We are seeing something very strange on a few compromised sites lately. Instead ofdoing .htaccess redirections to malware sites, the attackers added the malware to redirect users to msn.com.
This is what we are seeing on some hacked sites (.htaccess file):
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://msn.com [R=301,L]
.. lots of empty lines/ white spaces ...
ErrorDocument 404 http://msn.comIf you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from searchengines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.
Anyone have ideas? It seems like a bug in the attackers malware injection code, but we can\'t say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). 🙂