The Planet, a large US hosting provider, provides hosting for two websites that are critical for a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that when accessed attempt to infect the computer with malware. This particular campaign involves two sets of hacked websites and the websites hosted by The Planet. The first set of websites has been hacked to display the content from a file requested from either getalllinks.info or dvc44ftgr.com when a page from the hacked website is requested by a search engine. The files from getalllinks.info and dvc44ftgr.com, hosted by The Planet at the IP address 126.96.36.199, include links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt or http://www.dvc44ftgr.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites and they get included in search engines results. When people access the pages through search engines they are redirected to fake anti-virus scanner that attempts to infect their computers with malware. Without the two domains hosted by The Planet the pages on the second set of websites are never crawled and never get included in the search results where the could be accessed by users.
We twice contacted The Planet about the issue and in both cases they took no action. The first time they claimed the issue had been already been resolved and the second time they claimed they could not find anything. We did not receive the same response when we contacted another provided who had been providing service for one of the domains. EveryDNS, which had been providing DNS service for getalllinks.info, shut off the service a day after we contacted them. Two weeks later the domain became active again after the domain starting using DNS service hosted on the same server at The Planet.