lucy24 - 9:23 pm on Jan 14, 2013 (gmt 0)

Going back to the original post: Did the hackers replace the original htaccess file, or edit it, leaving some of the original text? For present purposes, editing is worse, because it probably calls for a higher level of access.

I never bothered to look at the rules quoted. They seem to be exactly the same, right down to repeating two lines that don't need to be repeated (RewriteBase and RewriteEngine).

RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]

The first Condition does nothing on its own beyond saying that there has to be a referer; its real purpose is to create a capture that will be used by the second Condition. The [w.]* element in both conditions is a clunky way of saying "ignore the leading www. if there is one". It would also, of course, make mincemeat of any domain whose name happens to start with one or more w's. Like... er... ahem... cough-cough...

Apparently the author doesn't know about non-capturing groups-- but does know the \1 construction. I would never have thought of using this in mod_rewrite-- first because frankly it never occurred to me ;) and second because I didn't know you could use it. (Can you? If no one knows for 100% sure I'll have to figure out a test rule.)

The second condition means
{the present site}/{NAME-OF-REFERER} is not {SOME-RANDOM-TEXT}/{THE-SAME-RANDOM-TEXT}

or possibly
{the present site}/{NAME-OF-REFERER} is not {SOME-RANDOM-TEXT}/{NAME-OF-REFERER}

depending on whether the \1 refers to the capture in the present line (Condition 2) or the capture in the previous line (Condition 1).

Can anyone decode that? I don't know enough to tell if it's really brilliant or really stupid. (I incline toward #2 but DO NOT take my unsupported word on this.)