.htaccess and malware delivery

One of my friends saw a problem on a web site, thought I would post some of the things I learned through our private correspondence.

Contributing factors

This exploit can be avoided, but it pays to have a web hosting provider that stays on top of things and makes it easy for clients to keep their software upgraded. Unfortunately some of the “big names” are not the most reliable, so do your research well instead of just choosing brand names that sound familiar.

Something else that exacerbates the situation is that other than “certification” by the same companies that mass market flawed software (and charge plenty for the software license, training, and certification) there are no real standards for web developers nor computer consulting in general. We are in the equivalent of the situation with pharmaceutical sales before the FDA was created. Anyone can claim to be an expert to sell their particular brand of snake oil. I actually have programming, database administration, and server administration experience. I have been through the bitter experience of being “beaten out” by people who charged plenty and didn’t even know how to configure a popular FTP client program to use SFTP (secure) transfers. They never really delivered on many of their promises. This is especially bad when non-profit organizations are involved. Donor money going to reward bad behavior is an example of a very poor feedback mechanism in our market economy. Small government advocates and Tea Party supporters take note.

Reporting

I talked to an officer at the local state police barracks who confirmed that this was indeed a case of computer crime. The site owners were in the process of taking online registrations for workshop participants, so probably took a monetary hit.

If something like this happens you should file a report with your local State Police (for the USA) or go through the proper channels for wherever you live. It goes without saying that you or your “professional web designer/developer” need to repair the .htaccess file and remove any scripts used in the delivery of malware. Your web hosting provider should be able to provide technical support as well.

The exploit

The site in which my friend identified the problem had a “corrupted” .htaccess file that sent traffic from search engines to a second site (also in the USA). That site had a PHP script, hidden in a subdirectory that contained images, which connected to the malware servers in the Middle East — three different servers in two countries.
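As an added example (not from the original post), a small Python checker that scans an .htaccess file for the pattern described above: RewriteCond tests on HTTP_REFERER naming a search engine, followed by a RewriteRule whose target is an off-site URL. The sample .htaccess and its hostname are constructed for the demonstration.

```python
import re

# Constructed sample .htaccess resembling a search-engine referrer hijack.
# Only the first RewriteRule is gated on a search-engine referrer AND
# redirects off-site; the second is an ordinary local redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule .* http://second-site.invalid/images/in.php [R=302,L]
RewriteRule ^old-page$ /new-page [R=301,L]
"""

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|aol|ask", re.I)
EXTERNAL_TARGET = re.compile(r"https?://", re.I)


def find_referer_hijacks(text):
    """Return (line_no, line) for each RewriteRule that redirects off-site and is
    preceded by at least one RewriteCond on HTTP_REFERER naming a search engine."""
    findings = []
    pending_conds = []  # RewriteCond lines seen since the last RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
        elif directive == "rewriterule":
            # RewriteRule <pattern> <target> [flags]
            target = parts[2] if len(parts) > 2 else ""
            referer_gated = any(
                "%{HTTP_REFERER}" in c.upper() and SEARCH_ENGINES.search(c)
                for c in pending_conds
            )
            if referer_gated and EXTERNAL_TARGET.match(target):
                findings.append((n, line))
            pending_conds = []  # conditions apply only to the next rule
    return findings


if __name__ == "__main__":
    for line_no, line in find_referer_hijacks(SAMPLE_HTACCESS):
        print(f"suspicious redirect at line {line_no}: {line}")
```

Run it against a site's real .htaccess (open the file and pass its contents) to flag referrer-gated off-site redirects for manual review.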

Other delivery mechanisms

On another friend’s site last week I saw an attempt to deliver this same malware package through an email message delivered through their contact form. The message contained a link to a news story on a major network site. You can often avoid trouble by using plain text format for all your email messages. In this case it would not have helped, though: when I checked the source, the URL was to the site it claimed to be. Someone had managed to get a script onto their server.

Read more

Here are some links I found which I thought explain well how the .htaccess exploit works:

http://www.provos.org/index.php?/archives/55-Using-htaccess-To-Distribute-Malware.html

http://www.64bitjungle.com/web-development/gnarly-malware-hijacks-website-htaccess-and-steals-search-engine-traffic/

http://blog.javacoolsoftware.com/2008/12/anti-virus-2009-search-engine-redirect-hacks/

About Kathy

Perl, MySQL, CGI scripting, web design, and graphics, following careers as an analytical chemist and educator, then in IT as a database administrator (DBA), programmer, and server administrator. Diagnosed with Mitochondrial Myopathy in 1997.