Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) and redirected visitors to scareware websites. This hack mainly affected sites hosted on the Servage network.
Recently I was contacted by one of Servage's clients who found his sites hacked:
I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.
He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.
The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.
This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Oct 13, 2009
Google adds 2 new tools to GWT: “Fetch as Googlebot” & “Malware Details” – they help locate sources of security problems
Oct 15, 2009
Oct 17, 2009
Do you accept ads on your website? Make sure they are not malicious. Google Anti-Malware team on malvertising.
If you want more real-time experience, you can follow @unmaskparasites on Twitter.
A couple of days ago I posted my research on hacked high-ranking sites that spammers used to promote online stores selling pirated software.
Now you’ll see an amusing (and at the same time sad) illustration of the issue.
In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.
I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this problem.
I’ve recently blogged about how hackers redirect Googlebot from legitimate sites to malware sites. In the update, I mentioned a real site that had been hacked and lost both PageRank and top positions in Google search results.
The owner of that site sent me a very insightful email and gave me permission to publish it here:
In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.
This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/” -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always had a random 6-digit number as a subdomain name. I decided to find out what was going on.
Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed by a site with a random 6-digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).
I decided to follow the redirects and find out where they led. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things webmasters should know about this exploit.