Bety.php Hack. Part 2. Black Hats in Action.
This is the second article about the hacker attack against osCommerce-powered sites. In the first part, you can find the description of the attack along with detection and clean-up instructions. Now I want to show you what exactly hackers did and how they managed to poison Google search results.
The main goal is to demystify hackers and encourage webmasters to explore their own sites. The more you know about hackers, the better you’ll be at protecting your site against their attacks.
This post is based on the files and access logs of three compromised sites that I received from a webmaster who contacted me a couple of weeks ago.
Quick facts
- The attack uses unpatched vulnerability in osCommerce 2.2 that allows an attacker to upload arbitrary files to compromised servers using a security hole in file_manager.php.
- Only one of the three sites actually uses osCommerse (site-1).The rest two sites had been hacked using access gained via the hacked site-1.
Rogue blogs redirect search traffic to bogus AV sites. Part 2.
This is the second part of the post about rogue blogs installed into subdirectories of hacked legitimate websites. The first part talked about how those blogs redirect search engine traffic to scareware sites. In this part I will talk about the whole black hat campaign, its evolution and its strange connection with Servage hosting provider.
Generations of rogue blogs
In the Cyveillance blog, they mentioned two types of rogue blogs with “bsblog” and “bmsblog” strings in the URLs. Having played with Google searches, I discovered some more versions:
- bmblog. allinurl:bmblog/category search returns 281 000 results
- mdblog. allinurl:mdblog/category returns 1 880 results
- and generic blog (with specific categories).
So what do those strings mean? A quick analysis of the blogs’ content suggests that “blog“, “bmblog”, “bsblog“, “bmsblog” and “mdblog” strings in blog addresses correspond to different generations of this black hat campaign.
Here is the timeline »»
Rogue blogs redirect search traffic to bogus AV sites. Part 1.
As I tweeted a few days ago, I gathered a lot of interesting information about this case. So to make the post readable, I’ve broken it down into two parts. The first part is about how rogue blogs work, and the second part is about different generations of this black hat campaign and about the connection with Servage hosting provider.
A few days ago, I stumbled upon a great post where guys from Cyveillance blog wrote about a massive Google search results poisoning. Well worth reading.
Here is a brief summary of their post followed by my own findings »»
“Cheap Vista” or Cloaked Spam on High-Profile Sites
In this post, I’ll show how cybercriminals used hacked high-profile sites to drive search traffic to online stores that sell pirated copies of popular software and, presumably, steal credit card details.
I’ve been watching this sort of search spam for more than a year now. And after this post in Google’s Webmaster Help forum, I decided to take a closer look at this this problem.
Continue »»
Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects.
I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.
I discovered this attack when checked Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script so I decided to investigate this issue. The investigation is not complete yet but I think the information I’ve already collected will be useful for owners of compromised web sites. And I hope the missing parts will be added by you, the readers. Update ( July 27, 2009) : the comments are really very informative. make sure to read them.
Continue »»
Using Wget to Detect Hijacked Search Engine Traffic
Some time ago I had a series of post about the .htaccess exploit that redirected search engine traffic to bogus Antivirus sites.
This sort of exploit is still very wide-spread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and sites mentioned on Google’s Safe Browsing Diagnostic pages have absolutely nothing to do with their site’s content.
Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:
Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.
When I see multiple antivirus-related domain names in the diagnostics, I almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still I need to verify my guess.
Continue »»
Antivirus 360 redirection exploit
This is a new post in the series about the Antivirus 2009 .htaccess exploit. I want to share some new information on the topic.
Unmasking the Antivirus 2009 .htaccess Exploit.
In the previous post I described the symptoms of the Antivirus 2009 .htaccess exploit, how to detect it and get rid of it.
This time I’m going to further unmask this exploit and show how it works.
Bogus Antivirus 2009 .htaccess Exploit.
Let’s start with the most “popular” exploit of the last week.
I’ve seen dozens of messages all over the web (WordPress forums, BadwareBusters.org, StopBadware discussion group, etc) regarding compromised web sites and why Google blocked them. When I checked them with Unmask Parasites, their reports looked pretty much the same: no title and a chain of four redirects. All those sites were hit by the bogus Antivirus 2009 .htaccess exploit.
Symptoms
- Abrupt decrease of search engine traffic. Almost to zero. – always
- People complain that when they visit your site, it says their computer is infected with spyware and forces them to install Antivirus 2009, but when you open the site yourself, you don’t see anything suspicious. - if your site visitors care enough to complain
- Warnings in google search results that visiting your site may harm a computer. – only if Google has already detected the exploit. This may be a sign of some other exploit as well.
- Firefox 3 and Google Chrome browsers wouldn’t let anyone visit your site and warn web surfers that your site is an “attack site”. – only if Google (Firefox uses Google’s base) has already detected the exploit. This may be a sign of some other exploit as well.
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
