Wednesday, June 5, 2013

A mystery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess


To be honest, since learning that most Linux malware blocks my IP and my country's access, I changed strategy: invite and trap them with a honeypot, a dummy server left open for them to come and attack. I thought I had prepared it well, but after some time with nothing happening I started to think this strategy wasn't working... AAND...! Today my swatch script poked me by email about a visitor. Checking the site, it had actually been visited two times; I got no alert for the first visit because I forgot to activate swatch in cron :-(

Code Injection in web contents and .htaccess

In short, this visitor is not friendly: he replaced the root's index pages and the fake JavaScript files with versions carrying the obfuscated injected code below:

With we can decode it easily into this:

It is redirection code driven by a special cookie condition. The cookie determines the conditions that trigger a prepared action in the redirection destination PHP page (which, at this moment, only God knows).

Moving along.. The decoded code reminded me of the recent Darkleech poking script in its injected sites. So, grateful to this visitor, I looked further and found the .htaccess with the code below:

At this point I was sad to face the fact that this is only a common hacking method (honestly, I expected cooler stuff like the latest Darkleech or RedKit or maybe cDorked.. sigh!): using mod_rewrite.c for the site's redirection. mod_rewrite is an Apache module that allows the seamless (to the client) redirection of files, reference -->>[APACHE.ORG]. Here the RewriteEngine of mod_rewrite.c, which is turned off in most Apache web servers' default setting, was switched ON, and RewriteCond directives were added so that HTTP requests matching a set of pipe-delimited keywords are redirected to the specific file/site/URL mentioned above.

This "incident" actually piggybacks on a common use of mod_rewrite.c by most web-app programmers: redirecting every GET request to index.php if the requested file or directory does not exist, in the format below:

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>

Hacker moronz are mostly using mod_rewrite.c with the below format for evil redirection:

   RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing|keyword-etc1|keyword-etc2) [OR]
   RewriteCond %{HTTP_REFERER} (google|yahoo|bing|keyword-etc1|keyword-etc2)
   RewriteCond %{REQUEST_URI} /$ [OR]
   RewriteCond %{REQUEST_FILENAME} (html|htm|php|cgi|)$ [NC]
   RewriteCond FILENAME-TO-HANDLE-REQUEST.(php|cgi) -f
   RewriteRule ^.*$ /FILENAME-TO-HANDLE-REQUEST.(php|cgi) [L]
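The difference between the two formats above is exactly what a defender can key on when auditing .htaccess files: a RewriteRule whose conditions test the User-Agent or Referer for search-engine names. The following is an added example, not code from the original post; the keyword list, the BENIGN/CLOAKED samples and the /handler.php target are constructed placeholders.

```python
"""Scan .htaccess text for the conditional-redirect pattern shown above.

Added example, not code from the original post. Heuristic: a RewriteRule is
reported when a RewriteCond in front of it tests HTTP_USER_AGENT or HTTP_REFERER
against search-engine names; the front-controller idiom is left alone.
"""
import re

# Constructed keyword list; extend with the crawler/referer names you see in the wild.
SEO_KEYWORDS = re.compile(r"google|yahoo|bing|msn|aol|ask", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def parse_rules(text):
    """Group each RewriteRule with its preceding RewriteCond lines; mod_rewrite
    binds conditions only to the next rule, so the pending list resets there."""
    blocks, pending = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = RULE_RE.match(line)
        if m:
            blocks.append((pending, (m.group(1), m.group(2), m.group(3) or "")))
            pending = []
    return blocks


def suspicious_targets(text):
    """Substitutions of rules gated on a search-engine User-Agent or Referer."""
    hits = []
    for conds, (_, subst, _) in parse_rules(text):
        if any(t.upper() in ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")
               and SEO_KEYWORDS.search(p) for t, p, _ in conds):
            hits.append(subst)
    return hits


# The front-controller block from the post: must not be reported.
BENIGN = """
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

# Constructed sample in the evil-redirect shape; /handler.php is a placeholder.
CLOAKED = """
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)
RewriteRule ^.*$ /handler.php [L]
"""

if __name__ == "__main__":
    print(suspicious_targets(BENIGN), suspicious_targets(CLOAKED))
```

Run it over every .htaccess under the document root (including subdirectories such as data/, where the post found the injected one) and review each reported substitution by hand.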

Attack Source IP

The log shows the attacker's source IP:
GeoIP shows this location:

FTP logs of the attack - An Automation Trace

All of this moronz visitor's access came through FTP, as the event log below shows. The traces are the hallmark of systematic web-server hacking and suggest the involvement of tools/scripts:

// EVENT #1:

[2013/06/01 21:46:54]   C="PASS (hidden)" B=- S=530
[2013/06/01 21:46:55] C="USER USERNAME" B=- S=331
[2013/06/01 21:46:55] C="PASS (hidden)" B=- S=230
[2013/06/01 21:46:55] C="SYST" B=- S=215
[2013/06/01 21:46:55] C="LIST /" D= B=211 S=226
[2013/06/01 21:46:56] C="LIST public_html/" D= B=630 S=226
[2013/06/01 21:46:56] C="LIST public_html/data/" D= B=124 S=226
[2013/06/01 21:46:57] C="LIST public_html/images/" D= B=1219 S=226
[2013/06/01 21:46:57] C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:57] C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/06/01 21:46:59] C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/06/01 21:46:59] C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/06/01 21:47:00] C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/06/01 21:47:00] C="STOR public_html/index.html-1" F=- B=- S=- T=-
[2013/06/01 21:47:00] C="RETR public_html/TRAP.JS" F=/public_html/TRAP.JS B=2586 S=226 T=0.113
[2013/06/01 21:47:00] C="STOR public_html/TRAP.JS" F=- B=- S=- T=-
[2013/06/01 21:47:01] C="RETR public_html/TRAP.JS" F=/public_html/TRAP.JS B=2323 S=226 T=0.117
[2013/06/01 21:47:01] C="STOR public_html/TRAP.JS" F=- B=- S=- T=-
[2013/06/01 21:47:02] C="RETR public_html/data/.htaccess" F=/public_html/data/.htaccess B=125 S=226 T=0.141
[2013/06/01 21:47:02] C="STOR public_html/data/.htaccess" F=- B=- S=- T=-

// EVENT #2:

[2013/06/04 11:53:05] C="USER USERNAME" B=- S=331
[2013/06/04 11:53:05] C="PASS (hidden)" B=- S=230
[2013/06/04 11:53:05] C="SYST" B=- S=215
[2013/06/04 11:53:05] C="PASS (hidden)" B=- S=530
[2013/06/04 11:53:06] C="LIST public_html/" D= B=562 S=226
[2013/06/04 11:53:07] C="STOR public_html//X9W7N2fm.gif" F=/public_html/X9W7N2fm.gif B=10 S=226 T=0.159
[2013/06/04 11:53:24] C="DELE public_html//X9W7N2fm.gif" F=/public_html/X9W7N2fm.gif B=10 S=250 T=-
[2013/06/04 11:53:24] C="STOR public_html/cgi-bin/X9W7N2fm.gif" F=/public_html/cgi-bin/X9W7N2fm.gif B=0 S=226 T=0.138
[2013/06/04 11:53:41] C="DELE public_html/cgi-bin/X9W7N2fm.gif" F=/public_html/cgi-bin/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:53:41] C="STOR public_html/data/X9W7N2fm.gif" F=/public_html/data/X9W7N2fm.gif B=0 S=226 T=0.153
[2013/06/04 11:53:58] C="DELE public_html/data/X9W7N2fm.gif" F=/public_html/data/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:53:58] C="STOR public_html/images/X9W7N2fm.gif" F=/public_html/images/X9W7N2fm.gif B=0 S=226 T=0.132
[2013/06/04 11:54:15] C="DELE public_html/images/X9W7N2fm.gif" F=/public_html/images/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:54:16] C="STOR public_html//index.html" F=/public_html/index.html B=15011 S=226 T=0.363
[2013/06/04 11:54:17] C="RETR public_html/index.html" F=/public_html/index.html B=15011 S=226 T=0.363
[2013/06/04 11:54:17] C="STOR public_html/TRAP.JS" F=/public_html/TRAP.JS B=6906 S=226 T=0.235
[2013/06/04 11:54:18] C="STOR public_html/TRAP.JS" F=/public_html/TRAP.JS B=6711 S=226 T=0.234
[2013/06/04 11:54:19] C="STOR public_html/data/.htaccess" F=/public_html/data/.htaccess B=1821 S=226 T=0.161
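The automation traits visible in the two events (a random-named .gif pushed into every directory as a write probe, each web file re-uploaded within a second of being fetched, the whole session over in seconds) can be turned into a log check. The following is an added example, not the post's own tooling; the sample lines are copied from EVENT #1 above and the thresholds (3 directories, 5 s, 60 s) are assumptions.

```python
"""Parse the FTP event-log format shown above and flag an automated session.

Added example, not the post's own tooling. Scored indicators: (1) one file name
STOR'd into several directories (writable-directory probe), (2) an index/.js/
.htaccess file STOR'd within seconds of being RETR'd (modify in place), (3) a
short session. The thresholds 3 dirs / 5 s / 60 s are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# [YYYY/MM/DD hh:mm:ss] C="CMD arg" ...trailing F= B= S= T= fields are ignored
LINE_RE = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\]\s+C="(\w+)(?:\s+([^"]*))?"')


def parse_line(line):
    """One log line -> (timestamp, command, normalised path), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, cmd, arg = m.groups()
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), cmd, (arg or "").replace("//", "/")


def analyse(lines):
    """Return the automation indicators found in a list of log lines."""
    ev = [e for e in map(parse_line, lines) if e]
    if not ev:
        return {"automated": False}
    dirs_per_name = defaultdict(set)  # file name -> directories it was STOR'd into
    last_retr, tampered = {}, set()
    for ts, cmd, path in ev:
        d, _, name = path.rpartition("/")
        if cmd == "RETR":
            last_retr[path] = ts
        elif cmd == "STOR":
            dirs_per_name[name].add(d)
            web_file = name == ".htaccess" or name.lower().endswith((".html", ".js", ".php"))
            fetched = last_retr.get(path)
            if web_file and fetched and (ts - fetched).total_seconds() <= 5:
                tampered.add(path)
    seconds = (ev[-1][0] - ev[0][0]).total_seconds()
    probes = sorted(n for n, ds in dirs_per_name.items() if len(ds) >= 3)
    return {"seconds": seconds, "write_probes": probes, "tampered": sorted(tampered),
            "automated": bool(probes) and bool(tampered) and seconds < 60}


# Lines copied from EVENT #1 in the post (a subset).
SAMPLE = """\
[2013/06/01 21:46:57] C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:57] C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/06/01 21:46:59] C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/06/01 21:47:00] C="RETR public_html/TRAP.JS" F=/public_html/TRAP.JS B=2586 S=226 T=0.113
[2013/06/01 21:47:00] C="STOR public_html/TRAP.JS" F=- B=- S=- T=-
[2013/06/01 21:47:02] C="RETR public_html/data/.htaccess" F=/public_html/data/.htaccess B=125 S=226 T=0.141
[2013/06/01 21:47:02] C="STOR public_html/data/.htaccess" F=- B=- S=- T=-
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The same check run as a swatch or cron job over the live FTP log would have raised the first event that the author only noticed after the second.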

Cookie and Redirection to cnt.php

The redirection URL is an interesting story: on direct access you'll get the "ok" data as per below:

--2013-06-05 03:26:36--  h00p://
Resolving seconds 0.00,
Caching =>
Connecting to||:80... seconds 0.00, connected.
GET /cnt.php HTTP/1.0
User-Agent: MalwareMustDie Ranted: Thou Salt Not Do (stupid) Hack!
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Tue, 04 Jun 2013 18:26:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
Saving to: `cnt.php'
2013-06-05 03:26:37 (21.3 KB/s) - `cnt.php' saved

$ cat cnt.php
By the browser we'll see:

It shows nothing else but the "ok" at this point, but nobody would hack a site just to redirect it to an "ok", would they? Thanks to Amanda Pessi for the idea about the cookie used-->>See the comment part

Redirection Target's IP Reputation

The IP reputation is not so good; it is recorded as being used by the "suspected" domains below:
With the PoC below:
[1] [2] [3] [4]

The domain information suggests hacked domains; for the record:

Domain Name: 52WEEKSNC.COM
Registrar: 1 & 1 INTERNET AG
Whois Server:
Referral URL:
Name Server: NS51.1AND1.COM
Name Server: NS52.1AND1.COM
Status: ok
Updated Date: 09-jul-2012
Creation Date: 09-jul-2012
Expiration Date: 09-jul-2013

created:                         09-Jul-2012
last-changed:                    09-Jul-2012
registration-expiration:         09-Jul-2013
status:                          CLIENT-TRANSFER-PROHIBITED

registrant-firstname:            Oneandone
registrant-lastname:             Private Registration
registrant-organization:         1&1 Internet, Inc. -
registrant-street1:              701 Lee Road, Suite 300
registrant-street2:              ATTN:
registrant-pcode:                19087
registrant-state:                PA
registrant-city:                 Chesterbrook
registrant-ccode:                US
registrant-phone:                +1.8772064254

AntiVirus Detection

Below is the detection-ratio scan of each sample via VirusTotal:

1. Malicious Injected .htaccess:

SHA1: c1925dcc1dc47b70bc62598d0c51312c5a256fa5
MD5: 5c65e586af2db49d7b93a1197734e82f
File size: 1.8 KB ( 1830 bytes )
File name: .htaccess
File type: Text
Tags: text
Detection ratio: 0 / 46
Analysis date: 2013-06-05 10:48:49 UTC ( 5 minutes ago )
It looks like no product can detect the injected .htaccess; the detection ratio is zero.

2. Injected Code (in Obfuscation)

SHA256: 8fa82809fb7f7c346188740cc71c86efa9419b536923159be39ad91f011f6c98
SHA1: 9f39f4875427ea3ec2b22182b8d34d5bf3c5574d
MD5: 95cfe5fc34b10272e9408517336b4cd3
File size: 4.3 KB ( 4389 bytes )
File name: obfuscation-redir-code.txt
File type: Text
Tags: text
Detection ratio: 16 / 47
Analysis date: 2013-06-05 10:49:08 UTC ( 7 minutes ago )

F-Secure                 : JS:Trojan.Crypt.MT
Microsoft                : Trojan:JS/BlacoleRef.DH
AntiVir                  : JS/BlacoleRef.CZ.20
Norman                   : Redirector.JX
McAfee-GW-Edition        : JS/
Avast                    : JS:Redirector-AOW [Trj]
nProtect                 : JS:Trojan.Crypt.MT
CAT-QuickHeal            : JS/BlacoleRef.CZB
Kaspersky                : Trojan.JS.Iframe.aen
BitDefender              : JS:Trojan.Crypt.MT
NANO-Antivirus           : Trojan.Script.Expack.brblya
McAfee                   : JS/
Fortinet                 : HTML/IFrame.AHQ!tr.dldr
GData                    : JS:Trojan.Crypt.MT
Emsisoft                 : JS:Trojan.Crypt.MT (B)
Comodo                   : Exploit.JS.Blacole.CW
This sample's detection ratio is not bad, but too bad that ClamAV, Sophos & Symantec can't detect it.. some of the Unix systems I know are using them..

3. Injected Code (The Decode Version)

SHA256: 2b09050a02f996fc5dd9203a289ce60b41a885877da1edbdc36c2f3a4a36b631
SHA1: 35945fd0667a21b94f8a7e4cb0763a588de1c9bd
MD5: ce012905dc63ef14b619cdef98157949
File size: 1.3 KB ( 1338 bytes )
File name: decoded-redir-code.txt
File type: Text
Tags: text
Detection ratio: 10 / 47
Analysis date: 2013-06-05 10:49:26 UTC ( 10 minutes ago )

F-Prot                   : JS/IFrame.RS.gen
AntiVir                  : HTML/ExpKit.Gen3
Avast                    : JS:Iframe-AHW [Trj]
GData                    : JS:Iframe-AHW
Kaspersky                : HEUR:Trojan.Script.Generic
NANO-Antivirus           : Trojan.Script.Iframe.bopaxv
Fortinet                 : JS/Iframe.DCV!tr.dldr
Commtouch                : JS/IFrame.RS.gen
K7AntiVirus              : Riskware
AVG                      : HTML/Framer
This sample's detection ratio is only 10. Surprisingly, the plain decoded version of the obfuscated injection code can not be detected by 6 products that detected the obfuscated one; the reason is obvious: the detection ratios described above are signature-based only. That's it for VT, let's check/scan it with the beloved rkhunter...

Grabbed the latest version & updated the database..

$ date
Wed Jun  5 20:20:37 JST 2013

$ sudo /usr/local/bin/rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
Put the injection code & .htaccess files in the path to be scanned by rkhunter and run it:
Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
       [...]                                                     [...]
    Trojanit Kit                                             [ Not found ]
    Turtle Rootkit                                           [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]
Performing additional rootkit checks
    Checking for possible rootkit files and directories      [ None found ]
       [...]                                                     [...]
Yes, rkhunter cannot detect these threats.

How many more cnt.php threats are on the internet now?

Today our team detected the below redirection of cnt.php:

05.06.13 00:12 - - - Referrer: h00p://
05.06.13 00:14 - - - Referrer: 
05.06.13 00:17 - - - Referrer: h00p://
05.06.13 00:23 - - - Referrer: h00p://
05.06.13 00:28 - - - Referrer: h00p://
05.06.13 00:48 - - - Referrer: h00p://
05.06.13 01:21 - - - Referrer: h00p://
05.06.13 02:00 - - - Referrer: h00p://
05.06.13 02:02 - - - Referrer: h00p://
05.06.13 02:12 - - - Referrer: h00p://
05.06.13 02:15 - - - Referrer: h00p://
05.06.13 02:38 - - - Referrer: h00p://
05.06.13 03:21 - - - Referrer: 
05.06.13 03:24 - - - Referrer: h00p://
05.06.13 03:25 - - - Referrer: h00p://
05.06.13 04:00 - - - Referrer: 
05.06.13 04:02 - - - Referrer: 
05.06.13 04:14 - - - Referrer: h00p://
05.06.13 04:27 - - - Referrer: h00p://
05.06.13 04:34 - - - Referrer: h00p://
05.06.13 04:36 - - - Referrer: h00p://
05.06.13 04:50 - - - Referrer: h00p://
05.06.13 05:03 - - - Referrer: h00p://
05.06.13 05:06 - - - Referrer: h00p://
05.06.13 05:09 - - - Referrer: h00p://
05.06.13 05:26 - - - Referrer: h00p://
The overall log of cnt.php redirections is a bit big, so please see it in this pastebin here-->>[Pastebin] (Big thanks to @Set_Abominae for the sorting). The name "cnt.php" itself mimics the counter filename commonly used in PHP programming, presumably chosen to hinder tracing. So dorking for sites with "cnt.php" in Google will result in a huge number of false positives.


So if you read this post and can enlighten us on the cookie and cnt.php matter (we know pretty well about the mod_rewrite.c redirection matter, thank you), please poke me on Twitter or write a comment. This case is not new and happens a lot on our beloved internet; Sucuri Labs has a good database of these injections & redirections, the link is here-->>[Google Dork]. In addition, if you happen to be infected/injected, Alex (Aliaksandr Hartsuyeu) of is writing a good tutorial, "Malicious Redirects - Common Fixing Guide v1", here-->>[]

Furthermore, I really hope to be visited by the other "visitor" next time, so stay tuned! :-)

PS: really feels GOOD to hear a moronz cried after I posted this. :D



  1. It almost looks like the cookie is to make sure that the user doesn't hit an exploit-pack, which is what I would assume the "ok" is a placeholder for.

    1. Doesn't hit the exploit-pack more than once I should say.

    2. Thank you very much for the good idea. I thought about that for a while.
      In the other cases, like Darkleech / other redirection-infected sites, I saw the Exploit Kit URL together with the cnt.php, which makes your explanation fit in every sense.

      However in this case we have only one same cnt.php as redirection target in both injected .htaccess & obfuscation code in html/.js file which leads to a same cnt.php.
      My best thought so far is a missing in injection data from the "visitor" itself.

      What do you think?

    3. The cookie is set to determine if to inject the iframe or not. One thing I'm curious about though is if the injected link's webserver is checking for the cookie to determine whether or not to delivery a payload/exploit (to avoid automated crawlers etc that won't have the cookie unless they land there via the injected link on a separate page).

      When you went to the link & got the "ok" dummy page was that direct or via an injected page? (ie. did you have the cookie when you went to that link?)

    4. > The cookie is set to determine if to inject the iframe or not.

      > One thing I'm curious about though is if the injected link's webserver
      > is checking for the cookie..
      No sign of checking it anywhere, at least in the code base.

      > When you went to the link & got the "ok" dummy page was that direct or..
      Both ways, even use urlquery and fake referer to be sure too, like: here.

      In addition, the cnt.php was removed on the destination target --> urlquery.
      Really eager to know what code is written inside of it, anyone got sample?
      Kindly a share pls?

  2. Even though we bypassed the cookie check from "/cnt.php", the redirected page is again checking the cookie, shows a custom "404" error

    1. That... I didn't test! :-) Thank you for the information. So at this point we know that the cookie was checked. Let's see if we can grab the cnt.php & see the codes.

  3. That looks kind of like one of the sources I saw in once of the underground sites today.

    1. Thank you for the kindly info. If you please be kindly to DM @malwaremustdie in twitter we can exchange communication about that underground sites? We need to know this source to mitigate the similar attack for the future purpose.

  4. In case I study, javascript files were changed with code provided and cnt.php was placed on the same server. This server's javascript files point to another's cnt.php, so I imagine that some other's point to this (or attacker just pings to it). It responds with "ok", but in fact the PHP script inside makes request to some ad server and "clicks" the ad inside. I don't know, why it isn't just pinging to it's own cnt.php, but that's how it works in this case.

    1. Very good, very good thought.
      Yes. We will never know what is in that "evil" cnt.php unless we see its codes ourself. :-)

  5. There are many files like cnt.php up there,
    with these filename regex (so far):

  6. Just handling cases locally, reference is here, sorry it is in Japanese but just jump straight to the codes/screenshot. Those infected pages are mostly redirected to CNT.PHP-like URLs, which reply with OK or so.

    I took the cookie code, saw the time frame in each cookie made and realised a new theory: that the infection doesn't have to happen immediately, depends on the bad guys' plan. The cookie will be saved in one's PC and when the RIGHT timing came, when the user happened to re-visit the site, and at that time that site is open for infection then it will be a HIT. Theoretically this can work, need to prove this concept. Any idea?

  7. Made a simple PoC of infection here -->>[HERE]