Is YOUR site INFECTED by the Yahoo Counter or .htaccess

Posted: January 11, 2009 in IX Web Hosting

A lot of people are contacting me, asking HOW you would know if your site is infected.
Let me start by saying that in some cases you will know immediately when something is wrong, but in other cases it might not be too clear.



The Yahoo Counter is an iFrame JavaScript injection that injects code into the Footer, Body, or Header, or all three at once.
Thousands of IX Web Hosting customers are infected with this code, and they do not even know it! The web page looks normal, but this can be very dangerous: your website will eventually drop from ALL the major search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines.
To check if you have the Yahoo Counter injected, go to any search engine and visit your site from there. The sign to look for: your site loads as it should, BUT it still shows “Loading” in the taskbar for some time, and then in most cases (but not always) an “Acrobat Reader” error message pops up.

Now you must check the “Source Code” (Menu Bar –> View –> Source) and you will notice the code that has been injected.


The .htaccess Injection

This is a very sneaky injection, because most people who have websites check them either through a shortcut or by entering the URL directly. In both these cases your website will look perfectly normal, BUT anyone trying to reach your website through any of the major search engines will be re-directed.





Once that is done, a FAKE ANTI VIRUS will pop up and start scanning your PC. It will then alert you that you have dangerous files on your PC and ask if they should be removed. If you click YES, you are screwed!! A Trojan with a KeyLogger will be executed on your PC, and you are INFECTED!!…

Anyone who gets the FAKE ANTI VIRUS pop-up should just close the site. NEVER click “Yes” or “No”, just click OFF the page. If your PC freezes, use “Ctrl-Alt-Delete” and stop the process. Then, as a precaution, you can delete your cached internet files.

An example of the injected .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* h**p:// [R,L] ( link altered by ME )

Remember, you only get re-directed if you click on your URL from a search engine.
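One way to check for this kind of rule, as an added example that is not part of the original post: a Python scan that flags any RewriteRule sending visitors to an external URL when the HTTP_REFERER conditions in front of it name a search engine. The function name, both sample files and the redirect-target.example placeholder are constructed for illustration.

```python
import re
import sys

# Referer fragments taken from the injected file shown above.
ENGINE_HINTS = ("oogle", "aol", "msn", "altavista", "ask", "ahoo")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_referer_redirects(htaccess_text):
    """Flag RewriteRules that send visitors to an external URL only when
    the Referer looks like a search engine."""
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        rule = RULE_RE.match(line)
        if cond:
            pending.append(cond.group(1))  # applies to the next RewriteRule
        elif rule:
            target = rule.group(1)
            # Ignore negated patterns ("!..."), as used in hotlink protection.
            engines = [p for p in pending if not p.startswith("!")
                       and any(h in p.lower() for h in ENGINE_HINTS)]
            if engines and re.match(r"https?://", target, re.I):
                findings.append({"line": lineno, "target": target,
                                 "referers": engines})
            pending = []  # a RewriteRule ends its condition chain
    return findings

# Constructed sample: same shape as the injected file, placeholder target.
INFECTED = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://redirect-target.example/ [R,L]
"""

# Constructed sample: ordinary hotlink protection and a www redirect.
CLEAN = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteRule \.(jpg|png)$ - [F]
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass every .htaccess file under the web root
        with open(path, errors="replace") as fh:
            for f in find_referer_redirects(fh.read()):
                print(f"{path}:{f['line']}: referer-gated redirect to {f['target']}")
```

The fragment list is a heuristic built from the one file shown here, so a hit means "review this rule by hand", and a clean result does not rule out the iFrame injection described earlier.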

  1. StudioPhi says:

    We can only confirm all the threats and damages that have been illustrated on this site.
    So much for the “new” economy… all boils down to crowdsourcing + third world outsourcing + price gouging.
    Real stuff costs real money, at the end of the day.
    So there goes one of the first basic tenets of the E-conomy: everything will be affordable.
    Sure – but who needs affordable *crap* ?


  2. Raza says:

    I have removed the file .htaccess..
    But is there any way we can avoid this in future?
