0

I'm cleaning up a webhosting server of a client and found a really strange htaccess file in the root.

RewriteEngine On



RewriteCond %{ENV:REDIRECT_STATUS} 200

RewriteRule ^ - [L]

RewriteCond %{HTTP_USER_AGENT} (yahoo|msn|bing|google|aol|duckduck) [OR]

RewriteCond %{HTTP_REFERER} (yahoo|msn|bing|google|aol|duckduck)

RewriteRule ^.*$ /kmdxdnw.php [L]

Wouldn't the RewriteRule ^ - [L] already stop the execution of the last line?

Even stranger might be the fact this "/kmdxdnw.php" is part of 3 or 4 completely obfuscated PHP files in really strange format. Obviously not for minifying code. My guess was it was planted there as support for some framework. But it's completely garbled and unrecognizable. I just don't really want to break anything =)

Marten
  • 661
  • 6
  • 9
  • That rule only does its thing, if the preceeding RewriteCond yielded true. (https://stackoverflow.com/a/20930010/1427878) – CBroe May 12 '20 at 06:29
  • 1
    _“My guess was it was planted there as support for some framework.”_ - my guess would rather be, that it is probably a _hack_. With the user agents and referrers, it is clearly targeting search engines bots, and people arriving at the site from the respective SERPs - so this is probably used to show different content in those cases, than the site normally would. – CBroe May 12 '20 at 06:31

0 Answers0