Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About
Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to www.google.com if it comes from them or to the real malware if not.

This is the code:



So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc) and for a few IP addresses for bots and anti virus companies (Trend, Bitdefender, etc). If the requests are coming from them, they ignore the connection and redirect to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware was contacting http://88.198.28.38/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.