Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Careless Webmasters as WordPress Hosting Providers for Spammers

18 May 2012, filed in Website exploits

Foks, a frequent contributor to my investigations, recently pointed me at an interesting black hat SEO campaign in which thousands of hacked WordPress blogs and Joomla sites were used to create doorways promoting online stores that sell various “slimming pills” and fake luxury goods.

doorway blogs

Over the last few years I have seen many attacks in which cyber criminals created large spammy sites in subdirectories of hacked legitimate sites. It’s an easy way to create millions of doorway pages on thousands of established domains with good reputation, for free (the owners of the hacked sites pay for hosting, bandwidth and domains): typical parasitic behavior. Webmasters normally only visit pages they created themselves and rarely check what happens in subdirectories, so they may not notice spammy sections for months. Sometimes such sections are significantly larger than the legitimate part of the hacked website and attract much more search traffic.

The back end of such rogue sections is usually some doorway-generating script along with rewrite rules in .htaccess, or a simple blogging engine like FlatPress that doesn’t need a database. The only requirement of such solutions is PHP, so they work on most websites.

This time, however, the spammers chose WordPress as the back end for their doorways. After all, if they hack a WordPress blog, the server is guaranteed to be compatible with WordPress, and all they need to do to install a new instance is take the MySQL credentials from the existing wp-config.php and choose a different table prefix for their own WordPress tables.

Here’s how the attack works:

Step 1. Get admin passwords for WordPress or Joomla.

Most likely they use brute-force attacks to guess the password.

Step 2. Inject a backdoor

(From here on I’ll use WordPress for my examples, as I know it better than Joomla and there are more hacked WP blogs than Joomla sites.)

Using the stolen credentials, log into the WordPress admin interface and use the built-in file editor (the Theme/Plugin Editor) to inject a web shell into a file of an existing plugin (usually Akismet).

Step 3. Create a subdirectory

Using the web shell, create a subdirectory for a new doorway blog. Typical names of such subdirectories are:

  • /wp-content/upgrade/2012/
  • /wp-content/upgrade/new/
  • /wp-content/upgrade/css/
  • /wp-content/upgrade/luxury
  • /wp-content/themes/2012/
  • /wp-content/themes/new/
  • /wp-content/themes/slimming/
  • /wp-content/themes/luxury
  • /wp-content/plugins/css/
  • /wp-content/plugins/slimming/
  • /wp-content/plugins/luxury/
  • /wp-content/uploads/css/
  • /wp-content/uploads/php/2012/
  • /wp-content/uploads/php/luxury/
  • /wp-content/uploads/php/new/
  • /wp-content/uploads/slimming
  • /wp-content/slimming/
  • /media/2012/
  • /media/css/
  • /php/2012/
  • /php/new/
  • /php/luxury
  • /modules/css/
  • /api/luxury/
  • /include/luxury/
  • /includes/css

As you can see, these are directories where no web pages should exist at all.

Step 4. Upload WordPress installation package

Upload a WordPress installation package into that subdirectory and unzip it. (In those subdirectories on many hacked sites I found a web unzip utility named unzip.php, un.php or u.php, with a Chinese-language interface.)

unzip.php

Step 5. Get MySQL credentials and install WordPress

Get the MySQL database credentials from the wp-config.php of the hacked WP blog (or from configuration.php in the case of Joomla). Enter these credentials into the wp-config.php of the doorway blog, choose a unique table prefix for the doorway blog’s tables, and complete the installation by opening its “wp-admin/install.php” script. Because both installs now share one database, the rogue tables sit right beside the legitimate ones, distinguished only by their prefix.
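The two artefacts that Steps 3 and 5 leave behind are a second wp-config.php somewhere below the site root and PHP files in directories that should only ever hold static content or be empty. The following scanner is an added example (my code, not the original post’s and not a WordPress tool): it walks a web root, reports nested WordPress configs, notes whether they reuse the root site’s DB_NAME/DB_USER/DB_HOST with a different $table_prefix, and lists PHP files under wp-content/uploads and wp-content/upgrade, including the unzip.php/un.php/u.php helper names mentioned above. The mock site it builds in a temporary directory is constructed test data.

```python
"""Find WordPress installs nested inside another WordPress site (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Directories that should never contain PHP after an install is finished.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/upgrade")
# Web "unzip" helper names observed in the post.
UNZIP_HELPERS = {"unzip.php", "un.php", "u.php"}

DEFINE_RE = re.compile(
    r"define\(\s*['\"](DB_NAME|DB_USER|DB_HOST)['\"]\s*,\s*['\"]([^'\"]*)['\"]"
)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")


def parse_wp_config(path):
    """Extract DB credentials and $table_prefix from a wp-config.php."""
    text = Path(path).read_text(errors="replace")
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    cfg["table_prefix"] = m.group(1) if m else None
    return cfg


def scan_site(root):
    """Walk a web root and collect signs of a rogue nested WordPress install."""
    root = Path(root)
    findings = {"nested_installs": [], "php_in_static_dirs": [], "unzip_helpers": []}
    root_cfg_path = root / "wp-config.php"
    root_cfg = parse_wp_config(root_cfg_path) if root_cfg_path.exists() else {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if name == "wp-config.php" and rel_dir != ".":
                cfg = parse_wp_config(Path(dirpath) / name)
                # Same database as the legitimate site, different prefix: the doorway pattern.
                shares_db = bool(root_cfg) and all(
                    cfg.get(k) == root_cfg.get(k) for k in ("DB_NAME", "DB_USER", "DB_HOST")
                )
                findings["nested_installs"].append(
                    {"path": rel, "shares_root_db": shares_db, "table_prefix": cfg.get("table_prefix")}
                )
            if name.lower().endswith(".php") and rel_dir.startswith(NO_PHP_DIRS):
                findings["php_in_static_dirs"].append(rel)
            if name in UNZIP_HELPERS:
                findings["unzip_helpers"].append(rel)
    return findings


def build_sample_site(base):
    """Constructed mock of a hacked site (test data only, not a real site)."""
    base = Path(base)
    live_cfg = "<?php\ndefine('DB_NAME', 'wp_live');\ndefine('DB_USER', 'wp_user');\ndefine('DB_HOST', 'localhost');\n"
    files = {
        "wp-config.php": live_cfg + "$table_prefix = 'wp_';\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // legitimate plugin file\n",
        "wp-content/uploads/2012/05/photo.jpg": "not really a jpeg",
        # Rogue doorway install: same credentials, different prefix, under wp-content/upgrade/.
        "wp-content/upgrade/new/wp-config.php": live_cfg + "$table_prefix = 'ns_';\n",
        "wp-content/upgrade/new/xmlrpc.php": "<?php // rogue copy of xmlrpc.php\n",
        "wp-content/uploads/php/2012/unzip.php": "<?php // web unzip helper\n",
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def demo():
    """Scan the constructed mock site and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_sample_site(tmp))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real site, call scan_site() on the document root; a nested wp-config.php that shares the root’s credentials is worth checking in MySQL as well, since SHOW TABLES will then list the foreign prefix next to your own.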

Step 6. Doorway theme

Install a new WordPress theme that mimics the interface of the online store this particular doorway works for.

Doorway theme mimics online store

When you click on any item, you get redirected to the corresponding section of the promoted website.

The text of the blog posts sits two screens below the fold; it is there only for search engines.

Step 7. Enable remote publishing

Log into the new doorway blog and enable remote publishing. This option lets the spammers use automated tools to post new articles over the XML-RPC protocol. (In WordPress 3.5 and later the setting no longer exists: XML-RPC is always on unless you disable it with a plugin or the xmlrpc_enabled filter.)

Remote Publishing in WordPress

Step 8. Post spammy articles

Here’s an excerpt from an access log that shows how they post via XML-RPC. Note the sequence: a login through the doorway’s own wp-login.php, followed by posts to its xmlrpc.php from a Java XML-RPC client whose user agent no browser would send:

218.29.97.165 - - [13/Apr/2012:20:19:18 +0200] "POST /wp-content/upgrade/new/wp-login.php HTTP/1.1" 302 - "http://DOMAIN-REMOVED/wp-content/upgrade/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
218.29.97.165 - - [13/Apr/2012:20:20:54 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 501 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:21:25 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 4300 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:25:21 +0200] "POST /wp-content/upgrade/2012/xmlrpc.php HTTP/1.1" 200 4324 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
218.29.97.165 - - [13/Apr/2012:20:35:31 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 893 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
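The pattern in that excerpt is easy to detect mechanically: any hit on wp-login.php, xmlrpc.php or wp-admin/install.php whose directory is not the site’s real WordPress root is a request to an install that should not exist. The script below is an added example (not from the original post). It parses Apache combined-format lines, derives the install root from the request path, and groups the offending requests per client IP, marking clients that identify as XML-RPC libraries. It assumes the legitimate blog lives at the web root (“/”); the sample lines are constructed, modeled on the excerpt above with documentation-range IPs and example.com in place of the real domain.

```python
"""Flag logins and XML-RPC posting against rogue WordPress installs (added example)."""
import re
from collections import defaultdict

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# WordPress entry points an attacker must touch to log in, install or post.
WP_ENTRY_RE = re.compile(r'^(?P<root>.*/)(?:wp-login\.php|xmlrpc\.php|wp-admin/install\.php)$')
# Programmatic XML-RPC clients rather than browsers (e.g. "Apache XML RPC 3.1.3").
XMLRPC_CLIENT_UA = re.compile(r'XML[- ]?RPC', re.I)

# Constructed sample log, modeled on the excerpt in the post (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Apr/2012:20:10:02 +0200] "GET /2012/04/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"
198.51.100.7 - - [13/Apr/2012:20:12:40 +0200] "POST /xmlrpc.php HTTP/1.1" 200 540 "-" "WordPress/3.3.2; http://example.com"
203.0.113.9 - - [13/Apr/2012:20:19:18 +0200] "POST /wp-content/upgrade/new/wp-login.php HTTP/1.1" 302 - "http://example.com/wp-content/upgrade/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"
203.0.113.9 - - [13/Apr/2012:20:20:54 +0200] "POST /wp-content/upgrade/new/xmlrpc.php HTTP/1.1" 200 501 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
203.0.113.9 - - [13/Apr/2012:20:25:21 +0200] "POST /wp-content/upgrade/2012/xmlrpc.php HTTP/1.1" 200 4324 "-" "Apache XML RPC 3.1.3 (Sun HTTP Transport)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def wp_install_root(path):
    """Directory containing the WordPress entry point hit by this path, or None."""
    m = WP_ENTRY_RE.match(path)
    return m.group("root") if m else None


def find_rogue_activity(lines, known_roots=("/",)):
    """Per-IP summary of hits on WordPress entry points outside the known install roots."""
    rogue = defaultdict(lambda: {"roots": set(), "hits": 0, "xmlrpc_client": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        root = wp_install_root(rec["path"])
        if root is None or root in known_roots:
            continue  # not a WP entry point, or the legitimate blog
        entry = rogue[rec["ip"]]
        entry["roots"].add(root)
        entry["hits"] += 1
        if XMLRPC_CLIENT_UA.search(rec["ua"]):
            entry["xmlrpc_client"] = True
    return dict(rogue)


def demo():
    """Run the detector over the constructed sample log."""
    return find_rogue_activity(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ip, info in find_rogue_activity(source).items():
        tag = "xmlrpc client" if info["xmlrpc_client"] else ""
        print(ip, sorted(info["roots"]), info["hits"], tag)
```

Pipe a real log through it (`python3 rogue_wp.py < access.log`) and pass every legitimate install directory in known_roots if the site hosts more than one WordPress; each reported root is a directory to inspect and each reported IP is one to block.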

Black hat SEO scheme

With various modifications, this particular campaign has been active for at least a year now. However, most of the “slimming” blogs described here were created in March 2012.

So far I have found such doorway blogs on about 3,000 hacked sites with unique domain names. There are usually 1 to 4 doorway blogs on each domain, each promoting a different online store.

Directory listing with three doorway blogs

Here’s an incomplete list of the promoted sites:

  • slimming-capsules .com
  • slimming2012 .com
  • 361slim .com
  • botanicalslimworld .com
  • discount-luxury-sotre .com
  • cheap-luxury-shop .com
  • 0bags .com
  • cheap-luxury-store .info
  • brandhandbagsonline .com

Each blog (created in March) has 200-500 posts, which adds up to roughly a million doorway pages targeting all sorts of keyword combinations on the “diet pills” and “luxury” topics.

The posts are keyword-rich gibberish with cross-links to doorway blogs on other domains.

Typical spammy blog post

Their only purpose is to get indexed by search engines so that the doorways rank well for the targeted keywords. Apparently this works quite well: I can see many doorways on the first page of Google search results for most of the searches I checked (three words or more), e.g. [buy meizitang in dallas], [botanical slimming capsule australia], [Givenchy Outlet in Abu Dhabi UAE], [buy cheap Fendi Boston].

A few days ago I reported those blogs to Google, and many of them have already been removed from the index. I hope Google will figure out a way to detect such blogs itself and stop indexing doorways in the first place, leaving spammers less incentive to hack legitimate sites.

Chinese trace

Unlike the black hat SEO campaigns I have blogged about before, this one has strong Chinese traces. It promotes sites that sell Chinese goods and belong to Chinese operators. For example, all the “slimming” and “fake luxury” sites list the same Western Union payment recipient:

Western Union payment information

Moreover, the doorways use a counter script from the Chinese 51.la service, the unzip scripts found on hacked sites have a Chinese user interface, and the IP addresses of the people who logged into the WordPress admin interface of the doorway blogs are Chinese too (e.g. 218.29.97.165).

Phishing

It is also worth noting that the cyber criminals don’t use these hacked sites only for black hat SEO; they also place phishing files there.

For example, this HSBC phishing form was found under wp-content/plugins/akismet/ (in subdirectories with names like 0nl, ama, atu, b4t, etc.)

HSBC phishing form

The phishing files are:

  • index.php – generates an authentic-looking query string and redirects to hsbcstart.php
  • hsbcstart.php – mimics a login screen and asks you to enter your user ID, then redirects to continue.php
  • continue.php – asks for your personal and account details (including your credit card number and its PIN code)
  • last.php – sends the entered details to the following email addresses: newforuk@gmail.com and halisanta1@gmail.com, then redirects to the real HSBC home page

If you have ever considered buying something from online stores that sell fake goods, generic pills or pirated software, think again. Now you know that you would be buying from the same people who try to steal your banking details. All their assurances that “the safety of your personal information is extremely important to them”, along with fake “Better Business Bureau” and fake security seals, are just tricks to lull you while you are being robbed.

To webmasters

Your site, no matter how big or small, is a valuable resource for cyber criminals. As you can see, they can host doorways and phishing pages on it, and these are only two of many site abuse scenarios. Be prepared to protect your site and check it regularly for security issues.

  • Choose strong passwords for your web applications (blogs, CMS, forums, etc.) and don’t use default names such as “admin” for application administrators.
  • Monitor changes in your server file system. Hackers like deep subdirectories because many webmasters never check what happens there.
  • Regularly check the output of Google’s [ site:your-domain-here.com ] search. You might find that Google has indexed pages that should not belong to your site.
  • You will also find very useful reports in the Traffic section of Google Webmaster Tools. Unlike Google Analytics, Webmaster Tools reports cover all site pages, not only pages carrying your tracking code, which matters because hackers won’t install your GA tracking code in their doorways.
    • Search Queries – you can spot queries irrelevant to your site.
    • Links to Your Site – you can find suspicious incoming links here.
    • Internal Links – this report can help reveal rogue sections of your site.
  • Don’t forget about raw access logs; they are your best friends if things go bad. Even if you don’t know how to work with logs, you can find a professional who can use them to identify malicious files and security holes on your server so that you can clean it up and harden it properly. Log analysis can also help reveal “alien” sections and pages on your site.
    On many shared hosts access logs are disabled, so check now whether they are enabled for your site. (In cPanel you will find this setting under Logs -> Raw Access Logs.)
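“Monitor changes in your server file system” is the one item above that is easy to automate. The script below is an added example (my code, not the original post’s): it records a SHA-256 manifest of every file under a web root, saves it as JSON, and on the next run reports files that appeared, changed or disappeared, which is exactly what a doorway install under wp-content/upgrade/ or an edited Akismet file would show up as. The scenario in demo() is constructed in a temporary directory; the “injected line” stands in for a real backdoor.

```python
"""Baseline-and-compare integrity check for a web root (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(old, new):
    """Files added, removed or modified between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_manifest(manifest, path):
    """Persist a manifest as JSON; keep this file outside the web root."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    """Load a manifest written by save_manifest()."""
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: a clean site, then a doorway install and a backdoored plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content/plugins/akismet").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // site config\n")
        (root / "readme.html").write_text("<html>WordPress readme</html>\n")
        (root / "wp-content/plugins/akismet/akismet.php").write_text("<?php // plugin\n")
        baseline_path = Path(tmp) / "manifest.json"  # stored beside, not inside, the web root
        save_manifest(build_manifest(root), baseline_path)

        # Simulated compromise: plugin edited, doorway install added, a file removed.
        (root / "wp-content/plugins/akismet/akismet.php").write_text("<?php // plugin\n// injected line\n")
        (root / "wp-content/upgrade/new").mkdir(parents=True)
        (root / "wp-content/upgrade/new/wp-config.php").write_text("<?php // rogue config\n")
        (root / "readme.html").unlink()

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest() once after a known-clean install or update and save the result; a daily cron job that runs diff_manifests() against the saved file and mails any non-empty result is enough to catch the subdirectories listed earlier within a day instead of months. Refresh the baseline after every legitimate update, and keep the manifest file where the web server cannot write to it.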

Your comments and additional information are welcome.


Reader's Comments (8)

  1. |

    Lately I also came across several hacked WordPress blogs, mainly infected with Phishing malware. After deleting the malware in subdirectories I noticed that the malware re-installed itself pretty fast.

    Now I delete the malware, change the administrator password and place a limit on the login attempts (combined with an IP block). For this I simply install the plugin [Limit Login Attempts].

    • |

      The Limit Login Attempts plugin is definitely a great one to use. Once you start using it, you will get to see how often your site is under attack.

  2. |

    [...] And a Flashback malware was, in part, distributed by putrescent WordPress blogs. An essay on a Unmask Parasites blog looks during a techniques that cyber-criminals use to taint web [...]

  3. |

    Nice summary. Interesting I haven’t run into this particular hack in my day to day clean up work. This is far more advanced than most of the compromised sites I’ve been seeing this month.

    Just an add to your notes. FTP login logs are likewise big-time important. While many of the lower-end hosts don’t provide FTP log access, if you are nice, many will go digging and pull them for you. Knowing whether your site was hacked via a stolen password (FTP logs will help), as opposed to a bad plugin or a poor dashboard password, can make all the difference in regard to what security strategies to recommend to the business owners of the website.

    Enjoy,
    Jim Walker, The Hack Repair Guy

    • |

      Good point Jim!

      If webmasters really want to know how exactly their sites were compromised and what can prevent reinfections, they should be able to analyze both web server and FTP logs. Any other types of logs can help too (for example there are WP plugins that log WordPress user activity). Logs provide strong evidence and remove guesswork.

  4. |

    I guess that explains a lot of the spam comments I was talking about on my blog yesterday (http://www.temafrank.com/2012/05/dont-let-your-blog-become-victim.html).

    No wonder small businesses are scared to build an online presence!

  5. |

    I recently had a large multisite installation hacked and repeated phishing scam type pages there, resulting in numerous alerts from my host and domain registrar. People don’t realise just how serious being hacked like this can be: it can definitely bring your site down.
    I had a server admin and WordPress security expert clean the site, and changed the passwords, MySQL and cPanel login details.
    Total nightmare!
    Now I’ve got security plugins installed in WordPress and cPanel; it’s amazing just how many hack attempts you see, most of them from China.

  6. |

    [...] of his argument was that a WordPress system can be hacked using the technique described in the post contained in this article. So where is the fatal flaw?  Apparently if a user creates an insecure password, the system can be [...]