Customer got hacked via .htaccess

5 points by sxsde 12 years ago | 4 comments
  • mschuster91 12 years ago
    Just wtf does this code do? Is it supposed to fake page views on that cavadini.savedalyfield.com site in line 40?

    Lines 4-8 make the whole stuff only match on people redirected to the hacked site by facebook, twitter and searches. 9-32 block out search engines, maybe to prevent stuff like Googlebot detecting the malware. The LNr env variable set on 39 acts as a primitive switch jumptable for the "cases" in 42-161... which redirect the browser using HTTP 302 Temporary Redirect to various subelements on cavadini.savedalyfield.com.

    • stordoff 12 years ago
      > Lines 4-8 make the whole stuff only match on people redirected to the hacked site by facebook, twitter and searches.

      I believe this is to extend the time before the site owner realises that the site has been compromised. They are less likely to visit via Facebook/Twitter/Search engines, so just see the normal site, even if most of their users get the compromised site.

    • dwj 12 years ago
      I think the customer got hacked some other way, and the hacker just wrote to the .htaccess file AFTER hacking the site. Probably the .htaccess is a quick and easy way of taking over the website.
      • zorlem 12 years ago
        A customer of mine had practically the same .htaccess file installed through an exploit in a custom PHP software he had written. The difference was with the URL it was pointing to, in my case it was battocletti.theroguedisc.com . The .htaccess was installed on 2012-11-21, but by the time the customer asked for my help cleaning up, the domain was no longer available.