Foks, a frequent contributor to my investigations, recently pointed me at an interesting black hat SEO campaign where thousands of hacked WordPress blogs and Joomla sites were used to create doorways promoting online stores selling various “slimming pills” and fake luxury goods.
During the last few years I have seen many attacks where cyber criminals created large spammy sites in subdirectories of hacked legitimate sites. It’s an easy way to create millions of doorway pages on thousands of established domains with a good reputation, for free (owners of hacked sites pay for hosting, bandwidth and domains) — typical parasitic behavior. Webmasters normally only visit pages they created themselves and rarely check what happens in subdirectories, so they may not notice spammy sections for months. Sometimes such sections are significantly larger than the legitimate sections of hacked websites and attract much more search traffic.
The back end of such rogue sections is usually some doorway-generating script along with rewrite rules in .htaccess, or a simple blogging engine like FlatPress that doesn’t require a database. The only requirement of such solutions is PHP, so they will work on most websites.
However, this time spammers chose WordPress as the back end for their doorways. After all, if they hack a WordPress blog, the server is guaranteed to be compatible with WordPress, and all they need to do to install a new instance is get the MySQL password from the existing wp-config.php and choose a different table prefix for their WordPress database.
Most likely, they use brute-force attacks to guess the admin password.
(From here on I will use WordPress for my examples, as I know it better than Joomla and there are more hacked WP blogs than Joomla sites.)
Using the stolen credentials, log into the WordPress admin interface and use the Theme Editor to inject a web shell into some existing plugin (usually Akismet).
Using the web shell, create a subdirectory for a new doorway blog. Typical names of such subdirectories are:
As you can see, the names of subdirectories suggest that there shouldn’t be any web pages there.
Upload a WordPress installation package into that subdirectory and unzip it. (I found an unzip.php/un.php/u.php web unzip utility with a Chinese interface in those subdirectories on many hacked sites.)
Get the MySQL database credentials from wp-config.php of the hacked WP blog, or from configuration.php in the case of Joomla. Enter these credentials into wp-config.php of the doorway blog. Choose some unique table prefix for the database of the doorway blog. Then complete the blog installation process by opening its “wp-admin/install.php” script.
Install a new WordPress theme that mimics the interface of the online store that this particular doorway works with.
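The two fingerprints this installation step leaves behind are a second wp-config.php somewhere below the document root and a second set of WordPress core tables, under a different prefix, in the legitimate blog’s database. The following script (an added example, not a tool from the original post) checks for both: it walks a web root looking for nested wp-config.php files and reads their $table_prefix, and it groups the output of SHOW TABLES by prefix so that any prefix other than the legitimate one stands out. The directory tree and the table list are constructed samples; the paths and prefixes (wp-content/upgrade/new/, xy7_) are assumptions modelled on the campaign described here.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample tree: the legitimate blog at the web root plus a rogue
# WordPress install dropped into wp-content/upgrade/new/ (assumed path).
SAMPLE_FILES = {
    "wp-config.php": "<?php\n$table_prefix = 'wp_';\ndefine('DB_NAME', 'blog');\n",
    "wp-content/plugins/akismet/akismet.php": "<?php // plugin code\n",
    "wp-content/upgrade/new/wp-config.php": "<?php\n$table_prefix = 'xy7_';\ndefine('DB_NAME', 'blog');\n",
    "wp-content/upgrade/new/xmlrpc.php": "<?php // rogue copy of core\n",
}

# Constructed SHOW TABLES output: two WordPress installs sharing one database.
SAMPLE_TABLES = [
    "wp_options", "wp_posts", "wp_postmeta", "wp_users", "wp_term_relationships",
    "xy7_options", "xy7_posts", "xy7_postmeta", "xy7_users",
]

# Core table names WordPress creates under every $table_prefix.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "termmeta", "terms",
               "usermeta", "users")

PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]")


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root so the scan can run offline."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def read_table_prefix(config_path):
    """Extract $table_prefix from a wp-config.php; None if it is not set."""
    with open(config_path) as fh:
        match = PREFIX_RE.search(fh.read())
    return match.group(1) if match else None


def find_wordpress_installs(webroot):
    """Map every directory holding a wp-config.php (relative to webroot) to its prefix."""
    installs = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if "wp-config.php" in files:
            rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
            installs[rel] = read_table_prefix(os.path.join(dirpath, "wp-config.php"))
    return installs


def rogue_installs(installs):
    """Only the install at the web root ('.') is expected; anything nested is suspect."""
    return {d: p for d, p in installs.items() if d != "."}


def prefixes_in_database(table_names):
    """Group table names by the prefix that precedes a WordPress core table name."""
    seen = defaultdict(set)
    for name in table_names:
        for core in CORE_TABLES:
            if name.endswith("_" + core):
                seen[name[: -len(core)]].add(core)
                break
    return dict(seen)


def unexpected_prefixes(table_names, legitimate_prefix):
    """Prefixes of WordPress core tables that the legitimate blog does not own."""
    return sorted(p for p in prefixes_in_database(table_names) if p != legitimate_prefix)


def scan_sample():
    """Run the file-system scan against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        installs = find_wordpress_installs(root)
    return installs, rogue_installs(installs)


if __name__ == "__main__":
    installs, rogue = scan_sample()
    print("WordPress installs found:", installs)
    print("Rogue (nested) installs:", rogue)
    print("Unexpected table prefixes:", unexpected_prefixes(SAMPLE_TABLES, "wp_"))
```

Run the file-system part from the server’s document root and the table part against the real SHOW TABLES output; a nested install whose prefix also appears in the database is exactly the setup described in this step.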
When you click on any item, you get redirected to the corresponding section of the promoted website.
Text of blog posts can be found two screens below the fold – it’s only for search engines.
Log into the new doorway blog and enable remote publishing. This option allows spammers to use automated tools to post new articles via the XML-RPC protocol.
Here’s an excerpt from a log file that shows how they post using XML-RPC:
188.8.131.52 - - [13/Apr/2012:20:19:18 +0200] "POST /wp-content/upgrade/new/wp-login.php HTTP/1.1" 302 - "http://DOMAIN-REMOVED/wp-content/upgrade/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
184.108.40.206 - - [13/Apr/2012:20:20:54 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 501 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
220.127.116.11 - - [13/Apr/2012:20:21:25 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 4300 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
18.104.22.168 - - [13/Apr/2012:20:25:21 +0200] "POST /wp-content/upgrade/2012/xmlrpc.php HTTP/1.1" 200 4324 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
22.214.171.124 - - [13/Apr/2012:20:35:31 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 893 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
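The excerpt has two things a defender can key on: the xmlrpc.php being posted to is not the one at the document root, and the client identifies itself as a generic Java XML-RPC library rather than a WordPress client. The script below (an added example, not part of the original post) parses Apache combined-format lines and flags XML-RPC POSTs matching either condition, then summarises hits by path, IP and user agent. The sample input is the five lines from the excerpt above (IP addresses as they appear there) plus two constructed benign requests for contrast; the 192.0.2.x addresses and the "WordPress/3.3.1" user agent are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: the five lines from the excerpt above plus two constructed benign lines.
SAMPLE_LOG = """
188.8.131.52 - - [13/Apr/2012:20:19:18 +0200] "POST /wp-content/upgrade/new/wp-login.php HTTP/1.1" 302 - "http://DOMAIN-REMOVED/wp-content/upgrade/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
184.108.40.206 - - [13/Apr/2012:20:20:54 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 501 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
220.127.116.11 - - [13/Apr/2012:20:21:25 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 4300 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
18.104.22.168 - - [13/Apr/2012:20:25:21 +0200] "POST /wp-content/upgrade/2012/xmlrpc.php HTTP/1.1" 200 4324 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
22.214.171.124 - - [13/Apr/2012:20:35:31 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 893 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
192.0.2.10 - - [13/Apr/2012:20:40:00 +0200] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/3.3.1; http://example.com"
192.0.2.11 - - [13/Apr/2012:20:41:07 +0200] "GET /2012/04/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
""".strip().splitlines()

# On a single-site install only the root xmlrpc.php should ever be hit.
EXPECTED_XMLRPC_PATHS = {"/xmlrpc.php"}

# User-agent prefix of the generic Java client seen in the excerpt.
GENERIC_XMLRPC_UA = "Apache XML RPC"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious(rec):
    """XML-RPC POST to a non-root endpoint, or from the generic XML-RPC library client."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]
    if not path.endswith("/xmlrpc.php"):
        return False
    return path not in EXPECTED_XMLRPC_PATHS or rec["ua"].startswith(GENERIC_XMLRPC_UA)


def summarize(lines):
    """Parse lines, keep suspicious XML-RPC posts, and count them by path, IP and UA."""
    hits = [rec for rec in map(parse_line, lines) if rec and is_suspicious(rec)]
    return {
        "hits": len(hits),
        "by_path": Counter(rec["path"] for rec in hits),
        "by_ip": Counter(rec["ip"] for rec in hits),
        "by_ua": Counter(rec["ua"] for rec in hits),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("suspicious XML-RPC posts:", report["hits"])
    for path, count in report["by_path"].most_common():
        print(f"  {count:4d}  {path}")
```

The "by_path" counts are the most useful output: every path other than /xmlrpc.php that receives XML-RPC posts points at a WordPress copy that the site owner did not install. Tighten EXPECTED_XMLRPC_PATHS if the site legitimately runs WordPress in a subdirectory.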
With various modifications, this particular campaign has been active for at least a year now. However, most of the “slimming” blogs that I describe here were created in March 2012.
At this point I have found such doorway blogs on about 3,000 hacked sites with unique domain names. There are usually 1-4 different doorway blogs on each domain – each blog promotes a different online store.
Here’s an incomplete list of the promoted sites:
Each blog (created in March) has 200-500 posts, which means about a million doorway pages targeted at all sorts of keyword combinations on “diet pills” and “luxury” topics.
The posts are keyword-rich gibberish with cross-links to doorway blogs on other domains.
Their only purpose is to get indexed by search engines so that the doorways rank well for targeted keywords. Apparently, this works quite well. I can see many doorways on the first pages of Google search results for most searches I checked (three words or more), e.g. [buy meizitang in dallas], [botanical slimming capsule australia], [Givenchy Outlet in Abu Dhabi UAE], [buy cheap Fendi Boston].
A few days ago I reported those blogs to Google and they have already removed many of them from their index. I hope Google will figure out a way to detect such blogs itself and won’t index doorways in the first place leaving spammers less incentive to hack legitimate sites.
Unlike the black hat SEO campaigns that I blogged about before, this one has strong Chinese traces. It promotes sites that sell Chinese goods and are run by Chinese operators. For example, all “slimming” and “fake luxury” sites feature the same Western Union payment recipient:
Moreover, the doorways use a counter script from the Chinese 51.la service. The unzip scripts found on hacked sites have a Chinese user interface. And the IP addresses of people who logged into the WordPress admin interface of the doorway blogs are also Chinese (e.g. 126.96.36.199).
It is also worth noting that cyber criminals not only use those hacked sites for black hat SEO, but also place phishing files there.
For example, this HSBC phishing form was found under wp-content/plugins/akismet/ (in subdirectories with names like 0nl, ama, atu, b4t, etc.)
The phishing files are:
If you ever considered buying something from online stores that sell fake goods, generic pills or pirated software — think again. Now you know that you are buying from the same people who try to steal your banking details. All their assurances that “safety of your personal information is extremely important to them”, along with fake “Better Business Bureau” and fake security seals, are just tricks to make you feel safe while you are being robbed.
Your site, no matter how big or small it is, is a valuable resource for cyber criminals. As you can see, they can host doorways and phishing pages there. And these are only two of many more site abuse scenarios. Be prepared to protect your site and regularly check it for security issues.
Your comments and additional information are welcome.