In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.
This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/” -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6-digit number as a subdomain name. I decided to find out what was going on.
Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/”, followed by a site with a random 6-digit number as a subdomain name (e.g. http://www. 524045. secki .info/).
I decided to follow the redirects and find out where they led. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things webmasters should know about this exploit.