Internals of Rogue Blogs
Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.
Recently I’ve been contacted by one of Servage clients who found his sites hacked:
I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.
He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
Continue »»
Bety.php Hack. Part 2. Black Hats in Action.
This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.
The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.
This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.
Quick facts
- The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
- Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.
Tweet Week: Oct 12-18, 2009
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Oct 13, 2009
Google adds 2 new tools to GWT: “Fetch as Googlebot” & “Malware Details” - they help locate sources of security problems
Oct 15, 2009
Retweeting @gcluley: Microsoft user? Adobe user? Update your systems now
Oct 17, 2009
Do you accept ads on your website? Make sure they are not malicious. Google Anti-Malware team on malvertising.
If you want more real-time experience, you can follow @unmaskparasites on Twitter.
Similar posts:
Anti-Pirates Unknowingly Promote Pirates
A couple of days ago I posted my research on hacked high-ranking sites that spammers used to promote online stores selling pirated software.
Now you’ll see an amusing (and at the same time sad) illustration of the issue.
Continue »»
“Cheap Vista” or Cloaked Spam on High-Profile Sites
In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.
I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»
Stats Anomaly Reveals Website Security Issues.
I’ve recently blogged about how hackers redirect Googlebot from legitimate sites to malware sites. In the update, I mentioned a real site that had been hacked and lost both PageRank and top positions in Google search results.
The owner of that site sent me a very insightful email and gave me permission to publish it here: Continue »»
Black Hat SEO for Virus Dissemination.
In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.
This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/” -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name. I decided to find out what was going on. Continue »»
Exploit Redirects Googlebot to Malware Sites (Bablo me uk).
Some time ago I noticed a few sites with a suspicious chain of redirects that always started with “http://bablo .me .uk/” followed with a site with a random 6 digit number as a sub-domain name (e.g. http://www. 524045. secki .info/).
I decided to follow the redirects and find out where they lead to. What I found was a server hosting hundreds of sites optimized for trojan dissemination. I’ll blog about my investigation later. Now let’s talk about the things web masters should know about this exploit.
Symptoms
- PHP-dirven site. (Especially Joomla-driven)
- Problems with having web site properly indexed by Google. Some pages don’t get indexed, some pages disappear from the index. If not – it’s only a matter of time.
- When checking web pages in Unmask Parasites, there is a chain of two 301 redirects reported and the first redirect points to “http://bablo .me .uk/”. However when opening the same pages in a browser, no redirection occurs (even when clicking on Google search results.)
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
