Archive for the 'Redirects' Category

Spam on mac.com

Friday, September 28th, 2007

This is weird…

I was checking my logs for weird patterns, and found that spammers search my wiki. A lot. And since search doesn’t work, it’s weird. What they search for is spam: one pattern is to search for phentermine and similar, and another is to search for specific URLs that spammers have tried to insert as spam - I assume.

One such URL led to mac.com:

idisk.mac.com/mysharon/Public/narutoporn.html

I harvested the page, removed the redirect javascript, and loaded it. The page looks like a Blogger blog post. The “About me” page is greyed out, as is any other typical blogger system link - or removed altogether.

So, how did a spampage get on a Mac site? I don’t find ANY reference to idisk.mac.com except with the directory mysharon.

Could someone who knows how to get Apple’s attention please notify them?

Incidentally, the spammer that searches for lots of URLs tends to use this malformed user agent:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Might be the same bunch (or someone using the same software) that are churning out comment spam from this IP on Inhoster: 85.255.117.226
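As an added illustration (not code from the post), here is a small Python log scanner that picks out the two things described above when run over a handful of constructed Apache-style log lines: wiki searches for spam terms or for URLs, and the malformed User-Agent with unbalanced parentheses. Only the quoted User-Agent and the Inhoster IP come from the post; the other addresses, the wiki’s `search` query parameter and the spam-term list are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample in Apache combined-log format. The User-Agent on the first
# two lines and the IP 85.255.117.226 are the ones quoted in the post; everything
# else (timestamps, other clients, documentation-range IPs) is made up.
SAMPLE_LOG = """\
85.255.117.226 - - [28/Sep/2007:10:01:12 +0200] "GET /wiki/index.php?search=phentermine HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.255.117.226 - - [28/Sep/2007:10:01:13 +0200] "GET /wiki/index.php?search=idisk.mac.com%2Fmysharon%2FPublic%2Fnarutoporn.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [28/Sep/2007:10:02:00 +0200] "GET /wiki/index.php?search=recent+changes HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
192.0.2.11 - - [28/Sep/2007:10:03:30 +0200] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 8192 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SPAM_TERMS = ("phentermine", "xanax")  # terms named in these posts; extend as needed
URLISH_RE = re.compile(r'^(https?://)?[a-z0-9.-]+\.[a-z]{2,}/\S*', re.I)


def is_malformed_ua(ua):
    """A second '(compatible;' nested inside the first, or unbalanced
    parentheses, marks a hand-assembled User-Agent like the one quoted above."""
    nested = ua.count("(compatible;") > 1
    return nested or ua.count("(") != ua.count(")")


def classify_search(target):
    """Return a reason string if the wiki search term looks like spam probing, else None."""
    qs = parse_qs(urlparse(target).query)
    term = qs.get("search", [""])[0].lower()  # 'search' is the assumed wiki query key
    if not term:
        return None
    if any(t in term for t in SPAM_TERMS):
        return f"spam term in search: {term!r}"
    if URLISH_RE.match(term):
        return f"URL used as search term: {term!r}"
    return None


def analyse(log_text):
    """Return one finding per log line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined-log format; skip rather than guess
        reasons = []
        if is_malformed_ua(m["ua"]):
            reasons.append("malformed User-Agent")
        reason = classify_search(m["target"])
        if reason:
            reasons.append(reason)
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ip"], f["target"], "; ".join(f["reasons"]))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the parenthesis check is deliberately crude, so treat a hit as something to look at, not as proof.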

A domain on that server seen in spam is this one: willywonka.co.in

Whois:

Registrant Name: Nick Priest
Registrant Organization: IQ inc.
Registrant Street1: Pr. Pobedy 102
Registrant City: Kiev
Registrant Postal Code: 05033
Registrant Country: UA
Registrant Phone: +93.456474776
Registrant Email: lustiq@p5com.com

I found 20 more domains on there (.com and .org, probably more domains with other tld’s), and they were very similar. Spot checks revealed they all belong to the same person, though he sometimes uses a Buenos Aires address. I’ve mentioned this guy before.

Hacked B2evolution

Saturday, April 21st, 2007

I got some spam on a forum that appeared to be for a hacked website. It turned out to be a blog community running a modified B2evolution. The spammers had hacked index.php, and made redirects by using URLs along this pattern: index.php?xanax#3

That particular website has been notified, and has removed the hacked code.

I haven’t found any other websites compromised that same way, but that doesn’t mean there’s nothing like it out there.

Fixing hacked sites

Tuesday, September 26th, 2006

There’s been a lot of hacked sites lately. Sites hacked by or for spammers, who use other people’s websites to serve up their spammy content.

The websites may have been hacked using many different techniques, so I won’t get into ways they could have been hacked here.

However, I’ll cover what you need to do. Maybe others can think of other things you should do as well (comments).

First of all, look over the site. Look for php files that shouldn’t be there. It’s helpful to have a fairly recent backup to compare with. Download and save (via ftp or a control panel or file explorer) the php files you don’t recognize. I’d love to see samples of the php files too, in order to track the spammers through the code, if you’re OK with that.

Notify your webhost. Ask them if maybe the hackers have used a hack that compromised other websites. Some hacks are “per site”, others are per server.

There are different techniques used by spammers when they hack sites. Some use php files, some use ordinary html files. Download and save any files uploaded by spammers, then remove them. Also be aware that one site owner reported that the spammers had deleted several thousand images to have room for their spammy files.

Erase ALL files from the website, if possible. If not, remove the files you don’t recognize. Reload files from a backup. Leave the databases as is. We haven’t seen any cases of altered databases so far. If you use php scripts on your site, be sure to upgrade to the newest version while restoring the site. Old php scripts may have gotten you hacked. Also review any problematic security settings on your host, pertaining to your scripts.

Check the .htaccess file for code that shouldn’t be there. Here’s one example for reference.

Change all passwords.

Download raw logs and store if possible.
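The first step above, comparing the live site against a recent backup, is the one that finds altered and alien files. As an added example (not code from the post), the Python below hashes both trees, lists what was added, deleted or modified, and puts script-like files and .htaccess at the top of the review list. The two directory trees it compares are constructed in a temp directory to mirror the cases reported in these posts (altered root index.php, a php file dropped into an existing images directory, an image deleted); the file names and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".html", ".htm"}  # extensions worth reading first


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    digests = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Diff a known-good backup against the live site by content hash."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    added = sorted(set(live) - set(backup))
    deleted = sorted(set(backup) - set(live))
    modified = sorted(p for p in set(backup) & set(live) if backup[p] != live[p])

    def risky(paths):
        # .htaccess has no suffix in pathlib terms, so match it by name
        return [p for p in paths
                if Path(p).suffix.lower() in SCRIPT_EXT or Path(p).name == ".htaccess"]

    return {"added": added, "deleted": deleted, "modified": modified,
            "review_first": risky(added) + risky(modified)}


def build_sample(base):
    """Constructed example trees: a clean backup and a 'live' copy showing the
    kinds of changes described in these posts. Not a real site."""
    files_backup = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "about.html": "<html>about</html>\n",
        "images/logo.png": "PNGDATA\n",
        "images/photo1.jpg": "JPGDATA\n",
    }
    files_live = dict(files_backup)
    files_live["index.php"] = "<?php /* altered */ echo 'hello'; ?>\n"  # root index.php changed
    files_live["images/x1.php"] = "<?php /* alien file */ ?>\n"         # dropped into an existing dir
    del files_live["images/photo1.jpg"]                                  # image removed to make room
    for name, content in (("backup", files_backup), ("live", files_live)):
        for rel, text in content.items():
            p = Path(base, name, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    return Path(base, "backup"), Path(base, "live")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_sample(tmp)
        return compare_trees(backup, live)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

For a real incident, point `compare_trees` at the unpacked backup and a fresh download of the live document root; keep the downloaded copy untouched so the samples can be handed to whoever is tracing the spammer.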

Cpanel flaw used for malware redirects

Sunday, September 24th, 2006

According to Netcraft, HostGator’s servers were compromised due to a 0-day cpanel exploit. Iframes redirected to a site serving up VML exploits to unlucky surfers.

Hostgator says they’ve fixed it, and there’s a fix on cpanel’s website. But any webhost that hasn’t fixed cpanel, and has an account under control of a bad guy with the exploit - is a sitting duck.

Andrey Kanevsky

Friday, September 22nd, 2006

The hackings have started up again. I’ve found files with dates from September 18. And with spam comments from today.

I’ve followed one trail “home”. It ends up here:

Best Line, Inc.          admin@americaru.com
Kanevsky, Andrey
267 McClean Ave., Side apt.
Staten Island, NY 10305
US
718-521-4842  Fax:

I’ll explain how I got there.

The hacked file I found on a British webservices firm had a redirect going to mx-medicl.com. That domain had a whois which included the e-mail address enot_terra@yahoo.com. That address was created in 2001. The address can be found all over the web, as the writer of those typical free articles used for anything under the sun. The author was Kevin Whales.

The domains he says he owns while writing those articles have whois saying they belong to Andrey Kaminsky. He also writes the same type of articles, even on the same topics. He even has his own website for articles on VoIP.

There’s also a link to Asiawood. That domain was connected to several of the hackings I ascribed to him.

I don’t know if they’re hacking in a team, if one is piggy-backing on the other’s work, or how this actually happens. But what I do know is that mx-medicl.com is getting traffic through illegal means.

hacked .htaccess

Thursday, September 21st, 2006

The owner of a hacked website sent me information on the hacktool (more on that later, maybe) used to turn his website into a spammy one - without his knowledge.

I downloaded his .htaccess file, and found the following code:

htaccess

Basically, it makes a redirect to the bad site, if you come in from any of these search engines.

Please check your .htaccess file for foreign code!
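The pattern described here (a redirect that only fires when the visitor arrives from a search engine) and the .htaccess check recommended in the “Fixing hacked sites” post above can both be automated. As an added example (not the file from the post, whose contents are not reproduced here), the Python below reads an .htaccess, pairs each `RewriteCond` with the `RewriteRule` it governs, and reports any rule or `Redirect` whose target is an absolute URL on a host you do not own, rating it higher when the condition keys on the referer or user agent. The sample .htaccess is constructed, and `spam-landing.invalid` is a placeholder host.

```python
import re

# Constructed sample: a normal front-controller rule, then the referer-keyed
# redirect pattern described above, then a plain external Redirect. Not a real file.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]

RewriteCond %{HTTP_REFERER} (google|yahoo|msn|live)\\. [NC]
RewriteRule .* http://spam-landing.invalid/ [R,L]

Redirect 301 /old-page.html http://spam-landing.invalid/other
"""

EXTERNAL_RE = re.compile(r'^https?://([^/\s]+)', re.I)
CLIENT_VAR_RE = re.compile(r'%\{HTTP_(REFERER|USER_AGENT)\}', re.I)


def audit_htaccess(text, own_hosts):
    """Return findings for redirects leaving the site. own_hosts is the set of
    hostnames (lowercase) the site legitimately serves or redirects to."""
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(line)  # conditions apply to the next RewriteRule only
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch", "redirectpermanent", "redirecttemp"):
            target = parts[-1]
        if target is not None:
            m = EXTERNAL_RE.match(target)
            if m and m.group(1).lower() not in own_hosts:
                conds = list(pending)
                keyed_on_client = any(CLIENT_VAR_RE.search(c) for c in conds)
                findings.append({
                    "line": lineno,
                    "directive": line,
                    "target_host": m.group(1),
                    "conditions": conds,
                    "severity": "high" if keyed_on_client else "medium",
                })
        if directive == "rewriterule":
            pending = []
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, {"www.example.org"}):
        print(f"line {f['line']} [{f['severity']}] -> {f['target_host']}: {f['directive']}")
        for c in f["conditions"]:
            print("    under:", c)
```

A referer- or user-agent-conditioned external redirect is the signature to look for: the site owner never sees it when browsing directly, which is exactly why it went unnoticed here.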

Throwing suspicion on Microsoft

Thursday, September 14th, 2006

I was tracing a spammer who used plone redirect pages (isn’t every other spammer these days?).

When I found the redirect code, it had this URL in it:

http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336

I knew that domain belonged to Microsoft, and I’d already established that the redirect never went anywhere near Microsoft land, so what’s up?

Turns out the javascript throws away everything before the ? and then deobfuscates the numbers. So watch out for redirects that frame innocent domains!
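The lesson above is that the hostname in a redirect URL can be a decoy while the real destination lives in the query string. As an added example (not the spammer’s script, which is not reproduced here), the Python below pulls URL literals out of a piece of script source and flags any whose query string is a bare hex blob with no key=value structure, which is the shape the live.com URL above has. The surrounding script lines and the other URLs are constructed; only the live.com URL comes from the post. The decoding scheme itself depends on the particular script and is not shown.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'''https?://[^\s"'<>)]+''')
HEX_BLOB_RE = re.compile(r'^[0-9A-Fa-f]{16,}$')

# Constructed redirect-script fragment. Only the live.com URL is from the post;
# the other two are ordinary-looking URLs on documentation domains.
SAMPLE_SCRIPT = """\
var a = "http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164B464336";
var b = "https://www.example.org/search?q=plone&page=2";
var c = "http://cdn.example.net/static/app.js";
"""


def classify_url(url):
    """Label a URL as 'decoy' when its query is one long hex token and carries
    no parameters: the host is then likely irrelevant to where the user ends up."""
    parts = urlsplit(url)
    query = parts.query
    if "=" not in query and HEX_BLOB_RE.match(query):
        return "decoy: query is a bare hex blob, host may be irrelevant"
    return "ordinary"


def scan_script(source):
    """Return (url, label) for every URL literal found in the source text."""
    return [(u, classify_url(u)) for u in URL_RE.findall(source)]


if __name__ == "__main__":
    for url, label in scan_script(SAMPLE_SCRIPT):
        print(label, "<-", url)
```

When a flagged URL turns up, trace the script’s handling of `location.search` or the equivalent rather than trusting the hostname; that is what distinguished this redirect from a genuine Microsoft link.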

Just to finish what I started:

The redirect is on doorgen.com, and it redirects to canadianpharmanetwork and torontodrugstore, affiliate number 2025.

Here’s the whois:

Seicha Alok Sight (support@doorgen.com)
140-18 rue des Fontinettes
Pas-de-Calais
Pas-de-Calais,62100
FR
Tel. +33.0610720912

This spammer is on 69.31.45.250 and 69.31.45.251 on Pilosoft.

Thanks to Dirk for figuring out the javascript.

Plone spam gets more attention

Thursday, September 14th, 2006

Found a link to this post on Digitalpoint:

Plone Exploit that Caused Search Engine Spam is Fixed

Interestingly, I never received any spam for carokee.com. I’ve received plenty of spam for plone pages, though.

Interesting domain name for the blog: spamspotter. But it’s a brand new blog, so we’ll see where they’re headed.

Scrimak knows

Saturday, September 9th, 2006

Looks like Scrimak knows we’re investigating him. He changed whois on at least two domains since yesterday. Right now he’s sporting this e-mail address: spmhuntress@mail.ru

You can see the whois progression on the Wiki page about Scrimak.

I guess we’ll find out if he’ll stop hacking or not.

Hacking confirmed?

Friday, September 8th, 2006

I’ve received copies of what appear to be files placed on a website without the owner’s knowledge. Presumably the site was hacked.

The spammer was Asiawood.

The code looks encrypted to me, so I’ll need some help in deciphering what it does.

Any takers?

Update: I’ve confirmed hacking from Scrimak as well. And I have code samples. There’s also a possible third and fourth hacker. Either that or the same spammers, different MO.

Several people have had a look at the code. One described it as quite sloppy. The spammer is using the PHP files to pull in files from his own site. The location of that file remains invisible until you figure out the code - which you can only do by looking at the raw code. Since webhosts don’t log outgoing connections, there are no signs in the logs except for the requests by visitors - you’d catch it by looking at the files requested.

One site owner compared what he found on the server with the files he had in his backup. He found even the root index.php had been altered. Some sites have alien files added in several directories - usually pre-existing directories.

I found two sites that looked like a default index page, except it had spammy links on it (probably added by the owner of the site - the domain name was spammy). The sites had also been hacked - serving up files belonging to someone else!
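Since the outbound fetch leaves no trace in the host’s logs, the raw PHP is the only place the spammer’s file location shows up. As an added example (not the code samples discussed in the post), the Python below does a first-pass static scan of PHP sources for the traits described here: an `eval` fed by a decoder chain, and remote fetches or includes of an http URL, whose host it extracts for you. The three PHP snippets are constructed, `spam-feed.invalid` is a placeholder host, and the base64 literal is an arbitrary placeholder rather than real packed code.

```python
import re

# Each pattern is one trait of the files described above. A real obfuscated file
# usually trips several at once; a hit on 'decoder' alone can be legitimate.
PATTERNS = {
    "eval": re.compile(r'''\beval\s*\('''),
    "decoder": re.compile(r'''\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('''),
    "remote_fetch": re.compile(
        r'''\b(include|include_once|require|require_once|file_get_contents|fopen|readfile|curl_init)'''
        r'''\s*\(\s*["']https?://''', re.I),
}
URL_RE = re.compile(r'''https?://[^\s"'<>()]+''')

# Constructed PHP snippets: one clean, one pulling content from a remote host,
# one wrapping an arbitrary placeholder string in a decode-then-eval chain.
SAMPLES = {
    "clean.php": '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>',
    "fetch.php": '<?php $c = file_get_contents("http://spam-feed.invalid/content.txt"); echo $c; ?>',
    "packed.php": '<?php eval(gzinflate(base64_decode("ZXhhbXBsZQ=="))); ?>',
}


def scan_php(source):
    """Return the indicators found, any remote URLs, and a verdict for one file."""
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(source))
    urls = URL_RE.findall(source)
    suspicious = "eval" in hits or "remote_fetch" in hits or len(hits) >= 2
    return {"indicators": hits, "remote_urls": urls, "suspicious": suspicious}


def scan_files(files):
    """Scan a mapping of file name -> PHP source and keep the per-file results."""
    return {name: scan_php(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, result in scan_files(SAMPLES).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {flag} {result['indicators']} {result['remote_urls']}")
```

Used together with the backup comparison from the “Fixing hacked sites” post, this narrows the list of files to read by hand; the hosts it extracts are the ones to report to the upstream provider.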