This is just a short update on the .htaccess redirect attack that I wrote about last month.
I can still see many sites (mainly osCommerce-powered) that redirect search traffic to malicious sites. However, the pattern of the redirect URLs has changed.
Previously, the pattern was: example.ru/dir/index.php
Currently, I see the following patterns: example.ru/in.cgi?N and example.tk/in.cgi?N,
where example is a random second-level domain in the .ru or .tk zone, and N is a random number.
Here are some examples of the redirect URLs:
All of the .ru domains point to the same IP, 91. 204 .48 .37 (S.point, Ukraine), and the .tk domains have 3 A records:
wensdayprice .tk. 300 IN A 184.108.40.206 #Netherlands Dot Tk
wensdayprice .tk. 300 IN A 220.127.116.11 #Netherlands Taloha Inc
wensdayprice .tk. 300 IN A 18.104.22.168 #Netherlands Bv Dot Tk
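For site owners who want to check their own .htaccess files for this redirect, here is a small scanner that flags redirect directives whose target matches the pattern described above (random second-level domain in .ru or .tk, path /in.cgi?N). This is an added example, not code from the original post; the sample .htaccess content is constructed, and the RewriteCond/RewriteRule shape (search-engine referer checks followed by a rewrite to the external URL) is an assumption about how such injected rules are typically written, not something quoted from the attack itself.

```python
import re

# Constructed sample .htaccess content (not taken from a compromised site).
# The referer-conditioned RewriteRule shape is an assumption; the target URL
# follows the example.tk/in.cgi?N pattern described in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://example.tk/in.cgi?8 [R=301,L]

# legitimate rule that must not be flagged
RewriteRule ^old-page$ /new-page [R=301,L]
"""

# Signature of the current redirect pattern: a .ru or .tk host with /in.cgi?N,
# where N is a number.
IN_CGI_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)*[a-z0-9-]+\.(?:ru|tk)/in\.cgi\?\d+",
    re.IGNORECASE,
)

# Directives that can send a visitor elsewhere.
REDIRECT_DIRECTIVE_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent)?)\s+", re.IGNORECASE
)


def find_suspicious_redirects(htaccess_text):
    """Return (line_number, stripped_line, target_url) for every redirect
    directive whose target matches the in.cgi?N signature."""
    hits = []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        if not REDIRECT_DIRECTIVE_RE.match(line):
            continue
        match = IN_CGI_RE.search(line)
        if match:
            hits.append((lineno, line.strip(), match.group(0)))
    return hits


def referer_conditions(htaccess_text):
    """Collect RewriteCond lines that test HTTP_REFERER. These are what
    restrict the redirect to search traffic, so a direct visit by the
    site owner never triggers it; their presence next to a flagged rule
    is worth noting."""
    return [
        line.strip()
        for line in htaccess_text.splitlines()
        if "RewriteCond" in line and "HTTP_REFERER" in line
    ]


def scan_file(path):
    """Scan an .htaccess file on disk and return the suspicious hits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_redirects(fh.read())


if __name__ == "__main__":
    for lineno, line, target in find_suspicious_redirects(SAMPLE_HTACCESS):
        print(f"line {lineno}: redirect to {target}: {line}")
    for cond in referer_conditions(SAMPLE_HTACCESS):
        print("referer condition:", cond)
```

Run it against the .htaccess files in the web root and in every subdirectory (injected rules are often placed in more than one); because the redirect only fires for visitors arriving from a search engine, opening the site in a browser will not reveal it, which is why a file-level check is more reliable than browsing.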
The rest of the details about the attack can be found in my previous article; they are still valid. Just note that the more I watch this attack, the more I think it really has to do with osCommerce vulnerabilities. So make sure to update it to the latest stable version and properly harden it.