
Using Wget to Detect Hijacked Search Engine Traffic

   07 Apr 09   Filed in Tips and Tricks

Some time ago I wrote a series of posts about the .htaccess exploit that redirected search engine traffic to bogus antivirus sites.

This sort of exploit is still very widespread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and the sites mentioned on Google’s Safe Browsing Diagnostic pages have nothing to do with their site’s content.

Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:

Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.

4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.

When I see multiple antivirus-related domain names in the diagnostics, I’m almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still, I need to verify my guess.

Detection

The easiest way is to use a web browser. Just go to Yahoo and search for the domain name. Then click on the site’s search results. (You can’t use Google because it won’t let you click through the blacklisted links.) If the assumption about the .htaccess hack is correct, you will land on some bogus antivirus site or on a porn site.

While this detection technique works, it is not something you want to do in practice. It is very unsafe: browsing the malicious sites exposes your own system to unnecessary threats.

Unmask Parasites used to be the safest and the easiest way to detect malicious redirects. Unfortunately the current modification of this exploit is poorly detected by Unmask Parasites (I’m working on the update) so I’ll show how to use another free tool called wget.

Wget

Wget is a free command-line tool that retrieves files using HTTP(S) and FTP protocols. If you are on Linux or Mac, you should already have it. If you are on Windows – download wget here.

I’m using wget because:

  • It’s safe. It doesn’t execute any code, it just downloads files.
  • It can be configured to simulate almost everything normal browsers can do. We’ll configure it to pretend to be referred from Google.
  • It follows redirects.
  • It logs everything so we can see what’s going on behind the scenes.
  • It’s free and easy to use.

Here is the wget command that you can use to reveal hijacked search engine traffic:

wget --referer=http://google.com "http://www.example.com/"

This command downloads a web page from www.example.com (replace it with your own site address).

The --referer option sets the Referer header in an HTTP request. It makes the www.example.com web server think that a user clicked on a link on the referer site to get to the www.example.com site. In our case we use --referer=http://google.com to simulate a click on a Google search result. Alternatively you can use --referer=http://yahoo.com to simulate a click on a Yahoo search result.

If this request gets redirected, you will see responses (301 or 302) with new locations in the command log.

Here is a sample wget log of one hacked site (I replaced its address with www.example.com):

>wget --referer=http://google.com "http://www.example.com/"
--01:47:54-- http://www.example.com/
=> `index.html'
Resolving www.example.com... done.
Connecting to www.example.com[216.193.xxx.xx]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://spyware-software .info/0/go.php?sid=2 [following]
--01:47:55-- http://spyware-software .info/0/go.php?sid=2
=> `go.php@sid=2'
Resolving spyware-software .info... done.
Connecting to spyware-software .info[195.245.119.150]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tubeloyaln .com/scan/?id=260 [following]
--01:47:55-- http://tubeloyaln .com/scan/?id=260
=> `index.html@id=260.1'
Resolving tubeloyaln .com... done.
Connecting to tubeloyaln .com[92.38.0.41]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 15,987 8.86K/s
01:47:58 (8.86 KB/s) - `index.html@id=260.1' saved [15987]

You can see a chain of 302 redirects here: www.example.com -> spyware-software .info -> tubeloyaln .com

The names of the malicious sites used in this chain change almost every day, so most likely you’ll see sites that don’t match the ones mentioned on Google’s diagnostic page. Still, the domain names are very similar: e.g. spyware-software .info vs. module-antispyware .info

In this example, instead of the home page of www.example.com, wget downloaded a fake “My computer Online Scan” scam page from tubeloyaln .com. If you remove the --referer option from the wget command, you’ll get no redirects and the real home page of the www.example.com site will be downloaded.
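As an added example (not code from the original post), here is the same check scripted in Python: it requests the page with and without the Google Referer, refuses to follow redirects automatically, records each hop by hand like the wget log above, and stops on loops or after a hop limit. The fetch function is injectable so the walk can be exercised offline; the User-Agent string is an assumption.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand every 3xx back to the caller instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, referer=None, timeout=15):
    """Single request, redirects not followed: returns (status, Location or None)."""
    headers = {"User-Agent": "Wget/1.12"}  # assumed UA string; any value works
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # every 3xx/4xx/5xx lands here
        return err.code, err.headers.get("Location")


def redirect_chain(url, referer=None, fetch=fetch_status, max_hops=10):
    """Walk the redirects by hand, recording (status, url) for each hop."""
    chain, seen, current = [], {url}, url
    for _ in range(max_hops):
        status, location = fetch(current, referer)
        chain.append((status, current))
        if status not in REDIRECT_CODES or not location:
            return chain
        current = urljoin(current, location)
        if current in seen:  # redirect loop: stop instead of spinning
            chain.append(("loop", current))
            return chain
        seen.add(current)
    chain.append(("too-many-hops", current))
    return chain


def check_hijack(url, fetch=fetch_status):
    """Compare the chain for a direct visit with the chain for a Google referral."""
    plain = redirect_chain(url, None, fetch)
    from_google = redirect_chain(url, "http://google.com", fetch)
    return {"plain": plain, "from_google": from_google,
            "suspicious": [u for _, u in plain] != [u for _, u in from_google]}


if __name__ == "__main__":
    import json, sys
    print(json.dumps(check_hijack(sys.argv[1]), indent=2))
```

A "suspicious" result means the site answers differently depending on the Referer, which is exactly the behaviour the hacked .htaccess produces; the printed chains show where the search visitors end up.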

If you detect the malicious redirects, check this article to find out how to resolve the issue.

Hope this little trick will save you some time.
