Strange .htaccess redirections to

We are seeing something very strange on a few compromised sites lately. Instead ofdoing .htaccess redirections to malware sites, the attackers added the malware to redirect users to

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On

RewriteCond   %{HTTP_REFERER}   ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)

RewriteRule ^(.*)$ [R=301,L]

.. lots of empty lines/ white spaces ...
ErrorDocument 404

If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from searchengines (Google, Bing, Yahoo and even Twitter/Facebook) to instead of going to the real site.

Anyone have ideas? It seems like a bug in the attackers malware injection code, but we can\'t say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). 🙂