How to discover and remove malicious redirects in the .htaccess file

    In most cases, malicious redirects are created by modifying the .htaccess file. Often, after the .htaccess file has been cleaned up, the malicious code is added back within 30 minutes. This is done through “backdoor(s)” the attackers have placed among the website files.

    Here is a step-by-step guide on how to discover and remove these malicious redirects:

    1. Detect the symptoms:

    • Your site has a malware warning screen
    • Your site turns into a blank page
    • Your site gets redirected to some Russian domain
    • Your site can’t be accessed from Google search
    • Your site redirects you back to Google
    • Your .htaccess file is infected
    • Your .htaccess file keeps getting re-infected even after you edit it back

    What this means is that someone has compromised your site and modified your .htaccess file to redirect visitors arriving from Google to a malware-infested site. As a result, your site ends up blacklisted and you lose the visitors who can’t reach it.

    This is what the modified .htaccess file looks like:
    ==

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Only fire when the visitor arrived via one of these search engines or social networks
    RewriteCond %{HTTP_REFERER} ^.*(duckduckgo|ask|google|dogpile|archive|clusty|mahalo|mywebsearch|blekko|lycos|webcrawler|info|infospace|search|excite|goodsearch|altavista|live|msn|aol|yahoo|youtube|wikipedia|infoseek|bing|facebook|twitter|myspace|linkedin|flickr|deviantart|livejournal|tagged|badoo|mylife|ning|pinterest)\.(.*)
    # ... and redirect every such request (the target varies; here it is google.com)
    RewriteRule ^(.*)$ http://google.com [R=301,L]
    </IfModule>

    ==

    Note that the condition only fires when the Referer header names one of the listed sites, so the site looks perfectly normal when you open it by typing the URL directly. To reproduce the symptom, follow a link to the site from a search result, or send a request with a Referer header set (for example with curl -e "http://www.google.com/").

    2. Detect the malware type

    If you have the symptoms described above, in most cases it is the Blackmuscats or conditional redirects malware. To confirm which malware infected your Joomla! or WordPress site, check the .htaccess files under the document root and perform a malware scan of the website files using Maldet or Clamscan.
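An added example (not part of the original article) of the .htaccess check described in this step: it walks a document root, finds every .htaccess file (there is often more than one), and flags those that combine a RewriteCond on HTTP_REFERER naming search engines or social networks with a RewriteRule that sends the visitor to an absolute URL, which is the shape of the injected block shown above. The sample site it builds in a temporary directory, including the redirect target malicious.example, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): walk a document root, find
# every .htaccess file, and flag the ones that contain a referer-conditional
# redirect of the kind shown in the article. Pass a real document root to
# find_referer_redirects to use it on a live site.

# Tell-tale pair: a RewriteCond on HTTP_REFERER that lists search engines /
# social sites, plus (anywhere in the same file) a RewriteRule that sends the
# request to an absolute http(s):// URL.
REFERER_COND='RewriteCond[[:space:]]+%\{HTTP_REFERER\}.*(google|yahoo|bing|msn|aol|facebook|twitter)'
EXTERNAL_RULE='RewriteRule[[:space:]]+\^.*\$[[:space:]]+https?://'

# list_htaccess DIR: print every .htaccess file under DIR, hidden dirs included.
list_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null
}

# is_suspicious FILE: succeed (exit 0) only if FILE carries both the referer
# condition and an external redirect rule.
is_suspicious() {
    grep -Eq "$REFERER_COND" "$1" && grep -Eq "$EXTERNAL_RULE" "$1"
}

# find_referer_redirects DIR: print the path of each suspicious .htaccess.
find_referer_redirects() {
    list_htaccess "$1" | while IFS= read -r f; do
        if is_suspicious "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# --- Constructed sample site (not a real installation) -----------------------
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/images" "$SAMPLE/blog"
# A clean, WordPress-style .htaccess in the document root.
cat > "$SAMPLE/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF
# An infected one hidden in a subdirectory; the redirect target is a placeholder.
cat > "$SAMPLE/images/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo|facebook|twitter)\.(.*)
RewriteRule ^(.*)$ http://malicious.example [R=301,L]
</IfModule>
EOF

echo "Suspicious .htaccess files under $SAMPLE:"
find_referer_redirects "$SAMPLE"
```

The second regex on its own would also match legitimate canonical-host redirects (www to non-www and the like), which is why a file is flagged only when both patterns are present. Treat hits as candidates to read, not as entries to delete blindly.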

    3. How to detect the malicious file?

    • It’s a good idea to check your website access logs
    • Check every folder for suspicious files
    • Scan the website files using a malware scanner.
    • Ask StopTheHacker for assistance.
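An added example (not part of the original article) of the first two checks in this step. Because the backdoor re-adds the redirect within about 30 minutes of a clean-up, it is usually itself a recently dropped or recently modified PHP file, and because web shells are driven almost entirely by POST requests to one odd path, counting POST targets in the access log points at it quickly. The PHP files and the combined-format access log lines below are constructed for the demonstration; point recent_files at a real document root and post_targets at a real access log.

```shell
#!/bin/sh
# Added example (not part of the original article): two checks that help
# locate the backdoor that keeps rewriting .htaccess. Both run here on
# constructed sample data so the script works offline.

# recent_files DIR MINUTES: list .php files under DIR changed in the last
# MINUTES minutes, sorted.
recent_files() {
    find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null | sort
}

# post_targets LOG: count POST requests per path in a combined-format access
# log, most frequent first. Field 6 is the quoted method, field 7 the path.
post_targets() {
    awk '$6 == "\"POST" { print $7 }' "$1" | sort | uniq -c | sort -rn
}

# top_post_target LOG: only the most-posted-to path.
top_post_target() {
    post_targets "$1" | head -n 1 | awk '{ print $2 }'
}

# --- Constructed sample data (not from a real server) ------------------------
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/wp-content/uploads"
echo '<?php // legitimate file, untouched for years' > "$SAMPLE/index.php"
touch -t 202001010000 "$SAMPLE/index.php"
echo '<?php // recently dropped file' > "$SAMPLE/wp-content/uploads/cache.php"

LOG="$SAMPLE/access.log"
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2013:02:11:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:11:05 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:02:12:40 +0000] "GET /blog/ HTTP/1.1" 200 7044 "http://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:40:09 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 91 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2013:03:01:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:03:10:44 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF

echo "PHP files changed in the last 30 minutes:"
recent_files "$SAMPLE" 30
echo
echo "POST requests per path (most frequent first):"
post_targets "$LOG"
```

On a real site the POST list will be long; compare each path against the application's known endpoints (wp-login.php, wp-admin/admin-ajax.php, index.php and so on) and look hardest at PHP files sitting in directories that should only hold uploads, images or cache data.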

    4. How to fix it?
    Fixing the redirection itself is simple: delete these entries from your .htaccess file (there can be more than one .htaccess file, so check every directory) and you are set. However, you still have to verify that nothing else is hidden in there, so do a full scan of your website to make sure it is clean.
    In addition, you still need to fix the problem that allowed the site to be hacked. Most of the time this means updating your web application (WordPress, Joomla, etc.), changing your passwords and cleaning the computer you administer the site from.
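An added example (not part of the original article) of the clean-up described above: it saves a timestamped backup of the .htaccess file, then removes the injected RewriteCond on HTTP_REFERER together with the RewriteRule that directly follows it, leaving the application's own rules untouched. It assumes the injected block has the layout shown earlier in the article (condition immediately followed by its rule). The infected sample file, including the placeholder target malicious.example, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original article): strip the injected
# referer-based redirect out of a .htaccess file after saving a backup, and
# report how many injected conditions were found before and after.

# count_injected FILE: number of HTTP_REFERER conditions naming search
# engines or social sites. Stock WordPress/Joomla rules never test the
# referer against such a list.
count_injected() {
    grep -Ec 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}.*(google|yahoo|bing|msn|aol|facebook|twitter)' "$1" || true
}

# clean_htaccess FILE: copy FILE to FILE.bak-<epoch>, then rewrite FILE
# without the injected RewriteCond and the RewriteRule immediately after it.
clean_htaccess() {
    f=$1
    bak="$f.bak-$(date +%s)"
    cp -p "$f" "$bak"
    awk '
        /^[ \t]*RewriteCond[ \t]+%.HTTP_REFERER..*(google|yahoo|bing|msn|aol|facebook|twitter)/ {
            drop = 1; next          # drop the injected condition ...
        }
        drop && /^[ \t]*RewriteRule/ {
            drop = 0; next          # ... and the rule it guards
        }
        { drop = 0; print }         # everything else is kept verbatim
    ' "$bak" > "$f"
}

# make_sample DIR: write a constructed infected .htaccess (stock WordPress
# rules with the injected block appended) into DIR and print its path.
make_sample() {
    cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo|facebook|twitter)\.(.*)
RewriteRule ^(.*)$ http://malicious.example [R=301,L]
</IfModule>
EOF
    printf '%s\n' "$1/.htaccess"
}

# --- Demonstration on the constructed sample ---------------------------------
SAMPLE=$(mktemp -d)
INFECTED=$(make_sample "$SAMPLE")
echo "Injected conditions before: $(count_injected "$INFECTED")"
clean_htaccess "$INFECTED"
echo "Injected conditions after:  $(count_injected "$INFECTED")"
echo "Backup kept at: $(ls "$INFECTED".bak-*)"
```

Because the backdoor re-adds the redirect, run count_injected on every .htaccess again about 30 minutes after cleaning; if the count goes back up, the backdoor file is still on the server and the clean-up is not finished.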

    How to prevent malware infections on a Joomla! site?

    • Keep your Joomla! website up to date.
    • Keep all your extensions up to date.
    • Do not download extensions from unknown sources.
    • Do not use “hacked”, “nulled” extensions on your site.

    If you found this article interesting, you may also want to read the following blog articles: “Consequences of your website being blacklisted by Google” and “How to change WordPress password without having the access to wp-admin”.