
Keygenguru .com Hack in Search Results

   04 Aug 10   Filed in Website exploits

Last year I wrote about two elaborate server-wide hacks that hijacked web server (Apache) processes and intermittently served malicious content instead of requested legitimate web pages.

A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modifications of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article: this time the malicious processes not only serve JavaScript redirect code but also inject HTML with links to pirated software and movies. That HTML gets indexed by search engines, which helps the hackers promote their illegal resources.

Side effect

A side effect of this “black-hat SEO modification” is that when people search for the domain names of affected sites, they see something like this in the search results:

crack download
serial key · serial number 249.211.87.154 Watch Avatar movie online … download movies · online movies. 51.239.154.87 … avira serial. 240.30.80.59 …
www.their-site-address.com/

The link address is correct; the title may be either correct or something like keygen, serial key, crack download, online movies, etc.; and the result description is always a mix of warez keywords and random IP addresses.
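The markers described above (warez vocabulary, random IP addresses, outbound links to keygenguru .com) can be checked for in the HTML a server actually returns. The following scanner is an added example and is not code from the original post or from Unmask Parasites; the keyword list and the two sample pages are constructed from the snippets quoted above.

```python
import re
from html.parser import HTMLParser

# Warez vocabulary taken from the search-result snippets quoted in the post.
WAREZ_TERMS = ("serial key", "serial number", "keygen", "crack download",
               "online movies", "avira serial", "download movies")
# Host named in the post as the target of the injected links.
SUSPECT_HOSTS = ("keygenguru.com",)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class _Extractor(HTMLParser):
    """Collect visible text and anchor targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.text, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def scan_html(html):
    """Report the black-hat SEO markers the post describes in a served page."""
    parser = _Extractor()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    terms = [t for t in WAREZ_TERMS if t in text]
    links = [h for h in parser.hrefs if any(s in h.lower() for s in SUSPECT_HOSTS)]
    ips = IPV4.findall(text)
    # The post's signature: warez keywords mixed with IP addresses, or links to
    # the promoted site. Either is enough to flag the page for a closer look.
    suspicious = bool(links) or (len(terms) >= 2 and len(ips) >= 2)
    return {"terms": terms, "links": links, "ips": ips, "suspicious": suspicious}


# Constructed samples: a clean page and one mimicking the injected HTML.
CLEAN = "<html><body><h1>Our bakery</h1><p>Fresh bread daily.</p></body></html>"
INJECTED = ("<html><body><p>Welcome</p><div>serial key · serial number 249.211.87.154 "
            "<a href='http://keygenguru.com/'>crack download</a> online movies "
            "51.239.154.87 avira serial 240.30.80.59</div></body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, scan_html(page))
```

Because the malicious processes are only active part of the time, one clean fetch proves nothing; run the scanner over fetches repeated across several days.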

This side effect can help reveal the problem to webmasters. They see that Google has indexed erroneous content for some reason, but they can neither find it on their site nor detect any other signs of a hack. No wonder: this attack works intermittently, only when the hackers activate it, maybe for several hours per week and only for random requests. Moreover, it’s a server-wide exploit, and no individual user account on such a server is technically hacked. That’s why it is very difficult to detect, even for experienced server administrators.

Prevalence estimates

To estimate the prevalence of this infection I used the following Google search:

“serial key” “online movies” “avira serial”

It returned 3,100 results. About 97% of them pointed to sites affected by this hacker attack. Their cached versions show that Google had indexed them in June and July of this year. (Warning: don’t open the cached pages in your browser; they still contain the malicious JavaScript.)

When I downloaded them, I could extract 300 unique domain names on 185 unique IP addresses from all over the world. Most of the IPs belong to shared servers with hundreds of sites. This means that there are currently about 20,000+ potentially affected websites.

I use the word potentially because this attack is not always active. At any given moment, only a small percentage of compromised servers exhibit malicious behavior. As outside observers, we can only guess whether the rest of the servers still contain backdoor scripts that can activate the attack.

185 compromised servers is probably an underestimate. This number only takes into account servers where the malicious processes were active when Googlebot indexed sites on those servers.

Server-wide searches

Using the IP addresses of compromised servers, I can show that this is really a server-wide infection. The Bing search engine allows searches to be narrowed down to a particular IP address. For example, here is a search that returns affected sites on the server with IP 72.18.142.180:

ip:72.18.142.180 serial

Keygenguru

Most of the links from the indexed hacked pages point to keygenguru .com site. It’s a search engine for serial numbers, keygens and other illegal pirate stuff. Its current Google PR is 6. According to Compete.com, 140,000 unique visitors come to this site every month. Its Alexa rank is 7,019 and according to Alexa, 35% of its visitors come from search engines, which is about 50,000 visitors every month. Again, according to Alexa, the most popular search keywords are the ones that we can see on the indexed hacked pages.

Of course, there are many “legitimate” (if we can call them so) links to keygenguru from warez sites and forums, so some part of its search ranking is “deserved”. However, even if we don’t pay attention to the legitimacy of the site’s content, I suggest that search engines take a closer look at black hat SEO tricks used by this site — they definitely don’t comply with search engines’ guidelines.

To webmasters

If your site is affected by this hack (you either discover erroneous “serial/keygen” description in your site’s search results or see unexpected keygenguru .com external references along with other “pirate” links in an Unmask Parasites report for your site) — this is a serious problem that only a server administrator with root access can properly resolve. As a site owner/webmaster you can either move your site to another host or notify the server administrator (hosting provider) about the problem and have them read this article and my previous article that contains technical details of the attack and all the information needed to find backdoor scripts and mitigate the issue.

If you are interested in my list of IPs of currently affected servers, you can find it here (it will expire in one month).

Have your say

There is still a lot that remains unclear about this attack. Specifically, how this exploit manages to hijack Apache processes and whether there is a reliable fix that can close the security hole. If you have any information about this issue, please share it in the comments or contact me directly. Thanks!
