
Possible Breach on GoDaddy Hosting Servers (Windows Shared Hosting Accounts)


23 replies to this topic

#1 Mr. Rees

Posted 20 November 2014 - 02:03 AM

Admins please feel free to censor, move or remove if necessary.  

 

I feel this needs to be brought to the attention of our malware alert community. Today I discovered that my Windows Deluxe hosting account with GoDaddy was hacked on 11-17-14. The hack was basically full access to my directories, including all my subfolder directories that are aliases to the other sites I host. Every directory and subdirectory that contained HTM or HTML files was modified with a footer hyperlink block. What makes this even more interesting is that I am not alone. Doing some of my own legwork, being a former network admin, I realized by keyword Google search that there are numerous, perhaps hundreds if not more, domain names that reside on GoDaddy servers that are also hacked in the exact same circumstance that I am in. So I would assume that there is a common issue and quite possibly a breach on GoDaddy's side. I have yet to see if there are common setups such as WordPress, Joomla or other scripts that have the potential to be a way for an attack like this to happen. However, I removed all of my Joomla-based hosting due to other unrelated issues and moved them to my Linux hosting servers. All I have left on my Windows hosting is some old custom ASP scripting and some custom PHP scripts that I wrote. It's possible that these could be a path of compromise, but I have a hunch that this hack was done from another direction. Here is my reason why.

 

Following is the hyperlink data that is placed in each of the HTML files in my hosting account (Warning: DO NOT VISIT THESE SITES, MANY OF THESE SITES ARE MALWARE INFECTED!!!!!!). The following code is also on the numerous other infected sites hosted with GoDaddy.

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;"> <a href="http://www.glangels.org/"><b>michael kors black Friday</b></a> <a href="http://www.cleardocketinc.com/"><b>Babyliss cyber Monday</b></a> <a href="http://www.perignemcrossfit.com/"><b>Oakley black Friday</b></a> <a href="http://www.milwaukeekayak.com/"><b>uggs cyber monday</b></a> <a href="http://louisvillemeadcompany.com/"><b>dior black friday</b></a> <a href="http://www.mopac.com"><b>uggs black friday</b></a> <a href="http://friendsofcostco.org/"><b>uggs cyber monday</b></a> <a href="http://www.turkeycreekgolf.com/"><b>polo black friday</b></a> <a href="http://bookforward.net/"><b>canada goose cyber monday</b></a> <a href="http://www.paulpatrickelectric.com/"><b>Tiffany cyber Monday</b></a> <a href="http://www.orangecountyfairspeedway.net/"><b>uggs cyber monday</b></a> <a href="http://www.heavenlyfinancing.com"><b>Uggs Black Friday </b></a> <a href="http://www.needleworkdesigners.com/"><b>lululemon black friday</b></a> <a href="http://www.achca-scchapter.org/"><b>beats by dre black Friday</b></a> <a href="http://www.bikemastersmiami.com/"><b>louis vuitton black Friday</b></a> <a href="http://squireshoppe.com/"><b>canada goose cyber monday</b></a> <a href="http://elkhartmunicipalband.com/"><b>north face black friday</b></a> <a href="http://plattevillesoccer.org/"><b>pandora black Friday</b></a> <a href="http://raisedvisualmedia.com/"><b>north face cyber monday deals</b></a> <a href="http://jennchase.com/"><b>north face black friday</b></a> <a href="http://www.mtfernumcnj.org/"><b>north face black friday</b></a> <a href="http://www.greenfieldfirstbaptist.com/"><b>uggs black friday</b></a> <a href="http://www.goldcrownenrichment.org/"><b>michael kors black Friday</b></a> <a href="http://www.nbpcitizensacademy.org/"><b>north face cyber monday deals</b></a> <a href="http://estatebuyers.com/"><b>Mulberry cyber monday</b></a> <a href="http://www.monumentfoods.com/"><b>canada goose 
black friday</b></a> <a href="http://www.santancrownrotaryclub.com/"><b>michael kors black Friday</b></a> <a href="http://smt-1.com/"><b>north face black friday</b></a> <a href="http://sakealbany.com/"><b>uggs black friday</b></a> <a href="http://www.ashevillecottages.com/"><b>canada goose black friday</b></a> <a href="http://www.divinemercycatholic.com/"><b>beats by dre cyber Monday</b></a> <a href="http://www.poolonthenet.com/"><b>beats by dre cyber Monday</b></a> <a href="http://www.perignemcrossfit.com/"><b>Ray Ban black Friday</b></a> <a href="http://www.frankfortsunshinecenter.org/"><b>uggs cyber monday</b></a> <a href="http://www.daveedwardsevents.com/"><b>uggs black friday</b></a> <a href="http://www.riversideflowershow.info/"><b>beats by dre black Friday</b></a> <a href="http://www.vietventures.com/"><b>black Friday beats by dre</b></a> <a href="http://www.artisanvoice.com/"><b>north face black friday</b></a> <a href="http://www.ohvacoustics.com/"><b>kate spade black friday</b></a> <a href="http://www.diskbytes.com/"><b>coach black friday</b></a> <a href="http://labsuic.org/"><b>mcm cyber monday</b></a> <a href="http://www.cerevesleep.com/"><b>michael kors black Friday</b></a> <a href="http://www.lucienne-repweave.com/"><b>beats by dre cyber Monday</b></a> <a href="http://labsuic.org/"><b>celine cyber monday</b></a> <a href="http://www.laroccaseafood.com/"><b>michael kors black friday</b></a> <a href="http://troysecuritysolutions.com/"><b>kate spade cyber monday</b></a> <a href="http://www.planetskills.com/"><b>kate spade black friday</b></a> <a href="http://www.wilmingtonbands.org/"><b>Longchamp black friday</b></a> <a href="http://www.netcorinteriors.ca/"><b>beats by dre cyber Monday</b></a> <a href="http://www.moudysbarandgrill.com/"><b>uggs cyber monday</b></a> <a href="http://www.plasticendplugs.com/"><b>uggs cyber monday</b></a> <a href="http://apollocomputing.com"><b>uggs black friday</b></a> <a 
href="http://www.santancrownrotaryclub.com/"><b>michael kors black Friday</b></a> <a href="http://www.theberryhillgroup.com/"><b>uggs cyber monday</b></a> <a href="http://purejoysalonandspa.com"><b>uggs cyber monday</b></a> <a href="http://www.thepetstep.com"><b>uggs black friday</b></a> <a href="http://hd-plumbing.com"><b>uggs black friday</b></a> <a href="http://andreycha.info/"><b>uggs black friday</b></a> <a href="http://www.rockdaleclerk.com"><b>uggs cyber monday</b></a> <a href="http://www.statsboston.com/"><b>michael kors black Friday</b></a> <a href="http://refugeesuccess.org/"><b>beats by dre cyber Monday</b></a> <a href="http://jennchase.com/"><b>north face black friday</b></a> <a href="https://www.theloancoach.com/"><b>north face black friday</b></a> <a href="http://www.spygame.com/"><b>beats by dre black Friday</b></a> <a href="http://www.robertkoke.com/"><b>beats by dre cyber Monday</b></a> <a href="http://www.exterapartners.com/"><b>north face cyber monday</b></a> <a href="http://www.gensysresearch.com/"><b>beats by dre black Friday</b></a> <a href="http://www.gensysresearch.com/"><b>beats by dre cyber Monday</b></a> <a href="http://www.riversideflowershow.info/"><b>beats by dre black Friday</b></a> <a href="http://www.brookwoodtownhouses.com/"><b>north face cyber monday</b></a> <a href="http://www.thebestlittlesandwichshop.com/"><b>uggs cyber monday</b></a> <a href="http://www.wahsh.com/"><b>michael kors black friday</b></a> <a href="http://www.hoodcanalscots.org/"><b>michael kors cyber monday</b></a> <a href="http://www.simonwilches.com/"><b>michael kors cyber monday</b></a> <a href="http://www.santancrownrotaryclub.com/"><b>michael kors black friday</b></a> <a href="http://www.aracbakersfield.com/"><b>uggs cyber monday</b></a> <a href="http://www.stick-aid.com//"><b>uggs cyber monday</b></a> <a href="http://www.simonwilches.com/"><b>michael kors cyber monday</b></a> <a href="http://www.wahsh.com/"><b>michael kors black friday</b></a> <a 
href="http://bucksonmayflower.com/"><b>uggs cyber monday</b></a> <a href="http://www.bojonospizza.com/"><b>uggs black friday</b></a> <a href="http://www.dluxtraining.com/"><b>uggs black friday</b></a> <a href="http://www.harborcountryopera.org/"><b>uggs cyber monday</b></a> <a href="http://www.nbpcitizensacademy.org/"><b>north face black friday</b></a> <a href="http://parkview-pilates.com/"><b>uggs cyber monday</b></a> <a href="http://jennchase.com/"><b>north face cyber monday</b></a> <a href="http://www.bisericasfdimitriecelnou.com/"><b>north face black friday</b></a> <a href="http://www.cyfaircert.org/"><b>uggs cyber monday</b></a> <a href="http://www.thejogtog.com/"><b>uggs black friday</b></a> <a href="http://www.artisanvoice.com/"><b>north face cyber monday</b></a></div>

Note this block of hyperlink data was inserted right before the closing </body> tag. Every website directory and subdirectory contained in my hosting account that contained HTML or HTM files was hacked with this footer code. Using keywords from this data in a Google search showed that my hosting account was not alone!

 

If you were to view a site with the footer data you would basically see a bunch of hyperlinks. Makes no sense at all, besides maybe someone would click on it, but knowing exactly what the hackers' intention was made me go out and Google search the keywords to confirm my assumption. After finding pages of hacked websites I discovered a common connection to all of these sites.

 

Below is a sample ping report of sites that were hacked and inflated with hyperlink data:

C:\WINDOWS>ping www.itgnei.com
 
Pinging itgnei.com [184.168.152.4] with 32 bytes of data:
 
Reply from 184.168.152.4: bytes=32 time=57ms TTL=121
Reply from 184.168.152.4: bytes=32 time=60ms TTL=121
Reply from 184.168.152.4: bytes=32 time=60ms TTL=121
Reply from 184.168.152.4: bytes=32 time=61ms TTL=121
 
Ping statistics for 184.168.152.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 61ms, Average = 59ms
 
C:\WINDOWS>ping bearrivernet.net
 
Pinging bearrivernet.net [184.168.27.34] with 32 bytes of data:
 
Reply from 184.168.27.34: bytes=32 time=58ms TTL=121
Reply from 184.168.27.34: bytes=32 time=60ms TTL=121
Reply from 184.168.27.34: bytes=32 time=60ms TTL=121
Reply from 184.168.27.34: bytes=32 time=63ms TTL=121
 
Ping statistics for 184.168.27.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 58ms, Maximum = 63ms, Average = 60ms
 
C:\WINDOWS>ping bannockcountybluegrassfestival.com
 
Pinging bannockcountybluegrassfestival.com [184.168.27.34] with 32 bytes of data:
 
Reply from 184.168.27.34: bytes=32 time=58ms TTL=121
Reply from 184.168.27.34: bytes=32 time=62ms TTL=121
Reply from 184.168.27.34: bytes=32 time=58ms TTL=121
Reply from 184.168.27.34: bytes=32 time=58ms TTL=121
 
Ping statistics for 184.168.27.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 58ms, Maximum = 62ms, Average = 59ms
 
C:\WINDOWS>ping crossofchrist.org
 
Pinging crossofchrist.org [184.168.152.4] with 32 bytes of data:
 
Reply from 184.168.152.4: bytes=32 time=82ms TTL=121
Reply from 184.168.152.4: bytes=32 time=61ms TTL=121
Reply from 184.168.152.4: bytes=32 time=57ms TTL=121
Reply from 184.168.152.4: bytes=32 time=59ms TTL=121
 
Ping statistics for 184.168.152.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 82ms, Average = 64ms
 
C:\WINDOWS>ping lakechelanmicrobrewery.com
 
Pinging lakechelanmicrobrewery.com [184.168.27.44] with 32 bytes of data:
 
Reply from 184.168.27.44: bytes=32 time=58ms TTL=121
Reply from 184.168.27.44: bytes=32 time=77ms TTL=121
Reply from 184.168.27.44: bytes=32 time=60ms TTL=121
Reply from 184.168.27.44: bytes=32 time=59ms TTL=121
 
Ping statistics for 184.168.27.44:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 58ms, Maximum = 77ms, Average = 63ms
 
C:\WINDOWS>ping www.coulterrealestate.com
 
Pinging coulterrealestate.com [184.168.27.34] with 32 bytes of data:
 
Reply from 184.168.27.34: bytes=32 time=62ms TTL=121
Reply from 184.168.27.34: bytes=32 time=58ms TTL=121
Reply from 184.168.27.34: bytes=32 time=63ms TTL=121
Reply from 184.168.27.34: bytes=32 time=66ms TTL=121
 
Ping statistics for 184.168.27.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 58ms, Maximum = 66ms, Average = 62ms
 
C:\WINDOWS>ping www.amkotronusa.com
 
Pinging amkotronusa.com [184.168.46.18] with 32 bytes of data:
 
Reply from 184.168.46.18: bytes=32 time=71ms TTL=121
Reply from 184.168.46.18: bytes=32 time=75ms TTL=121
Reply from 184.168.46.18: bytes=32 time=75ms TTL=121
Reply from 184.168.46.18: bytes=32 time=78ms TTL=121
 
Ping statistics for 184.168.46.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 71ms, Maximum = 78ms, Average = 74ms
 
 
Notice all of the IPs are similar? It just so happens my domain also falls into one of these IPs. And it just so happens these are GoDaddy hosting IPs. So now it makes total sense and also makes me wonder whether we may have a possible breach. The hackers' attempt is to artificially trick search engines into indexing popular holiday search terms to polluted sites in hopes of artificially getting their links to the top of search results. In essence, if I search for "beats by dre Cyber Monday" I would have a good chance of finding one of these infected sites and perhaps loading a nasty malware or benefiting a criminal in a far away land.

Please be careful and DO NOT visit any of these sites. I feel it's my duty to report this, and not too often do I play detective unless I am a victim.

Edited by Mr. Rees, 20 November 2014 - 02:07 AM.
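As an added example, not code from this thread or from any of its posters, here is a Python script for the check the post above describes: walk a hosting account's web root, flag every .htm/.html file that carries the hidden-link block (matched on the CSS fingerprint quoted above, an absolutely positioned div with opacity:0.001), collect the link targets for later lookup, and produce a cleaned copy with the block removed. The sample pages, file names and directory layout are constructed, and treating that style combination as the fingerprint is an assumption.

```python
"""Find and strip the hidden-link spam block from .htm/.html files.

Added example, not code from the thread. Assumes the injected block is a single
<div> whose inline style carries both position:absolute and opacity:0.001 (the
fingerprint quoted in the post); the sample pages below are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Any div whose inline style contains the near-zero opacity value. The style
# attribute is then checked for position:absolute in find_spam_block().
HIDDEN_DIV_RE = re.compile(
    r'<div\s+style="(?P<style>[^"]*opacity:0\.001[^"]*)"\s*>.*?</div>',
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)

# Constructed sample pages; the link targets are documentation-only domains.
SAMPLE_INFECTED = (
    "<html><body><h1>Band schedule</h1>\n"
    '<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;">'
    ' <a href="http://spam-one.example/"><b>uggs cyber monday</b></a>'
    ' <a href="http://spam-two.example/"><b>north face black friday</b></a></div>'
    "</body></html>"
)
SAMPLE_CLEAN = (
    "<html><body><h1>About us</h1>\n"
    # A legitimately faded element: near-zero opacity but not absolutely
    # positioned, so it must not be reported.
    '<div style="opacity:0.001">loading</div>'
    "</body></html>"
)


def find_spam_block(html: str) -> Optional["re.Match"]:
    """Return the match for the injected block, or None if the page is clean."""
    for m in HIDDEN_DIV_RE.finditer(html):
        style = m.group("style").replace(" ", "").lower()
        if "position:absolute" in style:
            return m
    return None


def clean_html(html: str) -> Tuple[str, List[str]]:
    """Return (html with the block removed, link targets found inside it)."""
    m = find_spam_block(html)
    if m is None:
        return html, []
    links = HREF_RE.findall(m.group(0))
    return html[: m.start()] + html[m.end():], links


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each infected .htm/.html file (path relative to root, '/'-separated)
    to the link targets it carries. Files are only read here; keep the originals
    as evidence and write cleaned copies separately."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                _, links = clean_html(fh.read())
            if links:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = links
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a throwaway web root (a top-level page, a clean page, and a page in
    an alias subfolder, mirroring the layout described in the post) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "alias-site"))
    for rel, body in (("index.html", SAMPLE_INFECTED),
                      ("about.html", SAMPLE_CLEAN),
                      ("alias-site/default.htm", SAMPLE_INFECTED)):
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, links in demo().items():
        print(path, "->", ", ".join(links))
```

Run it against a downloaded copy of the account rather than in place: scan_tree only reads, so the original files stay available as evidence of what was modified, and the collected link list is what you would hand to a resolver to see where the targets are hosted.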



#2 Mr. Rees (Topic Starter)

Posted 20 November 2014 - 02:46 AM

I did call tech support. They are looking into this. They feel that this was most likely an FTP hack. It's certainly possible. But what concerns me is that if this was an FTP hack then wouldn't other hosting sites be affected? So far all the sites with this inflated HTML hyperlink data are coming up as GoDaddy hosting IPs. Even more interesting is that they are all so far IIS7 servers (by using mydnstools).

 

So FTP hacking???? Perhaps...... but am I the only one to think that this is a possible breach?


Edited by Mr. Rees, 20 November 2014 - 02:47 AM.


#3 Mr. Rees (Topic Starter)

Posted 22 November 2014 - 12:54 PM

I have found several hundred sites that are affected by this breach or hack. All of these sites that are hacked are pointing to sites that have some form of malware. I believe the ultimate goal of the hackers is to increase the search results of their compromised sites and take advantage of the holiday shoppers. Any expert who can help identify the malware the hacked sites are pointing to? I also noticed that some hacked sites are doing redirects to other websites that could possibly be doing malicious behavior.



#4 Didier Stevens (BC Advisor)

Posted 23 November 2014 - 12:36 PM

There is another pattern pointing to GoDaddy. All the domains of the URLs you posted (from your compromised html pages I assume) resolve to 29 different IP addresses.

27 of those 29 IP addresses are GoDaddy's.

 

How did you establish that these websites are hosting malware?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
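Didier's observation above, that the link targets resolve to a small set of addresses mostly at one provider, is a check you can script. Below is an added example (not Didier's code or anything from the thread) that extracts the hostnames from a list of URLs, clusters them by resolved IP, and reports how many distinct addresses there are, how many fall inside a caller-supplied provider prefix, and how many hosts share each /24. The resolver table is constructed for offline use (it reuses the domain/IP pairs from the ping report in the first post plus two invented hosts); pass socket.gethostbyname instead for a live run. The prefix 184.168.0.0/16 is an assumption passed in by the demo, not something the code looks up.

```python
"""Group the hosts behind a set of URLs by resolved IP address.

Added example, not code from the thread. The resolver table is constructed:
the first seven entries reuse the domain/IP pairs from the ping report in the
opening post, the last two are invented. For a live run pass
socket.gethostbyname as `resolve`. The provider prefix used by demo() is an
assumption supplied by the caller, not looked up here.
"""
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlparse

SAMPLE_RESOLVER: Dict[str, Optional[str]] = {
    "www.itgnei.com": "184.168.152.4",
    "bearrivernet.net": "184.168.27.34",
    "bannockcountybluegrassfestival.com": "184.168.27.34",
    "crossofchrist.org": "184.168.152.4",
    "lakechelanmicrobrewery.com": "184.168.27.44",
    "www.coulterrealestate.com": "184.168.27.34",
    "www.amkotronusa.com": "184.168.46.18",
    "cdn.example.net": "203.0.113.10",  # constructed: outside the hosting range
    "dead.example.org": None,           # constructed: does not resolve
}

# Constructed URL list, the kind of thing the link extractor would hand over.
SAMPLE_URLS = [
    "http://www.itgnei.com/",
    "http://bearrivernet.net/",
    "http://bannockcountybluegrassfestival.com/",
    "http://crossofchrist.org/",
    "http://lakechelanmicrobrewery.com/",
    "http://www.coulterrealestate.com/index.htm",
    "http://www.amkotronusa.com/",
    "http://cdn.example.net/x.js",
    "http://dead.example.org/",
    "http://WWW.ITGNEI.COM/",  # duplicate differing only in case
]


def hosts_from_urls(urls: Iterable[str]) -> List[str]:
    """Lower-cased hostnames, de-duplicated, first-seen order preserved."""
    hosts: List[str] = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def cluster_by_ip(hosts: Iterable[str],
                  resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Map each resolved address to the hosts behind it; failures go under
    'unresolved' so a dead domain never aborts the whole pass."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:  # socket.gaierror for a live lookup
            ip = None
        clusters[ip or "unresolved"].append(host)
    return dict(clusters)


def summarize(clusters: Dict[str, List[str]], provider_nets: Iterable[str]) -> Dict[str, object]:
    """Count distinct addresses, how many sit in the given provider prefixes,
    and how many hosts land in each /24."""
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    resolved = [ip for ip in clusters if ip != "unresolved"]
    in_provider = sum(1 for ip in resolved
                      if any(ipaddress.ip_address(ip) in n for n in nets))
    hosts_per_24: Dict[str, int] = defaultdict(int)
    for ip in resolved:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        hosts_per_24[str(block)] += len(clusters[ip])
    return {
        "distinct_ips": len(resolved),
        "ips_in_provider": in_provider,
        "unresolved": len(clusters.get("unresolved", [])),
        "hosts_per_24": dict(hosts_per_24),
    }


def demo() -> Dict[str, object]:
    hosts = hosts_from_urls(SAMPLE_URLS)
    clusters = cluster_by_ip(hosts, SAMPLE_RESOLVER.get)
    # Assumed provider prefix for the demo only.
    return summarize(clusters, ["184.168.0.0/16"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A single A record per host is all this needs for the clustering question asked here; if you want the full picture, substitute a resolver that returns every A record and feed each one in, since sites behind round-robin DNS will otherwise appear under whichever address came back first.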


#5 Mr. Rees (Topic Starter)

Posted 23 November 2014 - 08:26 PM

I established the claim of malware from Google search warning me that the site contains malware. But also using Sucuri has validated that not only do these sites contain SEO spam infections but some of them are also suspected of hosting malware. Looking into it further, it appears that it's a possible iframe hack using Java methods to load the malware.

 

I am not sure how long this link will show the site infected, but as of this posting it still is:

 

http://sitecheck.sucuri.net/results/www.bwaysmiles.com 

 

Doing more research using parts of the spamdexing code has also found that the hacker was doing this attack on IIS servers. A couple of months ago this same hack was done on some other IIS servers using similar shopping keywords (but without the Black Friday / Cyber Monday). The following link shows someone's IIS-based hosting account having their HTML files modified:

 

https://productforums.google.com/forum/#!topic/webmasters/eWT37SHRMuQ

 

What I have also found searching is a claim from a hacker containing the same code used in these breaches/hacks.  So I possibly know the hacker responsible for these attacks.

 

If anyone needs more info PM me.  Thanks



#6 Mr. Rees (Topic Starter)

Posted 23 November 2014 - 08:48 PM

Do a Google search on these keywords without quotes (you must use all of these words in the exact order):

 

babyliss black friday Oakley black friday uggs cyber monday

 

Now look at the search results. You should see that most of the numerous search pages contain sites with these keywords (hacked with spamdexing). All of these sites listed that I have tested are IIS servers on GoDaddy. But after further research and finding out this hack was done a couple of months ago to some other server (not GoDaddy), it appears this is an IIS vulnerability. I highly doubt this is FTP, or vulnerable PHP or ASP files being hacked; I really think this is a hack targeting IIS servers via HTTP/S.

 

One interesting note: about a week before my HTML was hacked on GoDaddy there was a randomly named .asp file created on my Windows hosting account. Opening this file via browser showed timestamp info. Odd....... not sure if it has anything to do with this attack.

 

One more note.  Some sites with these keywords listed and hacked have also been doing redirects to actual product websites.  I have not discovered the reasoning behind this behavior.


Edited by Mr. Rees, 23 November 2014 - 09:02 PM.


#7 Didier Stevens (BC Advisor)

Posted 25 November 2014 - 02:56 AM

I took a quick look at the first sites, but I don't see malware, but black SEO.

 

I take Sucuri's report with a grain of salt. They detect malware on the site, but if you look at the details, they say "potential malware" and don't have the malware sample.

And if you point their sitecheck to a well-known site, like Microsoft, they also find issues.

I think they are a bit biased because they have a product to sell.




#8 codeclown

Posted 25 November 2014 - 04:56 PM

My GoDaddy hosted site was infected with this. It's also running IIS and had exactly the issues described. From what I can tell the script that runs to infect .html and .htm files is /default.asp. I believe this script is run when a root fetch is made, i.e. http://mywebsite.com. Perhaps this type of mechanism is already well known. Of course this wouldn't be possible if the script were not somehow placed into the site file system, which is the core concern. I've cleaned my site from the infection for now...

 

I contacted Godaddy customer support to discuss it with one of their online support team. I outlined the issue as I saw it and asked if they were aware of the problem at all or any security issues with backdoors to IIS etc. He copy & pasted a default "your site's security and password are your responsibility" message and suggested I purchase one of their malware scan packages! Needless to say I was not overly impressed with this but figured they would respond like this. He said they had not heard of the issue yet and I stressed that I would like their tech team to investigate. Who knows if they will follow through. I gave them this forum thread URL to read through.

 

Will be watching my site for the next few weeks diligently to see if the scripts reappear. If they do I fear there's little option but to go through the pain of moving to another hosting service.



#9 Mr. Rees (Topic Starter)

Posted 26 November 2014 - 01:06 AM

> I took a quick look at the first sites, but I don't see malware, but black SEO.
>
> I take Sucuri's report with a grain of salt. They detect malware on the site, but if you look at the details, they say "potential malware" and don't have the malware sample.
>
> And if you point their sitecheck to a well-known site, like Microsoft, they also find issues.
>
> I think they are a bit biased because they have a product to sell.


You're correct; looking into the Sucuri in detail I looked at the Java code and it appears the HTML is less malicious and more to try to lure people to specific legitimate-looking websites. However, what goes beyond the site has many possibilities.

 

But codeclown has the most important point, and that is this could happen again. I hope to find out what vulnerability this was and if this is something new.



#10 codeclown

Posted 26 November 2014 - 01:55 AM

 

> > I took a quick look at the first sites, but I don't see malware, but black SEO.
> >
> > I take Sucuri's report with a grain of salt. They detect malware on the site, but if you look at the details, they say "potential malware" and don't have the malware sample.
> >
> > And if you point their sitecheck to a well-known site, like Microsoft, they also find issues.
> >
> > I think they are a bit biased because they have a product to sell.
>
> You're correct; looking into the Sucuri in detail I looked at the Java code and it appears the HTML is less malicious and more to try to lure people to specific legitimate-looking websites. However, what goes beyond the site has many possibilities.
>
> But codeclown has the most important point, and that is this could happen again. I hope to find out what vulnerability this was and if this is something new.


I've been unable to pinpoint much in the way of what this thing is, what it's called or anything conclusive. Seems under the radar at present.

Edit: Black(Hat) SEO or similar may be of interest.

Edit2: paintUndersideOfFox was in the default.asp file IIRC


Edited by codeclown, 26 November 2014 - 02:09 AM.


#11 Mr. Rees (Topic Starter)

Posted 26 November 2014 - 02:35 AM

I Google searched this term (the CSS code used in the link spam):

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;">

Not too far down the search results there is one defaced website hacked by A** T***** (now down). I want to say it was IIS when I was first checking it out, but can't confirm now that it's down. Not sure if this hacker has anything to do with it, but it's a coincidence that a site he defaced was also using this exact same CSS code to hide content.

 

Your thoughts?



#12 codeclown

Posted 26 November 2014 - 02:46 AM

Right, I noticed that code too. It's basically inserting a bunch of bogus links at the end of the <body> with next to zero opacity - presumably to force any optimisers off - you can select all the page or hover your mouse over the bottom of the page to see the links.

 

In any case, I'm not in my element with this stuff. Didn't follow you on the defaced site. The only positive thing is it doesn't seem to be malicious but rather search ranking oriented.



#13 Mr. Rees (Topic Starter)

Posted 26 November 2014 - 02:54 AM

I jumped the gun on the malware statement because Google search results were identifying some of the HTML links as malware, plus getting the same results from the Sucuri site. After taking a closer look at the Java, its full intention is to get as much traffic as possible to specific site(s). However, with this type of aggressive method I would only think the end result would be malicious and end up taking advantage of people through online fraud or other forms of cyber crime.



#14 codeclown

Posted 26 November 2014 - 03:24 AM

They're trying to set up a pool of interconnected links that ultimately point to a handful of target sites. That's where the culprit will be.



#15 Didier Stevens (BC Advisor)

Posted 26 November 2014 - 07:37 PM

You upload files to your GD site with FTP. What's your FTP client?





