HTML Spam Links Injection

hidden spam links injected into web pages


Ferryman

12:04 pm on Dec 1, 2006 (gmt 0)

10+ Year Member



I have become aware that a hidden list of spam links was inserted at the end of several of my web pages a few days ago. My web host claims that my FTP password must have been cracked but I am sceptical of this explanation. The links pointed to what has now been confirmed as a compromised computer at uchicago.edu and were then redirected to <snip> which has further links to <snip>. The links related to drugs.

A Google search for "how long does a particular drug stay in the body" reveals that a large number of blog sites have that drug comment spam. However, what I am reporting is HTML pages altered, presumably by a script, to include spam links. Is this a new, as yet unreported, strategy by spammers?

Please check your web pages for spam link injection. The links are hidden so you must check the source for alterations.

[edited by: engine at 2:22 pm (utc) on Dec. 1, 2006]
[edit reason] Specifics. See TOS [webmasterworld.com] [/edit]

jk3210

12:34 pm on Dec 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I found one three years ago that was linked from a period (".") at the end of a sentence.

jecasc

12:42 pm on Dec 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld, Ferryman.

If your pages are pure HTML and not dynamically generated by some scripting language, the most likely explanation would be that the files were uploaded through your FTP account. Perhaps you can check the logfiles to find out. You can also check the "Last modified date" to see when the change happened.

If you are using a scripting language like PHP and the content is stored in a database it could also be a SQL Injection vulnerability.
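The checks suggested in the posts above (reading the page source for hidden links, spotting a link hung on a single period, and looking at the last-modified date) can be automated. This is an added example, not part of any post in the thread; the inline-style patterns and the function names are assumptions, and links hidden through an external stylesheet are not detected.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Inline-style tricks that hide content from visitors (heuristic, assumed list).
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}   # tags with no end tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden) for every open element
        self.link = None     # [href, visible content, hidden] while inside <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING.search(attrs.get("style") or "")) or any(h for _, h in self.stack)
        if tag not in VOID:
            self.stack.append((tag, hidden))
        if tag == "a" and attrs.get("href"):
            self.link = [attrs["href"], "", hidden]
        elif tag == "img" and self.link:
            self.link[1] += "img"            # an image counts as visible content

    def handle_data(self, data):
        if self.link:
            self.link[1] += data

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:                      # tolerate unclosed inner tags
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]
        if tag == "a" and self.link:
            (href, text, hidden), self.link = self.link, None
            if hidden or not re.search(r"\w", text):   # e.g. a link on "."
                self.findings.append(("hidden" if hidden else "no-visible-text", href))

def scan_html(source):
    finder = HiddenLinkFinder()
    finder.feed(source)
    finder.close()
    return finder.findings

def scan_tree(root):  # yields (path, mtime in epoch seconds, findings)
    for path in sorted(Path(root).rglob("*.htm*")):
        if hits := scan_html(path.read_text(errors="replace")):
            yield path, path.stat().st_mtime, hits
```

Run `scan_tree` over a local copy of the site and compare the reported modification times with the FTP log entries for the same files.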

Ferryman

1:32 pm on Dec 1, 2006 (gmt 0)

10+ Year Member



Jecasc,
The pages are pure HTML. Log suggests that the alterations were made by FTP from <snip> . I find it hard to believe that my password was cracked but I have, of course, now changed it.

I am concerned that passwords may not be held securely on my web host's Apache server.

[edited by: engine at 2:23 pm (utc) on Dec. 1, 2006]
[edit reason] See TOS [webmasterworld.com] [/edit]

jecasc

2:00 pm on Dec 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Let me guess: Your password was either a dictionary word or name or was rather short (5 or 6 digits).

If your host does not have a limitation on how many wrong login requests can be made, a brute force attack is normally successful within minutes.

rocknbil

7:56 am on Dec 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also consider that it may not even BE your FTP. If someone roots a box - that is gains root access - ALL the domains or home pages hosted on it are at risk. Yours may just be one altered site in a series hosted with that company.

Chasing the IP origin is unlikely to lead to the source. Many of these are done in "hops" - hack into one box, from there telnet/log in to another, etc., sometimes five or more hops, all compromised machines. In order to track it you need the cooperation of all ISPs involved in the path, and if it goes unnoticed for any length of time this may not even be possible. The logs get archived or deleted and it's just not a priority sometimes.

If your FTP was a plain text pass, assume it's you. If it was a r3@1¦yg0Od1, find another host.

MatthewHSE

7:31 pm on Dec 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From what I understand, FTP passwords are sent in cleartext anyway, making them visible to packet sniffers (or something like that). I was advised to always use SFTP (Secure FTP) instead of plain FTP, and have done so for quite some time now.

Crush

10:30 pm on Dec 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



xxs. A lot of BH use edu domains to get indexed ATM. They don't need to hack your server.