A side effect of this “black-hat SEO modification” is when people search for domain names of affected sites, they see something like this in search results:
serial key · serial number 249.211.87.154 Watch Avatar movie online … download movies · online movies. 18.104.22.168 … avira serial. 240.30.80.59 …
The link address is correct, the title may be either correct or something like keygen, serial key, crack download, online movies, etc., and the result description is always a mix of warez keywords and random IP-addresses.
This side effect can help reveal the problem to webmasters. They see that Google has indexed erroneous content for some reason but they can neither find it on their site nor detect any other signs of a hack. No wonder, this attack works intermittently when hackers activate it — maybe several hours per week for random requests. Moreover, it’s a server-wide exploit and any individual user account on such a server is technically not hacked. That’s why it is very difficult to detect it even for experienced server administrators.
To estimate the prevalence of this infection I used the following Google search:
When I downloaded them, I could extract 300 unique domain names from 185 unique IP addresses from all over the world. Most of the IPs belong to shared servers with hundreds of sites. This means that there are currently about 20,000+ potentially affected websites.
I use the word potentially because this attack is not always active. At any given moment, only a small percentage of compromised servers exhibit malicious behavior. As outside observers we can only guess if the rest servers still contain backdoor scripts that can activate the attack.
185 compromised servers is probably an underestimation. This number only takes into account servers where the malicious processes were active when Googlebot indexed sites on those servers.
Using IP addresses of compromised servers I can show that this is really a server-wide infection. Bing search engine allows to narrow down searches to particular IP addresses. For example, here is a search that returns affected sites on server with IP 22.214.171.124
Most of the links from the indexed hacked pages point to keygenguru .com site. It’s a search engine for serial numbers, keygens and other illegal pirate stuff. Its current Google PR is 6. According to Compete.com, 140,000 unique visitors come to this site every month. Its Alexa rank is 7,019 and according to Alexa, 35% of its visitors come from search engines, which is about 50,000 visitors every month. Again, according to Alexa, the most popular search keywords are the ones that we can see on the indexed hacked pages.
Of course, there are many “legitimate” (if we can call them so) links to keygenguru from warez sites and forums, so some part of its search ranking is “deserved”. However, even if we don’t pay attention to the legitimacy of the site’s content, I suggest that search engines take a closer look at black hat SEO tricks used by this site — they definitely don’t comply with search engines’ guidelines.
If your site is affected by this hack (you either discover erroneous “serial/keygen” description in your site’s search results or see unexpected keygenguru .com external references along with other “pirate” links in an Unmask Parasites report for your site) — this is a serious problem that only a server administrator with root access can properly resolve. As a site owner/webmaster you can either move your site to another host or notify the server administrator (hosting provider) about the problem and have them read this article and my previous article that contains technical details of the attack and all the information needed to find backdoor scripts and mitigate the issue.
If you are interested in my list of IPs of currently affected servers, you can find it here (it will expire in one month).
There is still a lot remains unclear about this attack. Specifically, how this exploit manages to hijack Apache processes and if there is a reliable fix that can close the security hole. If you have any information about this issue, please share it in comments or contact me directly. Thanks!