Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Doorways on Non-default Ports — New Trend in Black Hat SEO?

   03 Dec 10   Filed in Website exploits

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites and make them promote online stores selling pirated software at about 5-10% of the real price. They used a fairly standard scheme that combined cloaking (spammy links visible only to search engine crawlers) with conditional redirects (visitors from search engines who clicked on specially-crafted links on compromised sites were redirected to the pirates' online stores).

Despite all my warnings, most of those sites are still hacked and still help sell pirated software and steal credit card numbers. This negligence of site and server administrators has encouraged cyber criminals to go a step further in abusing the reputation and resources of compromised servers. This post is about one such step.

Regular doorway pages

Usually, when I find hidden or cloaked spammy links on compromised sites, they point to specially-crafted URLs on hacked third-party sites: doorway pages that redirect visitors coming from search engines to landing pages on malicious or illegal sites. To create such doorway pages, hackers can add URL rewrite rules to server configuration files or create rogue files and directories somewhere on the server. They may even modify existing files so that, depending on the request parameters and headers, the server response varies from legitimate content to spammy pages (for search engine bots) and redirects (for visitors from search engines).

In all of the above cases, hackers have to extend the functionality of an existing legitimate site. Such modifications can be detected by diligent webmasters who regularly check the site's file system for integrity.

New trend

Not so long ago I noticed a new trend, though. Hackers started to create 100% spammy doorway sites under the same domain names as compromised legitimate sites, but on different (non-default) ports.

Here’s a screenshot of an Unmask Parasites report that shows spammy links to such doorway sites:

[Screenshot 1: non-default port]

And here are some Google searches whose first page of results contains links to doorway pages on non-default ports:

[Screenshot 2: buy Windows 7 key]

The same approach is used to create doorway pages for sites that sell counterfeit prescription drugs.

What are the benefits of this approach?

The trick with non-default ports makes doorway pages completely independent of the structure and file system of hijacked sites. This means that:

  1. No need to worry about compatibility with the host site. Doorway pages and redirect rules can't break anything since they are no longer part of the hacked site.
  2. A cleaner URL structure can be used. No need to hide doorways in subdirectories or to use dynamic parameters.
  3. The rogue content can be placed anywhere outside the host site's file system (hackers can specify a different DocumentRoot). Webmasters who check website files for integrity won't detect anything suspicious.
  4. Websites on different ports usually write logs to different files, so site administrators won't see the suspicious traffic from Google and other search engines when looking through their sites' logs.

As a result, hackers get a solution that is easier to maintain and reuse, and at the same time less likely to be detected by the owners of compromised sites.

On the other hand, this approach has its drawbacks. Hackers need more control over compromised servers; being able to upload and modify user files is not enough. To make the host's web server listen on an additional port one needs either root permissions or a poorly configured server with many open ports and world-writable Apache configuration files. (Any user can bind a port above 1023 with a web server of their own, but, as the Server headers below suggest, these doorways were served by the host's own Apache, whose configuration only root should be able to change.)

Speculation on PageRank

Doorway sites on non-default ports share domain names with hijacked, established websites, but they don't automatically get the same PageRank. For example, Google's toolbar shows PR 0 for home pages on non-default ports while the real sites have a high PageRank (e.g. PR 7). So Google distinguishes otherwise identical URLs with different port numbers.

However, having the same domain name as an established site still seems to be beneficial. It probably lends some authority to doorway pages; at least, they rank quite well.

Some technical details

Here are typical HTTP headers when you request doorway pages on non-default ports:

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, must-revalidate, private, max-age=0
Pragma: no-cache
X-ENGINE: rx-engine
Location: http://topoemsoftware .net/shop/search/?s=windows %257&cpn=www_datamancer_net_soft_ports4
Date: Sun, 21 Nov 2010 15:12:10 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache
Connection: close
Content-Length: 0

As you can see, they redirect (301) to a pirate site (topoemsoftware .net in this case), and the target URL carries information about the product targeted by the doorway page (windows 7) and the host of the doorway page itself (www .datamancer .net). The cpn tag also says "soft", marking the doorway as part of a software spam campaign (they also run "pharma" doorway pages), and "ports4", indicating that it works on a non-default port. On all doorway sites the redirect headers contain an "X-ENGINE: rx-engine" line, probably the name of the engine that implements the doorway/cloaking functionality. (I encounter the RX abbreviation quite often in pharma spam. Does anyone know what it means?)

Analysis of the Server header revealed that the doorway sites on non-default ports are served by the same web server software as the legitimate websites on port 80. In all cases it was Apache (of various versions). A Server header can be faked, so this is an inference rather than proof, but the simplest explanation is that hackers don't install their own web servers: they reconfigure the existing Apache to serve doorway sites on non-default ports. This usually involves adding a Listen port_number directive and a <VirtualHost *:port_number> block to the Apache configuration files.

Configuration changes of this sort normally require root permissions, which clearly shows this is not a site-level problem: the whole server is hacked. And the administrators of those servers don't notice the problem for a very long time ...
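The Apache configuration change described above, together with the separate DocumentRoot and separate log files listed among the benefits earlier, can be audited with the following script. It is an added example, not code from this post or from the Unmask Parasites tool; the configuration embedded in it is constructed for the example, and its hostname and paths are hypothetical.

```python
"""Audit an Apache configuration for doorway VirtualHosts on non-default ports.

Added example, not code from the original post. It flags the pattern the
article describes: extra Listen directives, <VirtualHost *:port> blocks on
ports you did not open yourself, DocumentRoots outside the legitimate web
root, and log files that differ from the main site's (so the spam traffic
never shows up in the logs a webmaster reads). SAMPLE_CONFIG is constructed
for this example; its hostname and paths are hypothetical.
"""
import re
import shlex
from dataclasses import dataclass, field

EXPECTED_PORTS = {80, 443}


@dataclass
class VHost:
    ports: list
    server_name: str = ""
    document_root: str = ""
    logs: list = field(default_factory=list)


def _port_of(address):
    """'*:9955' -> 9955, '1.2.3.4:80' -> 80, '*' or '[::1]' -> 80 (Apache's default)."""
    _, sep, port = address.rpartition(":")
    return int(port) if sep and port.isdigit() else 80


def parse_config(text):
    """Return (set of Listen ports, list of VHost) from one Apache config file."""
    listens, vhosts, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank line or comment
            continue
        m = re.match(r"Listen\s+(?:\S*:)?(\d+)", line, re.I)
        if m:                                          # Listen 80 / Listen 1.2.3.4:9955
            listens.add(int(m.group(1)))
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:                                          # <VirtualHost *:9955 *:57333>
            current = VHost(ports=[_port_of(a) for a in m.group(1).split()])
            continue
        if current is None:
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
            continue
        try:
            tokens = shlex.split(line)                 # honours quoted paths
        except ValueError:                             # unbalanced quote: fall back
            tokens = line.split()
        key, value = tokens[0].lower(), (tokens[1] if len(tokens) > 1 else "")
        if key == "servername":
            current.server_name = value
        elif key == "documentroot":
            current.document_root = value
        elif key in ("customlog", "errorlog", "transferlog"):
            current.logs.append(value)
    return listens, vhosts


def audit(text, expected_ports=EXPECTED_PORTS, web_root="/var/www"):
    """Return human-readable findings; an empty list means nothing suspicious."""
    listens, vhosts = parse_config(text)
    findings = []
    for port in sorted(listens - set(expected_ports)):
        findings.append(f"Listen {port}: Apache accepts connections on a port you did not open")
    legit_logs = set()                                 # logs of the vhosts you know about
    for vh in vhosts:
        if all(p in expected_ports for p in vh.ports):
            legit_logs.update(vh.logs)
    root_prefix = web_root.rstrip("/") + "/"
    for vh in vhosts:
        name = vh.server_name or "*"
        for port in vh.ports:
            if port in expected_ports:
                continue
            findings.append(f"{name}:{port}: VirtualHost on a non-default port")
            if vh.document_root and not vh.document_root.startswith(root_prefix):
                findings.append(f"{name}:{port}: DocumentRoot {vh.document_root} is outside {web_root}")
            for log in vh.logs:
                if log not in legit_logs:
                    findings.append(f"{name}:{port}: logs to {log}, not to the main site's log files")
    return findings


# Constructed sample: a legitimate site on :80 plus the intruder's additions.
SAMPLE_CONFIG = """
Listen 80
Listen 443 https
# the two directives below were not added by the administrator
Listen 9955
Listen 57333

<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example
    CustomLog "/var/log/apache2/example-access.log" combined
    ErrorLog /var/log/apache2/example-error.log
</VirtualHost>

<VirtualHost *:9955 *:57333>
    ServerName www.example.org
    DocumentRoot /tmp/.p/soft
    CustomLog /tmp/.p/soft.log combined
    ErrorLog /dev/null
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against every file under the Apache configuration directory (the parser does not follow Include directives), then cross-check with `apachectl -S`, which prints every configured virtual host and its port, and with the listening sockets reported by `netstat -tlnp` or `ss -tlnp`. A port Apache listens on that appears in no configuration file you know about is the finding that matters.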

Some of these servers are dedicated and host only one or two sites. Others are shared and host hundreds of sites; every hosted domain name coupled with the rogue port number can then be used to reach the doorway pages (for example, the server at 204 .12 .102 .194 (HostMySite) that hosts 150+ domains).

On some servers, hackers configured doorways on multiple alternative ports. For example, on datamancer .net, I discovered rogue sites on ports 5946, 9955 and 57333.

Pirate sites

The pirate sites look almost the same as they did more than a year ago when I first blogged about them: just a minor facelift and new domain names.

The domain names currently in use are really new: they were all registered on October 4th, 2010.

softbuycatalog .com (created 2010-10-04 23:32:22)
softbuy-download .net (created 2010-10-04 23:32:50)
topoemsoftware .net (created 2010-10-04 23:33:08)
cheapsoftwareus .net (created 2010-10-04 23:33:31)
cheapsoftwareus .com (created 2010-10-04 23:33:37)
payment8ltd .net (created 2010-10-04 23:20:27)

Their WHOIS information is most likely forged (different contact details and different cities, yet only seconds between registrations).

The payment8ltd .net domain is used for payment processing. It has an SSL certificate issued on Nov 16th, 2010 by GoDaddy. That shouldn't be taken as a sign of the site's legitimacy: a domain-validated certificate only asserts that the server really is payment8ltd .net and says nothing about who owns the domain.

[Screenshot 3: payment8ltd.net SSL certificate]

They also use a couple more domains, paym8limited .com and paym8ltd .net; most likely this is how they pretend to be the "Paym8 (Pty) Ltd" company whose "TrustWave Trusted Commerce" seal (not linked to any particular site) they display on their order pages.

All these domains currently point to a server with IP address 195 .80 .151 .115 (Instantexchanger Ltd, United Kingdom).

Traffic estimates

According to Alexa, these sites started to gain a steady amount of traffic right from the moment of their registration.

[Screenshot 4: Alexa traffic graphs for cheapsoftwareus .com and topoemsoftware .net]

Since these domains are part of the same black-hat SEO campaign, you should sum each domain's traffic to estimate the scale of the problem. I guess the number is about 1,000 visitors/day, or 30,000 visitors/month. Not that impressive, but I think this may be only the tip of the iceberg.

This server also hosts many more similar pirate sites that were registered on different dates:

adobecs4oem .com
adobecs5oem .com
adobeoem .net
adobeoem .org
business-downloads .com
buyoemsoftware .info
buyoemsoftware .us
cheapoemdownloads .com
cheapsoftwareus .net
crystal-downloads .com
cs5oem .com
discountoemdownload .com
downloadroyal .net
excellent-downloads .com
excellent-downloads .net
excellent-software .net
next-downloads .net
next-software .com
next-software .net
oem-collection .net
oemcs5 .com
oemka .com
oemmicrosoft .com
oemsoftwareseller .com
paym8limited .com
paym8ltd .net
royal-quality .net
royal-retailer .com
royal-service .net
royal-soft .net
royal-store .net
royalapps .net
royaldownload .net
royalmicrosoft .com
salesoftware .org
shop4soft .com
softbuy-download .com
softbuy-download .net
softbuycatalog .com
software-master .net
software-reseller .net
software-search .net
softwareoemdownloads .com
softwareultd .com
top-oem .net
top1oem .com
topoemdownloads .net
update-downloads .net
z-oem .com

Negligence of hijacked sites

With little change, this black-hat SEO campaign has been active for a very long time, I guess for more than two years. What makes it possible is the negligence of administrators of reputable web resources.

If you take a look at the list of compromised sites you'll see many American, European and Australian educational sites (.edu and .ac.uk, including departments of well-known universities like MIT, Stanford and Johns Hopkins University), US and Australian governmental sites (e.g. the site of the Department of the Premier and Cabinet of South Australia), sites of prominent international organizations (e.g. UNIFEM, Catholic League) and prominent Internet resources like the Webby Awards, Locker Gnome, etc.

The list has hardly changed since my article last year. Back then I tried to contact compromised sites directly and tell them about the problem. In most cases I was simply ignored. A couple of webmasters thanked me for the information and told me how seriously they take security, but refused to co-operate in my investigation or share any information about the internals of the hack. Not surprisingly, these sites are still hacked.

To help site admins who can't detect such problems themselves, I decided to publish my list of compromised sites with doorways on non-default ports:

  1. www.techdis.ac.uk:55555
  2. www.datamancer.net:9955 - (fixed as of Dec 8, 2010)
  3. www.datamancer.net:57333 - (fixed as of Dec 8, 2010)
  4. www.datamancer.net:5946 - (fixed as of Dec 8, 2010)
  5. uxnet.org:4433
  6. www.watertaxibeach.com:3306 – (fixed as of Dec 8, 2010)
  7. honors.rit.edu:8888
  8. honors.rit.edu:7777
  9. www.notiuno.com:2525
  10. www.nybg.org:7855
  11. www2.nybg.org:5533
  12. www.gamblincolors.com:55559 - (fixed as of Dec 8, 2010)
  13. ttcampus2.com:8080
  14. ttcampus2.com:8000
  15. webbyawards.com:7000
  16. webbyawards.com:5555
  17. www.secs.oakland.edu:8080
  18. awftokyo.com:60006 - (fixed as of Dec 8, 2010)
  19. www.nkeconwatch.com:6680
  20. www.nkeconwatch.com:3355
  21. www.fortune.binghamton.edu:8080
  22. distance-educator.com:8080
  23. refbase.net:8080
  24. schoolgardenwizard.org:55554 - (fixed as of Dec 8, 2010)
  25. nrri.org:8080
  26. iadas.net:7777
  27. artoflogic.com:2323
  28. anti-occupation.org:6666
  29. www.kvmr.org:7777
  30. www.expressobeans.com:4444
  31. authenticjournalism.org:2222
  32. www.shirky.com:8888
  33. www.cinde.org:8082
  34. www.crimepreventionottawa.ca:55558 - (fixed as of Dec 8, 2010)
  35. www.shirky.com:7777
  36. www.tealgroup.com:4444
  37. nrri.org:5555
  38. www.saflii.info:5533
  39. www.loquatmusic.com:60005
  40. narcosphere.narconews.com:5555
  41. www.narconews.com:6666
  42. en.jurispedia.org:8022
  43. www.motor.de:2222
  44. www.graphic.com.gh:60000 - (fixed as of Dec 8, 2010)
  45. www.willwilkinson.net:9999
  46. lpbk.net:8890
  47. www.cdlmadrid.es:9888
  48. www.mechmind.com:3342
  49. ddl.me.cmu.edu:2525
  50. www.ulii.org:8888
  51. visitdelaware.com:8888

Another list of hijacked sites with doorway pages relevant to this article can be found here (almost 200 domains).

To webmasters. (Doorway/spammy links detection.)

Doorway pages on compromised legitimate sites are a very popular tool for cyber-criminals to drive traffic to their shady resources. They work quite well because many webmasters don't look after their sites and can't detect this sort of breach.

If you don't want to help hackers make money by abusing your site's resources, you should know how to detect doorway pages and spammy links on your site. Here are some tips:

1. Register your site with Google Webmaster Tools and regularly check the "Search queries" and "Links to your site" reports. Irrelevant queries and suspicious links warrant additional investigation.

2. Regularly conduct [site:your-site-name.com] searches (replace your-site-name.com with the domain name of your site) and check which web pages search engines have indexed.

3. If your site has many pages (hundreds or more), narrow down the site: searches by adding popular spammy keywords (e.g. generic viagra, cialis, pills, casino, poker, mortgage, cheap loans, discount, porn, photoshop cs4 and other so-called "3 Ps" keywords).

4. If you don't normally use the above spammy keywords on your site, consider creating alerts for site-level searches with those keywords (e.g. [site:your-site-name.com generic viagra]).

5. Use the "Fetch as Googlebot" tool in Webmaster Tools to find out what Google sees when indexing your site. This can reveal cloaking keyed on the crawler's user agent. Doorways also key on where a visitor comes from, so additionally request the suspicious URL yourself with a Google search page as the Referer and see whether you get redirected.

6. You can also use the Unmask Parasites online tool to check your web pages for hidden spammy links and cloaking issues.

7. Consider some sort of integrity control for the site files on your server. A version control system can help you detect unauthorized changes to your files and revert them to their original state. Bear in mind, though, that the doorways described in this post live outside the site's file system, so also review the Apache configuration (Listen and VirtualHost directives), the list of ports the server actually listens on, and the log files of every virtual host, not just your own.
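The conditional behaviour described at the start of this post (spammy content for the crawler, a 301 off-site for visitors arriving from a search result, as in the headers quoted in the "Some technical details" section) can be checked directly with the script below, which covers tips 5 and 6 from a webmaster's own machine. It is an added example, not code from this post or from the Unmask Parasites tool. The sample responses embedded in it are constructed: the redirect headers are the ones quoted above for the doorway on www.datamancer.net:9955, while the browser and crawler responses are hypothetical.

```python
"""Check one URL for search-engine cloaking and conditional redirects.

Added example; it is neither code from the original post nor the Unmask
Parasites tool. It requests the same URL three ways (plain browser, a browser
arriving from a Google search, and Googlebot) without following redirects and
compares what comes back. A doorway page treats each visitor differently: a
normal page for the casual visitor, keyword-stuffed text for the crawler, and
an off-site redirect for anyone arriving from a search result. SAMPLE_RESPONSES
is constructed from the redirect headers quoted in the article; the browser
and crawler responses in it are hypothetical.
"""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "from_google": {"User-Agent": BROWSER_UA,
                    "Referer": "http://www.google.com/search?q=buy+windows+7+key"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}
# X- headers that ordinary sites commonly send; any other X- header is reported.
KNOWN_X_HEADERS = {"x-powered-by", "x-frame-options", "x-content-type-options",
                   "x-xss-protection", "x-ua-compatible", "x-pingback"}


@dataclass
class Response:
    status: int
    headers: dict      # lower-cased header names
    body: bytes


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, extra_headers, timeout=10):
    """Fetch `url` once with the given request headers (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=extra_headers)
    try:
        with opener.open(request, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read())
    except urllib.error.HTTPError as e:          # 3xx, 4xx and 5xx land here
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read())


def analyse(url, responses):
    """Compare per-profile responses to `url`; returns a list of findings (empty = clean)."""
    site_host = urlparse(url).hostname
    findings = []
    for profile, resp in responses.items():
        target = urlparse(resp.headers.get("location", ""))
        if 300 <= resp.status < 400 and target.hostname and target.hostname != site_host:
            findings.append(f"{profile}: {resp.status} redirect off-site to {target.hostname}")
            for tag in parse_qs(target.query).get("cpn", []):   # campaign tag seen in the article
                findings.append(f"{profile}: redirect carries campaign tag {tag}")
        for name, value in resp.headers.items():
            if name.startswith("x-") and name not in KNOWN_X_HEADERS:
                findings.append(f"{profile}: unusual header {name}: {value}")
    statuses = {p: r.status for p, r in responses.items()}
    if len(set(statuses.values())) > 1:
        findings.append(f"status code depends on the visitor: {statuses}")
    digests = {p: hashlib.sha256(r.body).hexdigest()[:12]
               for p, r in responses.items() if r.status == 200}
    if len(set(digests.values())) > 1:
        findings.append(f"200 responses differ by visitor (cloaking?): {digests}")
    return findings


def check(url):
    """Fetch `url` under every profile and analyse the results."""
    return analyse(url, {p: fetch(url, h) for p, h in PROFILES.items()})


# Constructed sample: the redirect headers are the ones quoted in the article for
# the doorway on www.datamancer.net:9955; the other two responses are hypothetical.
SAMPLE_URL = "http://www.datamancer.net:9955/"
SAMPLE_RESPONSES = {
    "browser": Response(200, {"content-type": "text/html"}, b"<html>Welcome</html>"),
    "from_google": Response(301, {
        "cache-control": "no-cache, must-revalidate, private, max-age=0",
        "x-engine": "rx-engine",
        "location": "http://topoemsoftware.net/shop/search/"
                    "?s=windows%257&cpn=www_datamancer_net_soft_ports4",
        "server": "Apache", "content-length": "0"}, b""),
    "googlebot": Response(200, {"content-type": "text/html"},
                          b"<html>buy windows 7 key cheap oem download</html>"),
}

if __name__ == "__main__":
    for finding in analyse(SAMPLE_URL, SAMPLE_RESPONSES):
        print(finding)
```

To test a live page, call check("http://your-site-name.com/suspicious/path") and read the findings; a page that returns the same status and body to all three profiles and redirects only within its own host produces none. Bodies are compared by hash, so pages with per-request nonces or timestamps will always differ; in that case compare the status codes and Location headers, which a doorway cannot randomise without breaking its redirect.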

Have your say

What do you think about web spam on reputable sites? Are the owners of trusted web resources responsible when they neglect their sites' security and allow cyber criminals to abuse their authority for years?


Reader's Comments (12)

  1. |

    [...] This post was mentioned on Twitter by Denis, Rhonda Kreklau. Rhonda Kreklau said: Doorways on Non-default Ports — New Trend in Black Hat SEO? – Unmask Parasites – http://tinyurl.com/2c52v3s [...]

  2. |

    Great article. Now, can you please stop calling these guys Hackers? Being a Hacker and being a cracker are completely unrelated things.

    These guys are cracking servers to improve their SEO rating.

    A Hacker is a person who hacks. A Hack is something hard to define, but is basically any activity that has “hack value”, this hack value being: Creativity, playfulness, etc.

    Some of these Crackers might also be Hackers, but they might also be husbands, bus drivers, or public masturbators. None of those activities have anything to do with what you are reporting, therefore you don't mention them. Why would you mention Hacking, when it doesn't have anything to do with this either?

    I suggest you read this for clarification: http://stallman.org/articles/on-hacking.html

    We’ll all appreciate it if you stopped using the word Hacker improperly.

  3. |

    From wikipedia:
    “Rx” is often used as a short form for prescription drug in North America. It is in fact an abbreviation for the Latin “recipe,” the imperative form of “recipere,” meaning “take thus.”

  4. |

    @Almafuerte

    I too once thought as you. But at this point the word ‘hacker’ does not mean what it did in the late 70s and *VERY* early 80s. Its meaning has changed. We do not like it but it is what it is. A better newer term is maker (but even that is not quite right) for what you describe. So yes an honorific title has been stripped from our culture and changed meaning. Much as the word pirate does not exactly mean the same thing anymore. It happens, words change meaning.

    Correcting people like this does not help. They just shrug their shoulders and think you are loony for even bringing it up.

    The *ONLY* way to take the word back is to use it the way you intend. People around you will start doing the same. But stopping them and correcting them like this does not stop them. It only serves to make you look like a poor loser.

  5. |

    Hello I am from Datamancer.net. My Google alerts pointed me at your page. Thanks for the heads-up. I had actually just cleansed my site of all of these exploits just last week, but if I hadn’t known about it already, it would have been good to have been alerted to them by your page.
    I think a lot of these exploits are enabled by outdated installations of “canned” PHP scripts like blogs and shopping carts. The way I killed them was a combination of I.P.-blocking through .htaccess, and hunting down and deleting a bunch of folders on my site with names like .svt, .p, .php, etc. If you’re another webmaster just discovering this article and these exploits, be sure to search your folders for any subfolders fitting that format and delete them (or at the very least, CHMOD them to 0)

    Thanks again,
    -Rich

    • |

      Hi Rich!

      Thanks for sharing your experience with this hack.

      Could you also share information about how they configured alternative ports on your web server?
      What permissions did the Apache config files have? Did you disable unused ports? etc.

      You can contact me directly if you don’t want to mention some sensitive information here.

  6. |

    I have suspected for some time that spammers “get to” people who have access to these networks, the admins perhaps. Or it may be that the spammers, the word I prefer, are the admins or that they are selling their “services” to the spammers.

    This whole situation smacks of inside job. It is executed in a way that allows the admin to deny knowledge of the hack. If the admin leaves, the doorway(s) remain in place for the next unsuspecting webmaster. If it is discovered, the admin just has to act surprised.

    Spammers can afford large cash payments to admins or webmasters. $10,000.00 is nothing if they can utilize your established traffic.

    I started to suspect insider spamming when users, having been infected with spam/malware, maintained that they just went to, for example, msnbc.com–or other mainstream legitimate site. I believe them, being good people with no reasonable privacy in their office.

    Anyway, the malware was installed by way of activex using Internet Explorer, of course. The user either had to authorize the download of the code or the site was already trusted, avoiding the prompt to install the malware. The malware was a simple .exe stored in the Application Data folder, loaded on startup from a registry entry. Not even sophisticated enough to be called hacking. Here’s a suggestion: This ActiveX component wishes to access the registry. Do you want to allow this? Yes No (trusted or not)

    Another suggestion, if your company owns a high traffic website, you need to get a professional (yes, expensive) security audit from a 3rd party researcher or consultant.

  7. |

    [...] or a server work as expected, that does not mean they are free of viruses or trojans. (via Unmask Parasites) Report or [...]

  8. |

    [...] post at blog.unmask.parasites details the ‘whens and hows’ of this compromise method.  Definitely a technical read, [...]

  9. |

    [...] for unauthorized content. The blog Unmask Parasites has some great tips on both of these fronts in a post that highlights a recent and persistent variation of the Hostmonster attack. var [...]

  10. |

    [...] Recently, a lot of high-profile .EDU and .GOV sites were hijacked to redirect users to fake online stores. Google searches related to buying software ("buy windows 7 key", where to buy microsoft, "purchase microsoft word", "buy microsoft office", etc.) contain a long list of websites running on non-standard ports: http://www.kidsforkidsfestival.org:8080, en.jurispedia.org:4444, www.notiuno.com:4577, etc. These links redirect users to online stores which claim to sell software at a discounted price. [...]