How does it work? The attackers use an SSH or CMS exploit to gain root access, then install a small module on the web server that decides, request by request, what to serve. When you visit the site as an ordinary user you see absolutely nothing amiss, even in the page source. For example, the University of the West's website returns a regular web page and shows no problems in the source. But a web search for uwest.edu and viagra turns up the infected pages: the module serves the spam-laden copies to the search engine's crawler, which indexes them. The effect is to tie a trusted, well-ranked uwest.edu to the spammer's URLs.
Our contact at Sucuri.net, David Dede, sent us a partial list of hacked sites:
www.jchs.edu
www.jmkac.org
www.legal-library.co.uk
www.linnean.org
www.master-photonics.org
www.menshealthnetwork.org
www.moc.edu
www.mulchblog.com
www.no-fuel.org
www.oecs.org
www.prairiepublic.org
www.projectapproach.org
www.renewable-energy-watch.org
www.savethewildup.org
www.thedigest.com
www.tumenprogram.org
www.uinteramericana.edu
www.umoncton.ca
www.unionsportsmen.org
www.uwest.edu
www.wcwonline.org
Many of the hacked sites are .edu domains, which are often rarely maintained or updated.
What can you do if you're hacked? Well, first rotate all of your passwords (the attackers had root, so treat every credential on the box as burned), hit the gym, wipe and reinstall your web server, and install the latest version of your favorite CMS. Unfortunately, from the outside the simplest way to tell whether your site is affected is to search Google for your domain plus "viagra" or a similar phrase. On rare occasions the same hack also installs malware (CrunchGear, I believe, was recently hit), so that is another major concern.
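The mechanism described above and the Google-side check suggest a test you can run from your own machine. The following is an added example, not code from the original post or from Sucuri: it fetches the same URL twice, once with an ordinary browser User-Agent and once claiming to be Googlebot, then reports spam terms and outbound links that appear only in the crawler's copy. It assumes the injected module keys on the User-Agent header, which the post does not state; the spam term list, the hostnames and the two sample pages are constructed for the demo.

```python
import re
import urllib.request

# One ordinary browser User-Agent and one search-engine crawler User-Agent.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Terms the injected pages are built around (assumed list; extend for your case).
SPAM_TERMS = ("viagra", "cialis", "levitra", "online pharmacy", "buy cheap")

TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def fetch(url, user_agent, timeout=15):
    """Fetch url presenting the given User-Agent (network helper, unused offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def spam_terms_in(html):
    """Spam terms present in the visible text (tags stripped, case-folded)."""
    text = TAG_RE.sub(" ", html).lower()
    return {term for term in SPAM_TERMS if term in text}


def outbound_links(html):
    """Absolute http(s) links found anywhere in the markup."""
    return {h for h in HREF_RE.findall(html)
            if h.lower().startswith(("http://", "https://"))}


def compare_views(browser_html, crawler_html):
    """Report what the crawler is served that the browser is not."""
    cloaked_terms = spam_terms_in(crawler_html) - spam_terms_in(browser_html)
    cloaked_links = outbound_links(crawler_html) - outbound_links(browser_html)
    return {
        "cloaked_terms": sorted(cloaked_terms),
        "cloaked_links": sorted(cloaked_links),
        "suspicious": bool(cloaked_terms or cloaked_links),
    }


def check_site(url):
    """Live check: fetch the same URL as a browser and as a crawler, then diff."""
    return compare_views(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))


# Constructed sample responses standing in for the two views of an infected host.
BROWSER_VIEW = """<html><head><title>Campus News</title></head>
<body><h1>Campus News</h1><p>Spring registration opens Monday.</p>
<a href="http://www.example.edu/admissions">Admissions</a></body></html>"""

CRAWLER_VIEW = """<html><head><title>Campus News</title></head>
<body><h1>Campus News</h1><p>Spring registration opens Monday.</p>
<a href="http://www.example.edu/admissions">Admissions</a>
<div style="display:none">Buy cheap Viagra and Cialis at our
<a href="http://pills.example.invalid/">online pharmacy</a></div></body></html>"""

if __name__ == "__main__":
    print(compare_views(BROWSER_VIEW, CRAWLER_VIEW))
    # Against a live host: print(check_site("http://www.example.edu/"))
```

A clean result from the live check does not clear the host: the module may instead key on the Referer header (a click through from a Google results page) or on the crawler's source IP range, and a spoofed User-Agent passes neither. Treat it as quick triage and confirm with the search described above.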
The groups or individual hackers are fairly diligent. David reports that "I saw some of their scripts and they have a list of 20+ vulnerabilities that they try on every site. Once they are inside, they create shells, backdoors and things like that." It might make a good project for the pre-holiday week to lock down your server.
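David's description of shells and backdoors says what to look for when you do lock the server down. The following is an added example, not Sucuri's scripts or anything from the post: a Python triage scanner that walks a document root and flags files matching common PHP webshell idioms (eval of a base64 payload, system() fed from $_GET, the preg_replace /e trick), PHP that branches on a Googlebot User-Agent, .htaccess rewrites keyed on a crawler or a Google referer, PHP dropped into upload or image directories, and anything modified in the last week. The signature list, the directory names and the sample tree it scans are assumptions built for the demo.

```python
import os
import re
import tempfile
import time

# Assumed, non-exhaustive signature list: common PHP backdoor idioms plus the
# crawler-conditional code a search-engine cloaking module needs.
SIGNATURES = (
    (re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of a decoded payload"),
    (re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
     "command execution from request data"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
     "request parameter called as a function"),
    (re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace with the /e (eval) modifier"),
    (re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\].{0,300}?(?:googlebot|slurp|msnbot|bingbot)", re.I | re.S),
     "PHP that branches on a search-engine User-Agent"),
    (re.compile(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}.*(?:googlebot|google\.)", re.I),
     ".htaccess rewrite keyed on crawler User-Agent or Google referer"),
)
SCAN_SUFFIXES = (".php", ".phtml", ".php5", ".inc", ".htaccess")
# Directories that should never contain executable PHP (assumed site layout).
NO_PHP_DIRS = {"uploads", "images", "cache", "tmp"}
DAY = 86400


def inspect_file(path, rel, now, recent_days):
    """Return the list of reasons a file is suspicious (empty if none)."""
    reasons = []
    try:
        with open(path, "r", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return reasons
    for pattern, label in SIGNATURES:
        if pattern.search(data):
            reasons.append(label)
    if now - os.path.getmtime(path) < recent_days * DAY:
        reasons.append("modified in the last %d days" % recent_days)
    if rel.endswith(".php") and NO_PHP_DIRS & set(rel.split("/")[:-1]):
        reasons.append("PHP file in a directory that should hold no code")
    return reasons


def scan(root, recent_days=7, now=None):
    """Walk root and map relative path -> reasons for every suspicious file."""
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = inspect_file(path, rel, now, recent_days)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed sample document root: one clean file, a dropped module, a
# classic shell in the uploads directory, and an .htaccess that routes crawlers.
# Each entry is (content, age of the file in seconds).
SAMPLE_FILES = {
    "index.php": ("<?php include 'lib/render.php'; echo render_page(); ?>\n", 400 * DAY),
    "images/.cache.php": ("<?php eval(base64_decode('aGVsbG8=')); ?>\n", 2 * DAY),
    "wp-content/uploads/c99.php": ("<?php if (isset($_GET['cmd'])) system($_GET['cmd']); ?>\n", 2 * DAY),
    ".htaccess": ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                  "RewriteRule ^(.*)$ /images/.cache.php [L]\n", 2 * DAY),
}


def make_sample_tree():
    """Write SAMPLE_FILES under a fresh temp dir, back-dating mtimes as listed."""
    root = tempfile.mkdtemp(prefix="docroot-")
    now = time.time()
    for rel, (content, age) in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (now - age, now - age))
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan(make_sample_tree()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it as scan("/var/www/html") and read every hit by hand. A clean scan proves nothing, which is why the wipe and reinstall above remains the right answer once root has been lost; but copy the flagged files and the web server logs off the box before rebuilding, since they show which of the 20+ vulnerabilities actually got the attackers in.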
Authors: John Biggs