How Malware Can Abuse the .htaccess File
You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, a file that controls how the web server handles every request is an attractive target for bad actors. In this article, we'll walk through common ways attackers abuse it and the indicators of compromise (IOCs) to look for.
Malicious redirects
Attackers can set up redirects in .htaccess that send visitors elsewhere when specific conditions are met, such as the referrer they arrived from or the device they are browsing with. The final destination can be a site hosting other malicious content, spam, phishing campaigns, or other types of scam.

These redirects rely on the RewriteRule directive and are often preceded by conditions set with RewriteCond, exactly as the legitimate rules in a default WordPress .htaccess are. That makes the malicious lines hard to spot for anyone who is not familiar with the site's normal configuration. The samples below illustrate the common variants: a redirect keyed on the HTTP referrer (so the owner browsing the site directly is never redirected), rules that send requests for .txt and .htm pages to an external domain, a 302 redirect aimed only at iPhone and Android user agents, and a set of rules that does not redirect at all but internally rewrites requests from search-engine crawlers, or from visitors referred by a search engine, to default.php or inc.php. In that last case there is no R flag, so the crawler silently receives whatever those PHP files serve (typically SEO spam) while ordinary visitors see the site unchanged. URLs in the samples are defanged (hxxp, [.]) and should not be visited.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ hxxp://celeirodoalgarvio[.]com/azzf.html?h=717013 [L,R]
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).txt$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
RewriteRule ^([A-Za-z0-9-]+).htm$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
</IfModule>

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "iPhone|android" [NC]
RewriteRule ^(.*)$ hxxp://176[.]102[.]34[.]137/safezone [L,R=302]

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ default.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
RewriteCond %{HTTP_REFERER} (bing|google|yahoo|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
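To turn the patterns above into something you can run against a suspect site, here is a small heuristic scanner. It is an added example written for this article, not tooling from the original post, and the sample .htaccess it scans is constructed to mirror the four variants shown above, with the real hosts replaced by reserved example addresses. The extra search-engine names and mobile keywords beyond those in the samples are assumptions.

```python
"""Heuristic scanner for malicious RewriteRule/RewriteCond blocks in .htaccess.

Added example for this article, not tooling from the original post. It looks
for the tricks shown above: rewrites to external hosts, rules gated on the
referrer or on mobile / crawler User-Agents, catch-all patterns, and internal
rewrites that cloak content for crawlers. Heuristic only: review hits by hand.
"""
import re
from dataclasses import dataclass, field

# Search engines named in the samples plus a few common extras (assumption).
SEARCH_ENGINES = re.compile(r"\b(google|bing|yahoo|msn|aol|yandex|baidu|duckduckgo)\b", re.I)
MOBILE_UA = re.compile(r"\b(iphone|ipad|android|mobile|windows phone)\b", re.I)
# Absolute or protocol-relative URL. "hxxp" is the defanging convention used
# when sharing samples, so it is accepted as well.
EXTERNAL_TARGET = re.compile(r"^(?:h(?:tt|xx)ps?:)?//", re.I)
# Trailing [FLAGS]; peeled off before tokenizing so that "pat"[NC] with no
# space, which Apache accepts, still parses. Flags are assumed upper-case.
FLAGS_RE = re.compile(r"\[([A-Z0-9=,]+)\]\s*$")
# Patterns that match every request path.
CATCH_ALL = {"^.*$", "^(.*)$", ".*", "(.*)", "^(.*)", "(.*)$", "."}


@dataclass
class Finding:
    line_no: int
    pattern: str
    target: str
    reasons: list = field(default_factory=list)


def parse_directive(line):
    """Return (lower-cased directive name, args, flags) for one config line.

    Quoted arguments are kept whole; backslashes are left untouched (unlike
    shlex) because here they are regex escapes, not shell escapes.
    """
    flags = []
    m = FLAGS_RE.search(line)
    if m:
        flags = m.group(1).upper().split(",")
        line = line[: m.start()]
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
    if not tokens:
        return "", [], flags
    return tokens[0].lower(), tokens[1:], flags


def scan_htaccess(text):
    """Return a Finding for every RewriteRule that resembles the redirect or
    cloaking tricks described in the article."""
    findings = []
    conds = []  # (line_no, test string, pattern) of RewriteConds since the last RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and <IfModule> wrappers
            continue
        name, args, flags = parse_directive(line)
        if name == "rewritecond" and len(args) >= 2:
            conds.append((no, args[0].upper(), args[1]))
            continue
        if name != "rewriterule" or len(args) < 2:
            continue
        pattern, target = args[0], args[1]
        external = bool(EXTERNAL_TARGET.match(target))  # external target always redirects
        reasons = []
        if external:
            reasons.append(f"redirects to external URL {target}")
        for cno, test, pat in conds:
            if "HTTP_USER_AGENT" in test and SEARCH_ENGINES.search(pat):
                reasons.append(f"gated on crawler User-Agent (RewriteCond line {cno})")
            if "HTTP_USER_AGENT" in test and MOBILE_UA.search(pat):
                reasons.append(f"gated on mobile User-Agent (RewriteCond line {cno})")
            if "HTTP_REFERER" in test and SEARCH_ENGINES.search(pat):
                reasons.append(f"gated on search-engine referrer (RewriteCond line {cno})")
            elif "HTTP_REFERER" in test and external:
                reasons.append(f"fires only for some referrers (RewriteCond line {cno}); "
                               "the owner browsing directly may never see it")
        if reasons and pattern in CATCH_ALL:
            reasons.append(f"catch-all pattern {pattern}: every request is affected")
        if reasons and not external and not any(f == "R" or f.startswith("R=") for f in flags):
            reasons.append(f"internal rewrite: matching clients silently get {target} (cloaking)")
        if reasons:
            findings.append(Finding(no, pattern, target, reasons))
        conds = []  # a RewriteRule consumes the RewriteConds that precede it
    return findings


# Constructed sample mirroring the four variants shown in the article; hosts
# replaced with reserved example names/addresses. The last block is a clean
# WordPress fragment and must not be flagged.
SAMPLE = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
RewriteRule ^.*$ http://redirect-target.example/landing.html?h=1 [L,R]
</IfModule>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "iPhone|android"[NC]
RewriteRule ^(.*)$ http://192.0.2.10/safezone [L,R=302]
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
# Legitimate WordPress block below, must not be flagged
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE):
        print(f"line {f.line_no}: RewriteRule {f.pattern} {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Point scan_htaccess at the contents of a real .htaccess (remember that WordPress sites often carry several, one per directory, and that attackers like to drop them in wp-content/uploads). A hit is a lead, not a verdict: legitimate plugins also write RewriteCond blocks, so compare every flagged rule against the default WordPress rules and against what the site owner actually configured.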