Archive for the 'Redirects' Category

Vizaweb and Asiawood

Friday, September 8th, 2006

I’m beginning to wonder if there’s a connection here.

I’ve so far found three sites hosted on Vizaweb that have files on them used by one particular spammer. One I’ve termed Asiawood, and described briefly before.

Two sites with read.php in subdirectories. Modified or uploaded just days ago:

wbpresbyterian.org
coasterdom.com (Update: Confirmed alien code not placed by site admin)
And one with a wp-read.php file:

paulinekilar.com

I’ve been unable to find any other wp-read.php files (so far), and none other spamvertized in Google.

So, what’s going on? Hacking? Deal made with the hosting company? Deal made with their customers?

Vizaweb has been hacked before, as have many other hosting companies. And we’ve had a recent slew of cPanel hackings. They have both cPanel and Fantastico on Vizaweb. If cPanel hasn’t been patched, I guess it’s possible? We’ve had some Turkish hackers spreading their propaganda, but a spammer would be better served with a less noticeable hack?

Just speculating here…

Update: I’ve since found the same spammer on other hosting companies. Two more seemingly hacked sites. One had three files used in spamming. Different file names, same spammer.

Cross scripting spammer

Thursday, September 7th, 2006

Disclaimer: I don’t know for sure that this is cross scripting. Could be done some other way. I’m just guessing, OK?

———

Update: I checked with someone who’s seen a lot of …stuff.

He says one of the cases I showed him (probably by a different spammer from the one I wrote about in the rest of this post) had to have been done by using a redirect in .htaccess, plus a script.

The URL in question was:

http://www.blogshub.com/help/1/didrex-online-rx.html

That URL is broken, because the spammer’s site no longer contains those files. It was rigged to call

http://www.blogshub.com/help/1/script.php

And no matter what file name you came in with, the script would send you to the corresponding file on ebestdrugs.com.

My source thinks the site owner made a deal with the spammer, while my hypothesis was that the site was hacked. Basically, we can’t tell from the outside.

———

I found a read.php script that appears to have been cross scripted. I tried a random keyword, and it returned the same spam as the URLs I found in Google (the owner of the site has been notified).

The script returned a redirect on this site: t3search.net
That then sent back a file from this site: search-vip.net
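The "random keyword" test above (and the catch-all script.php in the update, which sends you on no matter what file name you ask for) is the quickest way to tell a doorway redirect from a legitimate page: a real site has no page for a made-up name, a doorway redirects it anyway. Here is that check as a small Python probe. This is an added example, not code from the blog or from any of the sites named in it: the network is replaced by an injected `fetch` callable so it runs offline, the host names hacked.example and clean.example, the `q=` parameter and the paths are made up, and `fake_fetch` is a constructed stand-in modelled on the chain described in the post (script on the hacked site, then t3search.net, then search-vip.net).

```python
import random
import string
from urllib.parse import urljoin, urlsplit

# Added example, not the blog's own code. `fetch(url)` must return
# (status_code, headers_dict, body) WITHOUT following redirects; if you wrap
# urllib.request for real use, remember HTTPRedirectHandler follows them by
# default, and you want to see every hop yourself.


def random_keyword(rng, length=10):
    """A keyword no real page could be indexed under."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def follow_chain(url, fetch, max_hops=6):
    """Follow 3xx Location headers by hand and return every URL visited.
    chain[0] is the probed URL, chain[-1] is where a browser would land."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, _body = fetch(chain[-1])
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            break
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    return chain


def probe_catchall(build_url, fetch, samples=3, seed=None):
    """Request `samples` URLs built from random keywords. If every one of them
    redirects, all of them land on the same host, and that host is not the
    probed site, the script is a catch-all doorway redirect.
    Returns (is_catchall, chains)."""
    rng = random.Random(seed)
    probed_host = None
    final_hosts = set()
    chains = []
    for _ in range(samples):
        url = build_url(random_keyword(rng))
        probed_host = probed_host or urlsplit(url).hostname
        chain = follow_chain(url, fetch)
        chains.append(chain)
        final_hosts.add(urlsplit(chain[-1]).hostname)
    is_catchall = (
        len(final_hosts) == 1
        and probed_host not in final_hosts
        and all(len(c) > 1 for c in chains)
    )
    return is_catchall, chains


def fake_fetch(url):
    """Constructed stand-in for the network. t3search.net and search-vip.net
    are the hosts from the post; hacked.example, clean.example, the paths and
    the `q` parameter are invented for the example."""
    parts = urlsplit(url)
    if parts.hostname == "hacked.example" and parts.path.endswith("read.php"):
        # Any keyword at all gets bounced to the spammer's redirector.
        return 302, {"Location": "http://t3search.net/go.php?" + parts.query}, b""
    if parts.hostname == "t3search.net":
        return 302, {"Location": "http://search-vip.net/page.html"}, b""
    if parts.hostname == "search-vip.net":
        return 200, {"Content-Type": "text/html"}, b"<html>spam</html>"
    # A normal site: an unknown page simply 404s.
    return 404, {}, b""


if __name__ == "__main__":
    flagged, chains = probe_catchall(
        lambda kw: "http://hacked.example/contact/read.php?q=" + kw, fake_fetch, seed=1)
    for chain in chains:
        print(" -> ".join(chain))
    print("catch-all doorway:", flagged)
```

Three samples are enough in practice; what you are looking for is not the destination but the fact that the destination does not depend on the keyword. A `build_url` that appends `<keyword>.html` to a directory instead of a query string probes the .htaccess-rewrite variant from the update in the same way.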

The whois info seems fake, but contains this e-mail address: scrimak@mail.ru

Abates already had a story on that spammer.

I took the time to read the Russian traces the spammer had left behind. Turns out he sells doorway scripts and “spamilki”. In other words, spamming scripts. And his first name is Dimas, according to his ICQ page: 227922772

Payoff links are klik.php at 64.111.210.10

Church site has rogue file?

Thursday, September 7th, 2006

The website of the Western Boulevard Presbyterian Church in Raleigh has what appears to be a rogue file on it.

A file that was uploaded September 4, 2006:

http://wbpresbyterian.org/contact/read.php

I’ve received several pieces of comment spam referencing that file and certain keywords. When those keywords are attached, the file serves as a spammy redirect.

There’s no e-mail address available to notify the church, so I called them. Twice. The office administrator hung up on me. Twice. I have no idea what to think, except at the very least, her handling of the situation was very rude. I managed to explain the situation roughly, but didn’t get far enough to tell her what the file was.

I wasn’t planning on making this public, but the behavior I encountered was bizarre enough that I just have to get some answers.

Did she think I was crank calling? Did she know about it already? If so, why’s the file still there?

And did the spammers hack their site?

Here’s what I know about the spammers:

The spammers are using proxies instead of spambots.

The javascript redirect goes through this site:

more777.info

And it redirects to bettingcasinosite.com. Both sites have basically the same whois:

Registrant:
N/A
Michael (info@asiawood.ru)
Lenina, 6
Kurgan
null,640000
RU
Tel. +7.9128351001

Creation Date: 12-Aug-2006
Expiration Date: 12-Aug-2007

Domain servers in listed order:
ns2.bettingcasinosite.com
ns1.bettingcasinosite.com

I found that e-mail address elsewhere on the net, on a Russian business listing at http://wood.yondi.ru/inner_id_60400_c_firms_page_4.phtm (machine-translated with Babelfish, cleaned up here):
Export of construction lumber to Asian countries. Type of activity: wholesale trade. Price list. Address: 640022, Kurgan region, Kurgan, Polovinskaya ul., 10a. Tel.: (3522) 578302, fax: (3522) 578344, e-mail: info@asiawood.ru

The payoff links are go.php on 66.230.172.114

——–

Update: I found several sites with read.php used for spammy redirect. And a mention of a version of Phorum being vulnerable to cross site scripting. That might be what happened to that church - except what was that file doing there in the first place? It didn’t appear to be in use. So how was it found?

Trac ticket system susceptible to redirects

Thursday, September 7th, 2006

Trac 0.10b1 ticket system by Edgewall Software is susceptible to spammy redirects.

Check out this ticket (Update: The administrator removed the attachments) on the lighttpd site.

Two of the attachments are placed by spammers.

When ?format=raw is appended to the attachment URL, the redirects work. And that’s what the spammers spamvertize.

In this case, the spammers seem to use regular javascripts on another host to do the redirect.

The developers have been notified.

Check out the scope of the problem by using this Google search.

Spamfighter protection on redirects

Monday, September 4th, 2006

I’ve found a number of spam pages on Plone installations that include protection against spamfighters and other irate people.

Simply put, if you access the documents uploaded by the spammers directly, or not from a search engine link, you’re treated to a message that insists the page doesn’t exist.

It’s fake. Done by javascript.

There are still a lot of susceptible installations there. Go visit the Plone community NOW for an update, and block search engine spiders from your Member uploads directory by using robots.txt, now!

Other people discuss this:

Performancing

Plone-website list 

Block redirect code

Monday, September 4th, 2006

I just checked a random blogspot spam URL. It had a working redirect. And I realized several webservices could block by a pattern I recognized:

These are the character codes (decimal ASCII) for document.location:

100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110

Spammers usually change it, so it might look like this:

100!111!99!117!109!101!110!116!46!108!111!99!97!116!105!111!110!

Scan and block by that pattern, and you tag quite a lot of spam, but not all.
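A fixed pattern like "100, 111, 99, …" only catches one separator, and the spammer picks a new one whenever he likes. The scanner below, an added example and not code from the blog or from any web service mentioned in it, goes one step further than the post: it pulls out any run of eight or more two- or three-digit numbers, whatever character sits between them, decodes the run to text, and looks for document.location and friends in the result. The same scan also flags the Plone-style "fake 404" cloak from the post above, since that check has to read document.referrer somewhere in the page. The two sample pages are constructed for the example; more777.info is the redirector host from the church post.

```python
import re

# Added example, not the blog's code. Strings whose appearance, either plain or
# as a list of character codes, marks a page as a likely doorway. The first
# three are the redirect itself; document.referrer is the "fake 404 unless you
# came from a search engine" cloak.
SUSPECT_STRINGS = (
    "document.location",
    "window.location",
    "location.href",
    "document.referrer",
)

# A run of eight or more 2- or 3-digit numbers, neighbours separated by one or
# two non-alphanumeric characters. Matches "100, 111, 99, ..." as well as
# "100!111!99!..." and whatever separator a spammer swaps in next week.
CODE_RUN = re.compile(r"[0-9]{2,3}(?:[^0-9A-Za-z]{1,2}[0-9]{2,3}){7,}")


def decode_code_run(run):
    """Turn '100, 111, 99, ...' (any separator) back into the text it encodes."""
    return "".join(chr(int(n)) for n in re.findall(r"[0-9]{2,3}", run))


def scan_html(html):
    """Return a list of (how, string) findings: ('plain', s) when a suspect
    string appears verbatim, ('encoded', s) when it is hidden in a number run."""
    findings = []
    for s in SUSPECT_STRINGS:
        if s in html:
            findings.append(("plain", s))
    for match in CODE_RUN.finditer(html):
        decoded = decode_code_run(match.group(0))
        for s in SUSPECT_STRINGS:
            if s in decoded:
                findings.append(("encoded", s))
    return findings


# Constructed sample: the separator-swapped encoding from the post, rebuilt
# into "document.location" at run time and then assigned a spam URL.
SAMPLE_REDIRECT = """<html><body><script>
var c = "100!111!99!117!109!101!110!116!46!108!111!99!97!116!105!111!110!".split("!");
var t = ""; for (var i = 0; i < c.length; i++) if (c[i]) t += String.fromCharCode(c[i]);
eval(t + '="http://more777.info/"');
</script></body></html>"""

# Constructed sample: the Plone-style cloak. The 404 is drawn by the browser,
# so the HTML you fetch is identical whether or not you send a Referer header.
SAMPLE_CLOAK = """<html><body><script>
if (document.referrer.indexOf("google") < 0 && document.referrer.indexOf("yahoo") < 0) {
  document.body.innerHTML = "<h1>Not Found</h1><p>The requested URL was not found.</p>";
} else {
  document.location = "http://more777.info/";
}
</script></body></html>"""

# Constructed sample of an innocent page with a few numbers in it.
SAMPLE_CLEAN = "<p>Posted 2006-09-04, 3 comments, from 192.168.1.1</p>"


if __name__ == "__main__":
    for name, page in (("redirect", SAMPLE_REDIRECT), ("cloak", SAMPLE_CLOAK), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page))
```

Two caveats for anyone wiring this into a comment filter. Dates, IP addresses and version numbers never reach eight numbers in a row, so the run length is what keeps the false positives down; lower it and you will start tagging legitimate pages. And because the cloak is client-side JavaScript, fetching the page twice, once with a Google referer and once without, will show you the same bytes both times; you have to read the source, which is what this scan does.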

Plone susceptible to redirects

Saturday, September 2nd, 2006

I just got a comment spam from a spammer who uploaded a document to the Member section of a Plone installation.

The redirect didn’t work, but that particular installation had been spammed by several spammers, and I eventually found a redirect that did work.

I notified one of the main Plone developers. They told me they’d discovered the problem and fixed it several days ago. So those with a Plone installation can go get the fix. But I would still use robots.txt, just to avoid sloppy spammers…

If I had a Plone installation, I’d use robots.txt and make sure the member directories were off limits to search engines. Do that early enough, and the spammers will never bother you. Do it too late, and you still have to clean up every day until they move on. But at least the embarrassing stuff the spammers uploaded will fall out of the search engines after a short while, eh?