Google hijackers from crackers; check your HTACCESS

Written by on February 18, 2009 in SEO - 56 Comments

When’s the last time you looked inside your website’s HTACCESS file? It really should become a part of your monthly (ack, weekly? daily?) audit routines. There could be gremlins at play you see…

OK, here’s the gig: one day a mate comes along and asks me, “You mind Googling Twitter?” and I told him to mind his manners as I didn’t go for that kind of thing. Anyway, obliging him, the mighty Google was consulted and from what I could see, the oracle of the ‘Plex was behaving as normal.

Upon pressing for details as to what exactly he is seeing he sends me this;

Gooogle gets hijacked

As you can see the top results are for an Anti-virus website… NOT for Twitter

Being the curious type, I inquired with a few other folks to see what they were seeing. Sure enough, we were all seeing the proper set of results. Fair enough, it sounds like the hull has been compromised and he’s taking on water.

As we backtracked it seems there was a search result that had a peculiar behavior earlier that day. Upon clicking the top result in Google his AV software had done the jig (although it may have been the Trojan mimicking to gain access). I went over to the website in question – and nothing.

I then searched the website in Google and clicked on the listing – voila! Sure enough, you were redirected and a pop-up prompted you to do a ‘security scan’ (cough, cough). This behavior ONLY happened when accessing the site via Google.

 

The HTACCESS Gremlins

What could this be, one wondered. Certainly the mighty Goog’ has not fallen prey to wrongdoers, have they? After all, they say they’ve done it before:

Google serves up malware????

 

Naw, that couldn’t be it.

Initial suspicions leaned towards the site being hacked, but the site administrator was as confused as a link baiter on truth serum, no hacks could be found. To be on the safe side, a few of those in the know, information retrievers, were consulted and one specializing in rarefied AIR (adversarial information retrieval) had the answer. Check the HTACCESS file; which was an enlightening journey.

You see, kind reader, they had gone in and were redirecting ONLY the traffic arriving from Google, which then brought up the prompt and had caused the computer to be infected. Then, on subsequent searches, they were intercepting it and sending back their own (modified) Google results. The sneaky little buggers.

 

Make it a part of your site audits

You can just imagine the reputation problems that could come from this, not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty outbound links on competitor sites to redirecting incoming SERP requests, this is something SEOs need to be aware of.

In the modern world of SEO, close ties with the security and system administrators are key. Everyone needs to be aware of the potential for such attacks and be vigilant. A lot of time and money (into search campaigns) could easily be washed away and replaced with a reputation management problem.

What to watch for - This type of attack is often found when you are using a CMS or WordPress-type installation that requires the htaccess to be writable (such as for SEF URL creation). To guard against it, be sure to chmod your htaccess so that it’s not writable until you need to publish something new – then make it writable, create pages and then set it back again.
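One way to automate the audit described above, as an added example (not code from the original article or the affected site): it flags any external redirect that fires only for visitors arriving from a search engine, and reports whether the file still has a write bit set. The article does not show the compromised file, so the sample rules, the engine list and the function names are assumptions built from standard Apache mod_rewrite directives.

```python
import os
import re
import tempfile

ENGINES = re.compile(r"google|bing|yahoo", re.I)  # assumed engine list
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample: an ordinary CMS rule followed by a referrer-gated redirect.
SAMPLE = """\
RewriteEngine On
RewriteRule . /index.php [L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]
"""

def find_referrer_redirects(text):
    """Return (line_no, target) for external redirects gated on a search referrer."""
    findings, gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond and not cond.group(1).startswith("!") and ENGINES.search(cond.group(1)):
            gated = True          # RewriteCond lines stack until the next RewriteRule
        elif rule:
            if gated and re.match(r"https?://", rule.group(1), re.I):
                findings.append((no, rule.group(1)))
            gated = False         # conditions apply only to the first rule after them
    return findings

def audit(path):
    """Report referrer-gated redirects and whether any write bit is set."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = find_referrer_redirects(fh.read())
    mode = os.stat(path).st_mode & 0o777
    return {"redirects": found, "mode": oct(mode), "writable": bool(mode & 0o222)}

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o666)         # writable, as a CMS install may leave it
        before = audit(path)
        os.chmod(path, 0o444)         # read-only at rest, as the article advises
        return before, audit(path)

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against each site's real `.htaccess` on a schedule; a read-only mode does not remove rules that were injected earlier, so both results matter.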

 

…. Something to consider…

 


56 Comments on "Google hijackers from crackers; check your HTACCESS"

  1. Paul Woodhouse February 18, 2009 at 10:45 am · Reply

    Interesting stuff.

    Is the moral of this story to make sure you CHMOD your .htaccess file to 644?

    Or was there something more nefarious at work?

  2. Dave February 18, 2009 at 11:10 am · Reply

    Most certainly… and peeps that are using a CMS or WordPress might want to consider a strategy. These systems often require the htaccess to be writable…

    How they got access to the server in this case, I am unsure, they either didn’t know, or weren’t willing to tell me.

    But ultimately, locking down the htaccess is the prudent course of action most certainly.

  3. Kevin February 21, 2009 at 10:32 pm · Reply

    thanks for that…any brief instructions how to …
    “be sure to chmod your htaccess so that it’s not writable until you need to publish something new – then make it writable, create pages and then set it back again.”
    Thanks

  4. texxs February 22, 2009 at 7:37 am · Reply

    So it was twitter that was compromised?

    • Dave February 24, 2009 at 8:16 am · Reply

      No, it wasn’t Twitter, it was the website serving up the Trojan – once it installed itself, it modified popular Google searches… in this case, for Twitter.

  5. Chris Greenman February 22, 2009 at 5:32 pm · Reply

    I find it kinda crummy that there is always someone trying to cheat the system and win. Hope we all learned a lesson from this one. I will be sure to check my htaccess files regularly…

  6. Scott February 24, 2009 at 6:15 am · Reply

    You could also chown your htaccess file so that apache is the owner:

    chown apache path/to/.htaccess

    Then chmod it to 770 (wrx for both owner and group, no world permissions)

    That allows apache (and users with proper access) to write to the file, as well as to read the file, while not giving any other permissions to otherwise outside users/attackers.

    Of course that wouldn’t help if the CMS system (or an extension/plugin for it) were the actual culprit, rather than an outside attacker.

    And don’t forget to back that truck up! (truck being the server in this case) :)

  7. Debbie February 26, 2009 at 7:02 am · Reply

    Wow, this is something that never even crossed my mind. Will definitely be adding it to our future site audits, for our site and for our client sites.

  8. Wink February 27, 2009 at 6:22 pm · Reply

    Wow… very enlightening. Off to check my .htaccess file. Thanks!

  9. Robert March 2, 2009 at 1:31 pm · Reply

    I had a site hacked once. The host said it wasn’t due to some oversight on their part, but sure as you’re born the buggers got in and banged up the place. I always thought security was the host’s responsibility. What happened to me certainly opened my eyes. And now I see, if they can do it to Twitter, they can do it to anybody!

  10. Karl Foxley March 7, 2009 at 1:45 pm · Reply

    Great post! :)

    This has been something I was looking for a solution to and now I have the answer… Thanks

    Regards,

    Karl

  11. Free Ads March 10, 2009 at 7:17 am · Reply

    Wooew.. a huge search engine such as Google can be cheated by a Trojan??

  12. Benkyoshin March 17, 2009 at 8:20 pm · Reply

    awesome

  13. HERITAGESVIETNAM March 19, 2009 at 3:54 am · Reply

    Very nice
    thank

  14. Paid Survey Programs March 20, 2009 at 9:11 am · Reply

    Thanks for the heads up. Does it only involve Twitter?

  15. Sid March 23, 2009 at 10:42 am · Reply

    Thanks for enlightening, didn’t know this at all..

  16. Akash Acharya April 3, 2009 at 5:23 am · Reply

    You can just imagine the reputation problems that could come from this not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty (outbound links) on competitor sites to redirecting incoming SERP requests, this is something SEOs need be aware of.

  17. Hicham April 3, 2009 at 10:19 pm · Reply

    Wow! That’s very important to keep an eye on! Thanks for sharing.

  18. WilliamC April 4, 2009 at 10:10 pm · Reply

    If you are using a virtual hosted account that has many other users on the same machine, this is well needed information for you from David.

    Now the good part, you can chown the file to only your username on ‘most’ virtual hosting solutions and allow it write access by your CMS while not allowing other users to write to it. Take a peek at the unix command chown to learn more.

  19. Mark Jaquith April 7, 2009 at 9:44 pm · Reply

    This type of attack is often found when you are using a CMS or WordPress type installation that requires the htaccess to be writable (such as SEF URL creation).

    WordPress does not require your .htaccess to be writable once you’ve done the initial permalink structure configuration, so it’s safe to make it read-only on established WordPress sites.

  20. Robert M. Cavezza April 10, 2009 at 8:44 am · Reply

    Twitter wasn’t hacked – his computer was hacked through his website. Subsequently, all major (popular) google searches were transferred back to this trojan’s website through his personal computer.

    The Trojan didn’t affect Twitter, it affected his PC and in turn, most Google searches were not correct.

    I’m also curious how you found out that the Trojan affected you through your website. Was there something in the HTACCESS file or did you just assume that was how it got infected because it was writable?

    Best Regards,

    Robert M. Cavezza

  21. Carole Jacoby & Co. Real Estate April 13, 2009 at 12:40 pm · Reply

    Interesting information but can you simplify it for those of us who are not so tech savvy? Example; What is step one, in detail? What is step 2, in detail and so forth?

    Thanks,

  22. mathew April 13, 2009 at 11:49 pm · Reply

    Thank You

  23. Protect Me April 14, 2009 at 11:28 am · Reply

    Thanks for the information. It was helpful and informative.

  24. Kp April 16, 2009 at 9:02 pm · Reply

    You Rock David, thanks for the trickle down.
    peace.

  25. dcphosting services April 17, 2009 at 6:20 pm · Reply

    Ah ha, so that is the why, from time to time when clicking on Google results (labeled Green by McAfee Site Advisor), I end up on “bad sites” instead of the intended destination. (Thus far I have never “reached” a bad site because my browsing is stopped by the Google “Safe Browsing” feature.)

    I would never even consider allowing a client’s .htaccess file to be writable. “SEF URL creation” should be done by the CMS and only interpreted by the .htaccess file.

  26. توبيكات April 20, 2009 at 2:39 am · Reply

    thanxs

  27. توبكات April 20, 2009 at 3:10 am · Reply

    very cool

  28. chonp April 24, 2009 at 6:27 pm · Reply

    very good thank you

  29. Gary May 10, 2009 at 8:10 am · Reply

    Hi, great article. I am new to this CMS thing. I use Joomla for my church web site. Could you please tell me in layman’s terms how to check my htaccess file and what should be in it to start with? I only allow supervisor-level persons to access the site. Also, what does this mean: htaccess file to 644?
    Many thanks

  30. Michael May 11, 2009 at 10:33 pm · Reply

    Where is the .htaccess compromised code? Nice story but where’s the data and solution? Disappointing that such a potentially important article is incomplete concerning the most important facts, how the bad guys accessed the .htaccess file and what the hack looked like…

    vbplusme

  31. doug May 29, 2009 at 11:22 pm · Reply

    So I only have to worry about this if I have an Apache server, right? Windows nothing to worry about…not sure, can somebody enlighten – or I guess I can research on google.

  32. bryan June 1, 2009 at 11:22 pm · Reply

    I have had the same issues clicking from top Google search results. I am checking my .htaccess right now. thanks

  33. Bummarketing June 9, 2009 at 2:00 pm · Reply

    Interesting, but would love to see an example of what an infected file looks like

  34. Technologian June 9, 2009 at 7:47 pm · Reply

    nice post… very informative… thanks

  35. Inga July 5, 2009 at 2:47 pm · Reply

    Hey David!
    Thank you very much for this info, because I am a newbie and my programming skills are almost nothing, but I learn something new every day :) The other day the WP plugin WassUp stats showed me that my blog had a hack attempt and I was so nervous that maybe something had happened, but now, after reading your article, I can be a bit calm… just changed chmod in my file manager :)
    Thanks again!
    Inga

  36. ilk sayfa July 17, 2009 at 11:27 am · Reply

    Thanks for your share. Great article for seo and google

  37. Thomas Roman August 3, 2009 at 10:46 am · Reply

    Holy crap! I was wondering what was wrong with my search results, thanks for the info.

  38. What is New August 7, 2009 at 1:43 am · Reply

    Well, I liked it, really good stuff on .htaccess, but I am still not clear on how it happened..

  39. Rudi August 18, 2009 at 1:51 am · Reply

    What about setting up a cron job to recreate your htaccess file daily or something like that? Any comments on this?

  40. Fania August 19, 2009 at 12:58 pm · Reply

    thanks very much for your posting. Honestly say, I didn’t realize this problem before this, thanks again.

  41. Matthew Bradbry August 21, 2009 at 4:56 pm · Reply

    Mmm, I don’t understand? I don’t see any anti-virus software in the snippet page from Google? The 1st result is “Twitter: what are you doing?”. I am clearly missing the plot?

  42. klip izle August 27, 2009 at 6:58 am · Reply

    Wow… very enlightening. Off to check my .htaccess file. Thanks!

  43. Christian August 29, 2009 at 11:41 am · Reply

    So, how are people writing to the files without access?

  44. free cna classes September 24, 2009 at 11:00 am · Reply

    Definitely good post, I’m gonna see if I can actually incorporate it now into what I do, thx again.

  45. medical assistant training September 29, 2009 at 2:29 pm · Reply

    Interesting I never thought of that. I have the mozilla firefox safe browsing feature so I tend to stay in good neighborhoods but you make a good point.

  46. Claudia October 22, 2009 at 3:12 am · Reply

    It’s really a great post, especially for me, David.
    thanks for the information!!

  47. mjoh02 October 24, 2009 at 10:21 am · Reply

    Answer to post #31 & #32

    Two ways: you can find the software in hackers forum( SE’ it) or hire a coder/hacker to create the software for you.

  48. Jonas October 24, 2009 at 1:30 pm · Reply

    Thanks, another necessary thing to keep my eyes on.

  49. Todd October 30, 2009 at 8:31 am · Reply

    Do I need to be concerned this could happen on static sites, or only dynamic sites? BTW ~ My computer was displaying similar “correct” google results a while ago, but upon clicking any of them I was transported to various spam-like sites. I have no idea what caused it though…

  50. Rob November 3, 2009 at 8:33 am · Reply

    This concerns me greatly because I’ve seen a lot of questionable results on Google showing dozens of websites that had no content other than the keyword(s) in amongst bible prose. The website titles and content had no relationship to the search term at all.
    When I attempted to visit these sites my browser warned of a virus/trojan.
    I believe Google has since discovered this problem – I warned them dozens of times about these crazy results and now I don’t see them anymore.
    I fear my own website has been “infected” and I’ve lost a huge amount of traffic as a result and probably had the website blacklisted. Somebody told me my sites were blacklisted although I could not find any proof of that. Just very poor visitor numbers despite being near the top of Google searches for those key words

  51. Annuity Rates November 30, 2009 at 10:43 am · Reply

    Good post, I never ever check my htaccess file. I will from now on of course.
    Kevin

  52. nanang December 8, 2009 at 7:16 am · Reply

    woow my experience will grow wealthy?

  53. southernwind January 12, 2010 at 2:36 am · Reply

    Actually I heard about the issue of hijacking back in 2009, but never got any clear information about it.

    Is there anything we can do against such an issue? Could anyone here reveal any breakthrough?

  54. kathleen inman January 14, 2010 at 9:30 am · Reply

    I too am asking if you would give more detail on how to access the info, and what to look for to fix this, please...
    thank you for this post.
    thank you kathy

  55. We Have A Story April 17, 2012 at 6:11 am · Reply

    This is something that webmasters should be aware of and should take action on before something happens. Good information shared, but it would be more helpful if you wrote it step by step, and also shared what should be done to prevent such attacks.
