Of Cracks, Cloaked Pages and Search Engines

Posted on Tuesday, 20th March 2007 by Tony.
Categories: Geek, Miscellaneous.

Apologies to the photographic crowd that follow this, but I needed to take a geeky sidetrack for this post. I’ve been helping a few friends with websites clean up the remnants of various crackers that have been at their websites in the past. To be honest, the hack is quite unsophisticated but the results are quite impressive. I’m not going to go into details here, but suffice to say that by exploiting an old hole (probably in XML RPC or similar) the abusers are adding various .php files which blend in with the applications surrounding them. The files are often named in such a way that people who are less technical tend to be reluctant to delete them (messages.php, includes.php, time.php, date.php, etc). Again I’m not going to go into the details of what the files contain, but they are quite short, just a few lines of code. Additionally there are .htaccess files that are planted for various redirect and rewrite services.

So to what end? Well basically these guys all run search pages with “clickthru” value links and drive traffic to their sites by bouncing traffic thru your webpages. In other words, they will submit a page to Google for example, and the link they submit will be full of the most heavily searched terms (usually warez, porn and cracks), but because they can only submit their site to Google a single time, they have to use pages externally. So they compromise (break into illegally) servers and infect them. The result that comes up in Google when someone searches for a porn phrase, for instance, will look like this: http://www.yourwebsite.com/mambo/time.php/porn+search+here where the last part is the search the user put into Google, the first part is your website, and as mentioned earlier the time.php is an infected file placed on your website by the crackers. The infected file rewrites the URL and redirects it to their income generating website in the hope that someone clicks the links (which they often do).
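One place this pattern leaves a trace is your web server’s access log: a request for a .php script with an extra path tacked on after it (the search phrase), usually arriving from a search engine and answered with a redirect. The following is an added example I wrote for this post, not code from the post itself; the log lines are constructed in Apache combined format, with made-up IP addresses and neutral placeholder search terms, and the list of search-engine referers is my own assumption.

```python
import re
from collections import Counter

# Constructed sample access log (Apache combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2007:10:01:12 +0000] "GET /mambo/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2007:10:01:40 +0000] "GET /mambo/time.php/term1+term2+term3 HTTP/1.1" 302 221 "http://www.google.com/search?q=term1+term2" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2007:10:02:03 +0000] "GET /mambo/images/logo.png HTTP/1.1" 200 8841 "http://www.yourwebsite.com/mambo/" "Mozilla/5.0"
198.51.100.8 - - [20/Mar/2007:10:02:30 +0000] "GET /mambo/time.php/another+phrase HTTP/1.1" 302 221 "http://www.google.com/search?q=another+phrase" "Mozilla/5.0"
203.0.113.22 - - [20/Mar/2007:10:03:01 +0000] "GET /mambo/includes.php/yet+more+terms HTTP/1.1" 302 221 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP script followed by extra path segments, e.g. /mambo/time.php/some+terms
PATHINFO_RE = re.compile(r'^(?P<script>/[^?\s]*?\.php)/(?P<extra>[^?\s]+)')

# Assumed list of search-engine referer hosts; extend for your own traffic.
SEARCH_REFERER_RE = re.compile(r'^https?://(www\.)?(google|yahoo|msn|live)\.', re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry):
    """Return the reasons a request looks like bounce traffic through a planted script, or []."""
    reasons = []
    m = PATHINFO_RE.match(entry["path"])
    if m:
        reasons.append("path-info after PHP script")
        if "+" in m.group("extra"):
            reasons.append("search-term style suffix")
    # A search-engine visitor being redirected away is the other half of the pattern.
    if SEARCH_REFERER_RE.match(entry["referer"]) and entry["status"].startswith("3"):
        reasons.append("redirect served to search-engine visitor")
    return reasons


def analyse(log_text):
    """Scan a log, returning flagged requests and a count per script so the planted files stand out."""
    flagged = []
    scripts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = flag_request(entry)
        if reasons:
            m = PATHINFO_RE.match(entry["path"])
            script = m.group("script") if m else entry["path"]
            scripts[script] += 1
            flagged.append((entry["ip"], entry["path"], entry["status"], reasons))
    return flagged, scripts


if __name__ == "__main__":
    hits, per_script = analyse(SAMPLE_LOG)
    for ip, path, status, reasons in hits:
        print(f"{ip} {status} {path}  <- {', '.join(reasons)}")
    print("Scripts receiving bounce traffic:", dict(per_script))
```

Run it over a real log with `analyse(open("access_log").read())`; the per-script counter is usually the quickest way to name the files to look at, since a script that is only ever requested with search terms appended is rarely legitimate.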

Have any of these people been caught yet? I have no idea, but surely if they are, at the very least it’s obtaining money by deception (fraud) in any country, aside from any computer violation and misuse laws that may be in place.

There are ways to avoid this happening, mostly revolving around vigilance and being aware of the files in your website (be aware of new files recently added when you’ve not updated your site in a while). There are software programs like Tripwire that can alert you when stuff like this happens, but they are beyond the average user. A more detailed explanation is beyond the scope of this weblog, but if you’ve been cracked, your circumstances may differ greatly and any cracked server requires proper forensic examination to check if anything else has been compromised. The guys that do this thrive on complacency, so try to be aware of what’s happening on your website. Good Luck.
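The “be aware of new files” advice can be automated in a much simpler form than Tripwire: record a hash of every file in the web root once, then diff against that record later and look hard at any .php or .htaccess that appeared or changed. Below is an added example of that idea, written for this post rather than taken from it or from Tripwire; the demo builds a throwaway web root in a temporary directory and plants placeholder files with the same kind of names the post mentions, so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 and mtime."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mtime": int(p.stat().st_mtime),
            }
    return baseline


def save_baseline(baseline, path):
    # Keep this file outside the web root; it is only useful if the intruder cannot edit it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def is_watched(rel_path):
    """File types the post says get planted: PHP scripts and .htaccess."""
    p = Path(rel_path)
    return p.suffix == ".php" or p.name == ".htaccess"


def compare(baseline, current):
    """Diff two baselines: new, removed and changed files, plus the subset worth looking at first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    suspicious = sorted(p for p in added + modified if is_watched(p))
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious}


def demo():
    """Constructed scenario: baseline a toy web root, plant files, then diff. Placeholder contents only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mambo" / "images").mkdir(parents=True)
        (root / "mambo" / "index.php").write_text("<?php echo 'site'; ?>\n")
        (root / "mambo" / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        before = build_baseline(root)

        # Simulate the kind of change the post describes: an innocuous-looking script
        # and an .htaccess appear, and an existing script is altered.
        (root / "mambo" / "time.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "mambo" / ".htaccess").write_text("RewriteEngine On\n")
        (root / "mambo" / "index.php").write_text("<?php echo 'site'; /* changed */ ?>\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `save_baseline(build_baseline("/var/www"), "/root/webroot.json")` straight after a clean install or update, and `compare(load_baseline(...), build_baseline("/var/www"))` from a cron job; the `suspicious` list is the short one to read each morning, while a non-empty `added` or `modified` on a site you have not touched is the signal the post is talking about. Note that an mtime alone is not trustworthy, which is why the hash is what gets compared.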