However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. Here is what we’re seeing in the compromised .htaccess files:
If you are not sure what it is doing, it is basically redirecting any crawler (like Googlebot) and all your error pages to generation-internet.ru. The Russian domain is changing often and redirecting to places like http://programmpower.ru/force/index.php, powerprogramm.ru, programmengineering.ru, programmpower.ru, software-boss.ru and many others.
Here is a small list we have collected:
Sometimes outside of .ru domains:
What to do?
If you are seeing any of these redirects, we recommend that you check your .htaccess files ASAP and remove the offending code. You probably also have backdoors hidden in various directories, so you have to do a full cleanup of the whole site, update WordPress, change all the passwords, etc.
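One way to run the .htaccess check recommended above, as an added example that is not code from the original article: this Python script flags RewriteRule lines that send visitors to an external host when gated on user agent or referrer, and ErrorDocument directives that point off-site. The sample file and the redirector.example host are constructed, and `own_hosts` is a hypothetical parameter for listing your own domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the behaviour described above; not a captured file.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
# END WordPress
ErrorDocument 404 http://redirector.example/force/index.php
RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|bingbot) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://redirector.example/force/index.php [R=301,L]
"""

URL_RE = re.compile(r"https?://[^\s\"'\[\]]+", re.I)
GATE_RE = re.compile(r"^RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}", re.I)

def external_host(line, own_hosts):
    """Return the host of the first absolute URL on the line, unless it is ours."""
    m = URL_RE.search(line)
    host = (urlparse(m.group(0)).hostname or "").lower() if m else ""
    return host if host and host not in own_hosts else None

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, kind, host) for each suspicious directive in text."""
    own = {h.lower() for h in own_hosts}
    findings, gated = [], False  # gated: pending RewriteCond keyed on UA/referrer
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # injected rules are often padded with whitespace
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            gated = gated or bool(GATE_RE.match(line))
        elif directive == "rewriterule":
            host = external_host(line, own)
            if host and gated:
                findings.append((n, "conditional-redirect", host))
            gated = False  # conditions apply only to the next RewriteRule
        elif directive == "errordocument":
            host = external_host(line, own)
            if host:
                findings.append((n, "external-errordocument", host))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS):
        print(finding)
```

Run it over every .htaccess file under the web root, not only the top-level one, and review each flagged line by hand before deleting anything.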
Note that these .htaccess attacks are nothing new. We have been tracking them for years and we even did an article explaining how they work: Understanding .htaccess attacks.
It seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites under their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated, it can get hacked even if you don’t have the timthumb.php script.