However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. This is what the compromised .htaccess looks like:
If you are not sure what it is doing, it is basically redirecting any crawler (like Googlebot) and all your error pages to generation-internet.ru. The Russian domain changes often, and it can be http://programmpower.ru/force/index.php, powerprogramm.ru, programmengineering.ru, programmpower.ru, software-boss.ru and many others.
This is a small list we collected:
Sometimes even non-.ru domains:
What to do?
If you are seeing any of those redirects, we recommend that you check your .htaccess file asap and remove the offending code. You probably also have backdoors hidden in there, so you have to do a full cleanup of the whole site, update WordPress, change all the passwords, etc.
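One way to run that .htaccess check across a site, as an added example that is not code from the original article: it flags `RewriteRule`, `ErrorDocument` and `Redirect` lines that point at a host other than your own and reports any user-agent or referrer conditions attached to them. The function name `audit_htaccess`, its `own_hosts` parameter and the sample file are assumptions constructed for illustration; only the domain in the sample comes from the article.

```python
import re
from urllib.parse import urlparse

# Directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(
    r'^\s*(RewriteRule|ErrorDocument|Redirect(?:Match|Permanent|Temp)?)\b(.*)$', re.I)
# Conditions keyed on crawler user agents or search-engine referrers.
COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+(\S+)', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)

def audit_htaccess(text, own_hosts):
    """Return findings for redirects that leave the site's own hostnames."""
    own = {h.lower() for h in own_hosts}
    findings, pending_conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # commented-out directives are inert
        cond = COND_RE.match(line)
        if cond:
            pending_conds.append(cond.group(1).upper())
            continue
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            host = (urlparse(url).hostname or '').lower()
            if host and host not in own:
                findings.append({'line': lineno, 'directive': m.group(1), 'host': host,
                                 'conditions': sorted(set(pending_conds))})
        if m.group(1).lower() == 'rewriterule':
            pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed sample, not the file from the incident; only the domain is from the article.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule ^.*$ http://generation-internet.ru/ [R=301,L]
ErrorDocument 404 http://generation-internet.ru/
RewriteRule ^old/(.*)$ http://www.example.com/new/$1 [R=301,L]
"""

if __name__ == '__main__':
    for finding in audit_htaccess(SAMPLE, {'example.com', 'www.example.com'}):
        print(finding)
```

Run it against every .htaccess under the document root, not just the top-level one, and treat a finding with `USER_AGENT` or `REFERER` conditions as the strongest signal, since legitimate redirects rarely depend on who is asking.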
Note that these .htaccess attacks are nothing new. We have been tracking them for years and we even did an article explaining how they work here: Understanding .htaccess attacks.
But it seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites in their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated, it can get hacked as well, even if you don’t have the timthumb.php script.