More About the Rogue Image Blogs on Servage Network…
This is the fifth article in the series about rogue blogs created by hackers inside legitimate websites of Servage clients. Millions of malicious web pages has seriously poisoned Google search results, redirecting visitors to scareware sites. You might want to read the previous posts first:
- Hackers Abuse Servage Hosting to Poison Google Image Search (April 28, 2010)
- Internals of Rogue Blogs (March 17, 2010)
- Rogue blogs redirect search traffic to bogus AV sites. Part 2 (November 27, 2009)
- Rogue blogs regirect search traffic to bogus AV sites. Part 1 (November 26, 2009)
In this post, I’ll describe how the new generation of rogue blogs works.
Continue »»
Tweet Week: April 26 – May 2, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Reviews of security tools, web spam and poisoned Image search results »»
Hackers Abuse Servage Hosting to Poison Google Image Search
Two weeks ago I blogged about serious security problems of Network Solutions‘ shared hosting service. This time I’ll turn to another big shared hosting provider – Servage.
It’s not the first time I write about Servage. Actually this will be the 4th article in the series about rogue blogs on Servage network. It all started in November when I wrote about malicious blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. In the second article, I showed the history of those rogue blogs (the first generation have dates in April of 2009) and how most of them (90%+) were found on Servage network. In the third article, I wrote about the internals of those rogue blogs and their malicious features.
A few days ago I found a new generation of rogue blogs on Servage network.
Here are the details …
Internals of Rogue Blogs
Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.
Recently I’ve been contacted by one of Servage clients who found his sites hacked:
I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.
He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.
Continue »»
Tweet Week: Feb 15-21, 2010
Selected short messages and links you might have missed if you don’t follow me on Twitter.
Gumblar zombies, StopBadware reports, WordPress updates … »»
Rogue blogs redirect search traffic to bogus AV sites. Part 2.
This is the second part of the post about rogue blogs installed into subdirectories of hacked legitimate websites. The first part talked about how those blogs redirect search engine traffic to scareware sites. In this part I will talk about the whole black hat campaign, its evolution and its strange connection with Servage hosting provider.
Generations of rogue blogs
In the Cyveillance blog, they mentioned two types of rogue blogs with “bsblog” and “bmsblog” strings in the URLs. Having played with Google searches, I discovered some more versions:
- bmblog. allinurl:bmblog/category search returns 281 000 results
- mdblog. allinurl:mdblog/category returns 1 880 results
- and generic blog (with specific categories).
So what do those strings mean? A quick analysis of the blogs’ content suggests that “blog“, “bmblog”, “bsblog“, “bmsblog” and “mdblog” strings in blog addresses correspond to different generations of this black hat campaign.
Here is the timeline »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
