SG Managed Provides Hosting For Important Spam Hack Component

SG Managed is providing hosting for c4412d2ffc4bf832.info, an important component of a spam hack that has affected a large number of Zen Cart based websites. The website is one of eight from which the hacked websites attempt to retrieve a file containing a set of spam links to display when search engines request pages from the website. It is the only one of the eight currently active, and if the hosting were shut off the hacked websites would no longer contain spam links unless new hosting could be found. We contacted SG Managed about the issue several weeks ago; we have received no response and the website is still being hosted by them. When we contacted another host that had been providing service for another website used by the hack, they shut down the service within an hour.

We are currently in the process of contacting the websites that have been affected.

The Planet Hosts Critical Component of SEO Poisoning Campaign

The Planet, a large US hosting provider, provides hosting for two websites that are critical to a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that, when accessed, attempt to infect the visitor's computer with malware. This particular campaign involves two sets of hacked websites and the websites hosted by The Planet. The first set of websites has been hacked to display the content of a file requested from either getalllinks.info or dvc44ftgr.com whenever a page from the hacked website is requested by a search engine. The files from getalllinks.info and dvc44ftgr.com, hosted by The Planet at the IP address 174.133.193.218, contain links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt or http://www.dvc44ftgr.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites and they get included in search results. When people access the pages through the search results they are redirected to a fake anti-virus scanner that attempts to infect their computers with malware. Without the two domains hosted by The Planet, the pages on the second set of websites are never crawled and never get included in the search results where they could be accessed by users.
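Both campaigns above rely on the same trick: the hacked site serves the remote link file only when the request looks like it comes from a search engine crawler, so a site owner looking at the page in a browser sees nothing wrong. The quickest check is to request a page twice, once with a browser User-Agent and once with a crawler User-Agent, and diff the links. The following is an editor's example, not code from the original post: the sample HTML and the injected PHP snippet are constructed to illustrate the pattern described above, and the Googlebot User-Agent string is the one Google publishes for its crawler.

```python
"""Check a page for search-engine cloaking of the kind described in the two
items above: request it once as a browser and once as a crawler and report
the links only the crawler is shown, and scan text (an HTTP response or a
PHP file) for references to the link-distribution domains named above.
Editor's example, not code from the original post; the sample HTML and PHP
below are constructed."""
import re
import urllib.request
from html.parser import HTMLParser

# Link-distribution domains named in the two items above.
DISTRIBUTION_DOMAINS = ("c4412d2ffc4bf832.info", "getalllinks.info", "dvc44ftgr.com")

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
# Cloaking scripts usually key on the word "Googlebot" in the User-Agent.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkExtractor(HTMLParser):
    """Collect every <a href> target, including those inside hidden containers."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, crawler_html):
    """Links present in the crawler's copy of the page but not in the browser's."""
    visible = set(extract_links(browser_html))
    return sorted(set(extract_links(crawler_html)) - visible)


def distribution_references(text):
    """Distribution domains mentioned in text, with or without a www. prefix."""
    found = []
    for domain in DISTRIBUTION_DOMAINS:
        pattern = r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])"
        if re.search(pattern, text, re.IGNORECASE):
            found.append(domain)
    return found


def fetch(url, user_agent):
    """GET url with the given User-Agent (needs network access; not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def check_url(url):
    """Report cloaked links and distribution-domain references for a live URL."""
    browser_html = fetch(url, BROWSER_UA)
    crawler_html = fetch(url, CRAWLER_UA)
    return {
        "cloaked_links": cloaked_links(browser_html, crawler_html),
        "distribution_domains": distribution_references(crawler_html),
    }


# Constructed samples: a clean browser response and a cloaked crawler response
# for the same shop page, plus a PHP snippet of the shape the hack relies on
# (check the User-Agent, pull the remote link file, print it into the page).
BROWSER_SAMPLE = (
    "<html><body><h1>Shop</h1><a href='/products'>Products</a></body></html>"
)
CRAWLER_SAMPLE = (
    "<html><body><h1>Shop</h1><a href='/products'>Products</a>"
    "<div style='display:none'><a href='http://example.org/cheap-pills'>pills</a>"
    "<a href='http://example.net/buy-now'>buy</a></div></body></html>"
)
PHP_SAMPLE = (
    "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {"
    " echo @file_get_contents('http://www.getalllinks.info/links/0.txt'); } ?>"
)

if __name__ == "__main__":
    print(cloaked_links(BROWSER_SAMPLE, CRAWLER_SAMPLE))
    print(distribution_references(PHP_SAMPLE))
```

Run check_url() against a few pages of a site to compare live responses; an empty cloaked_links list is not proof of a clean site, since some cloaking scripts key on the crawler's IP range rather than its User-Agent, so also grep the site's PHP files with distribution_references() for the domains that are fetching the link lists.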

We twice contacted The Planet about the issue and in both cases they took no action. The first time they claimed the issue had already been resolved and the second time they claimed they could not find anything. We did not receive the same response when we contacted another provider that had been providing service for one of the domains. EveryDNS, which had been providing DNS service for getalllinks.info, shut off the service a day after we contacted them. Two weeks later the domain became active again after it started using DNS service hosted on the same server at The Planet.

Rackspace Failed to Upgrade Software with Critical Vulnerability for 5 Months

Rackspace is the latest in a string of recent hacks of client websites caused by hosting providers. Unfortunately some hosting providers still do not take the basic steps needed to keep their customers secure at the hosting provider level. One of the most basic security steps is keeping software updated, which Rackspace failed to do for at least one major software component. On January 27, phpMyAdmin, a widely used MySQL database administration tool, released a security advisory warning of a “critical” vulnerability in versions of 2.11.x prior to 2.11.10. The fixed version of phpMyAdmin had been released a month before the advisory. Rackspace finally upgraded the phpMyAdmin installation on its Rackspace Cloud service on June 13, and only “after customer reports brought” it to their attention. Up until then they had not updated phpMyAdmin since version 2.11.3, released back in December of 2007. Rackspace says it has “reviewed and adjusted our procedures so that going forward we will do better to stay up to date with the latest security releases of phpMyAdmin”.
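If you are on shared hosting and cannot rely on the provider, you can check the installed phpMyAdmin version against the range the advisory covers yourself. The following is an editor's example, not code from the original post or from the phpMyAdmin project. The one detail worth getting right is the comparison: as strings, "2.11.9" sorts after "2.11.10", so a lexicographic check would call a vulnerable 2.11.9 install safe. The PMA_VERSION line format is an assumption about how 2.11.x records its version in libraries/Config.class.php; adjust the regex if your copy differs.

```python
"""Decide whether an installed phpMyAdmin falls in the range the advisory
above calls critical (2.11.x before 2.11.10).  Editor's example, not from
the original post.  Versions are compared as numeric tuples, never as
strings.  The PMA_VERSION line format is an assumption about how 2.11.x's
libraries/Config.class.php records the version."""
import re

FIXED_2_11 = (2, 11, 10)  # first 2.11.x release carrying the advisory's fix


def parse_version(text):
    """'2.11.9.6' -> (2, 11, 9, 6); tuples compare component-wise, so
    (2, 11, 9) < (2, 11, 10) as it should (the string comparison says otherwise)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_2_11(version):
    """True for any 2.11.x version older than 2.11.10, the range the text names."""
    v = parse_version(version)
    return v[:2] == (2, 11) and v < FIXED_2_11


def version_from_config(php_source):
    """Pull the version out of a Config.class.php-style PMA_VERSION line
    (assumed format: $this->set('PMA_VERSION', '2.11.9.6');)."""
    m = re.search(r"PMA_VERSION'\s*,\s*'([^']+)'", php_source)
    return m.group(1) if m else None


# Constructed sample of the configuration line, at the version Rackspace was running.
CONFIG_SAMPLE = "<?php\n$this->set('PMA_VERSION', '2.11.3');\n"

if __name__ == "__main__":
    v = version_from_config(CONFIG_SAMPLE)
    print(v, "vulnerable" if is_vulnerable_2_11(v) else "not in the affected range")
```

The check is deliberately limited to the 2.11 branch the text describes; other branches should be compared against their own advisory ranges rather than this one.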

Google Adding Hacking Notification to Webmaster Tools

Google has announced that it will begin displaying “Notice of Suspected Hacking” messages in Webmaster Tools when it detects that a website has potentially been hacked. The messages will provide example URLs of the hacked pages, next steps for fixing the issue, and instructions on getting back into Google’s search results after the issue has been fixed. Google will also begin adding notifications of spammy or abused user-generated content, abused forum pages, and egregious amounts of comment spam. Once you have signed up for Google’s Webmaster Tools you can instruct Google to forward these messages and others, including malware notifications, to an email address you select.