Note: This post is a followup to the one here describing a coordinated attack on sites running WordPress.

My friend’s WordPress sites are still partly out of commission, following the sophisticated attack by pharma spammers that I talked about a few days back. Google has listed them again, though Google’s cache still shows some of the pharma spam. I’ve been continuing to investigate the attacks, and I’ve learned some new and interesting things about these attacks…including the fact that they are moving beyond WordPress and beginning to target another popular open-source platform, Joomla.

The first thing I did was start compiling a list of sites which have been compromised by this particular hack attack. To do this, I used Google’s site: command to get a listing of what my friend’s site looked like from Google’s point of view. The site: command can be used to get a list of how Google has indexed a site; for example, if you type

site:xeromag.com

into Google, you’ll see how it has indexed all the pages of my site. Next, I took unusual words and phrases from the pharma results in Google, and searched for those exact phrases. This gave me a list of tens of thousands of sites.

I then went down that list looking at each site. If I didn’t see any trace of the pharma spam keywords in the site, I did a second Google search, this time using that site and those same pharma spam keywords. I clicked on the Google link for those results and watched what happened. If I got redirected to a pharmacy page via a redirector at googl-analize.in, I knew it was the same attack, and I added that site to my list.

For example, here is what happens if you type

site:gregatkinson.com

(one of the hacked sites I found) into a Google search.

If you click on any of those links, you will not see any pharma spam. However, if you do the search AGAIN, this time using

theophylline site:gregatkinson.com

as your search term and you click on any of the links, you’ll be redirected to a pharmacy spam page.

Once I had built a list of affected sites, I then looked to see who their Web host was, and what content management software they were running. Nearly all of the sites were running WordPress, most of them fully updated and patched.

Nearly all. Not quite all, however. Some of the sites I found, I discovered, were running Joomla. This surprised me, and I think it helps rule out a zero-day exploit in WordPress as the attack vector. unless we are to believe that this one group of hackers has found and is exploiting identical zero-day flaws in both WordPress and Joomla and are attacking them the same way, which is possible but unlikely, I think the logical conclusion is that the attack vector is somewhere else.

Here’s the list of hacked sites that have all been attacked by he same person or persons who attacked my friend’s site that I’ve compiled so far:

www.corneliamarie.com (host: cloudflare.com)
truflun.net (host: bluehost.com)
www.leeloo.com.au (infected shopping cart too; using old WP) (host: netregistry.com.au)
www.amigosdaterra.net (host: dinahosting.com)
www.frankadam.be (host: dreamhost.com)
www.veryediblegardens.com (not using WP?) (host: dreamhost.com)
www.kevjumba.com (host: dreamhost.com)
www.sfpulpit.com (host: dreamhost.com)
gregatkinson.com (host: dreamhost.com)
www.insidetheperimeter.net (host: dreamhost.com)
www.cbringen.de (using Joomla) (host: oneandone.net)
www.lethbridgesoccer.com (running Joomla) (Currently broken; redirect still works) (host: dreamhost.com)
www.theestateofthings.com (using outdated WP version) (host: dreamhost.com)
www.swearimnotpaul.com (using outdated WP) (host: blacknight.ie)
www.usmlerockers.net (not using WP) (host: ning.com)
culturevulture.net (using Joomla) (host: serverbeach.com)
blog.fnac.es (using outdated WP) (host: ovh.net)
log.thedom.net (host: all-inkl.com)
www.wearethenest.com.au (host: netregistry.com.au)
bbh-labs.com (host: Amazon EC2)
copdlifeexpectancy.org (host: theplanet.com)
blogs.panasonic.com.au (host: ultraserve.com.au)
www.primeradio.lk (host: tailoredservers.com)
www.timecrystal.co.uk/blog (host: fasthosts.co.uk)
ccccnsw.org.au (host: netregistry.com.au)
amigosdaterra.net (running Joomla) (host: dinahosting.com)
www.www-sante.com (not using WP) (host: sivit.fr)
www.revolution.co.za (redirects to www.revolution-daily.com if not coming from Google pharma search) (using old WordPress version) (host: godaddy.com)
liga.es (host: ovh.net)
www.thesheaf.com (host: bluehost.com)
www.panamaturismo.com (host: nationalnet.com)
www.nativeco.com (host: mediatemple.net)
juanelear.com (host: serveraxis.com)
www.procrastinando.com.br (host: locaweb.com.br)
www.homofotograficus.com (host: theplanet.com)
www.mikelovesbeer.com (host: appliedi.net)
ozmonmedia.com (host: singlehop.com)
soloenmexico.com.mx (host: theplanet.com)
www.unreliablewitness.com (host: 34sp.com)

Unless otherwise noted, the sites are running current WordPress installs.

As of yesterday, each of these sites would redirect via www.googl-analize.in to pharma spam sites. However, interestingly, starting today I began noticing that the same sites were no longer redirecting through this site, but were instead redirecting through http://sliceblogz.com.

*** WARNING *** WARNING *** WARNING ***
The sites googl-analize.in and sliceblogz.com are live as of the time of this writing. It appears that visits to this site result in blank pages unless the http-headers are set exactly right. However, these are sites that are being used in current hack atacks against many Web sites. I do not recommend visiting them.

---

I also discovered something else interesting. When I did Google searches for the exact phrases used in the WordPressand Joomla pharma spam hack attacks, many of the results I got were blog comment spam on various blogs. The blog comment spam is pretty straightforward; it was just your average, run-of-the-mill “buy cheap drugs here” rubbish with a link to a Web site.

The blog comment spam linked to http://dwnloadz.in/idi.php?sid=25. I suspected that the blog comment spam was being done by the same hacker who was attacking WordPress and Joomla sites, based on the fact that the blog comment spam and the cloaked Google spam were using exactly the same phrases, including in some cases the same typographical errors and misspelled words.

Those suspicions were confirmed when I did a Whois lookup on both sites.

It seems pretty clear to me that the same person is responsible both for blog comment spam and also for these attacks on WordPress and Joomla. It also seems to me that this person is quite busy tending his network of hacked sites; the behavior of the sites (now redirecting via sliceblogz rather than googl-analize.in, for instance, shows that he is able to make changes to the sites he hacks after the attack code has been installed).

The sliceblogz site is protected by private whois registration. It seems unlikely, though, that “Anatoly Vasserman” is the attacker’s real name.

---

Yet another surprise came when I examined the code that the hacked sites fetch from googl-analize.in (and presumably now from sliceblogz.com. It’s difficult to get; the code in hacked sites that fetches the content does so using specially crafted HTTP headers, and the site returns a blank page if it doesn’t see those headers.

Fortunately, a friend of mine recently showed me how to use wget to create arbitrary headers. When Google indexes a hacked site, the modified code serves a special page to Google’s spider; here’s what it serves up.

This content was fetched using “sfpulpit.com” as the name of the hacked site.

<h1>Order Carbamazepine overnight delivery</h1>
<br />where to purchase Tegretol 100mg low price United Kingdom without doctor prescription
<br />generic Tegretol fedex cod
<br />low price Tegretol in internet amex priority mail
<br />Tegretole pharmacies overseas
<br />Buy Carbamazepine without a rx overnight shipping
<br />buy Tegretol online by fedex
[snip]
.
.
.
[snip]
<br /><a href=”http://www.corneliamarie.com/?fbconnect_action=myhome&userid=4105″>Valsartan without rx medications</a>
<br />Carbamazepine 200 mg buy online
<br />Low cost Carbamazepine and overseas
<br /><br /><br />Buy Carbamazepine offshore no rx fedex
<br /><br /><br />How to get Carbamazepine rx
<br />Cheapest prices for Carbamazepine cheapest online
<br />Order Carbamazepine overnight delivery
<br />Where to order Carbamazepine 400 mg discount United Kingdom online
<br /><b>Carbamazepine 400 mg buy England online mastercard</b>
<br /><i>Carbamazepine order online mastercard</i>
<br /><b>Order Carbamazepine overnight delivery</b>
<br />Where to order discount Carbamazepine 400 mg online
<br /><i>Order Carbamazepine overnight delivery</i>
<br />generic Tegretol buy cod brand
<br />No perscription Carbamazepine fedex delivery
<br />Carbamazepine Mississippi
<br />Order Carbamazepine 100 mg Canada visa
<br />Where to purchase Carbamazepine no doctor script online
<br />Buy Carbamazepine 400mg New Zealand without rx
<br/><h2>Cheap Carbamazepinee in uk at leicester</h2>
<br /><u>Low price Carbamazepine 200mg buy</u>
<br />Closest us generic equivalent to Carbamazepine in massachusetts lenox dale
<br />purchase generic Tegretol prescription online
<br /><a href=”http://www.sfpulpit.com/2008/04/25/naturalisms-missionary-zeal/comment-page-1/”>Tamsulosin no perscription overnight</a>
<br />Buy Carbamazepine overnight cheap
<br />No prescription Carbamazepinee online
<br />Order Carbamazepine overnight delivery
<br />get Tegretol online amex no rx
<br />Order Carbamazepine 100mg cheap price online Canada
<br />Generic Carbamazepine onlin
<br />To buy Carbamazepine hiv pills fedex
<br />Where to purchase Carbamazepine 100mg cheap price no prescription Australia
<br />Order Carbamazepine overnight delivery
<br />Discount Carbamazepine buying online
<br /><a href=”http://gregatkinson.com/category/job-openings/page/2/”>Generic Rebetol no prescription usa fedex shipping</a>
<br /><ul><li>Where to purchase Carbamazepine 400 mg United States no doctor script</li></ul>
<br/><h2>low prices generic Tegretol in fort worth</h2>
<br />Online pharmacy cheap Carbamazepine online store
<br />Online Carbamazepine us
<br />Where to order cheap Carbamazepine no prescription
<br /><u>Carbamazepinee combo at amlwch</u>
<br />Carbamazepine canadian pharmacy
<br /><br /><br />Cheap sale Carbamazepine online no prescriptions overnight
<br />Order Carbamazepine overnight delivery
<br />Order Carbamazepine overnight delivery
<br /><br /><br />How to purchase Carbamazepine 100mg without rx online
<br />Buy Carbamazepine 100 mg
<br />Discount Carbamazepine order United Kingdom
<br /><i>Tegretol ordered online without prescription</i>
<br />buy online order Tegretol
<br />Low cost Carbamazepine 200 mg buy online England
<br />Carbamazepine online visa no prescription
<br />Discount Carbamazepine no prescription
<br />Order Carbamazepine 200 mg online mastercard
<br />Order Carbamazepine overnight delivery
<br />Purchase Carbamazepine 200mg USA online
<br /><b>Carbamazepine Rhondda</b>
<br />Carbamazepine antiviral in internet drugs overnight
<br />Order Carbamazepine overnight delivery
<br />purchase cheap discount online Tegretol
<br />Carbamazepine prescription dosage at ma
<br />Buy cheap Carbamazepine 400mg
<br/><h3>Discount Carbamazepine 400 mg buy without rx GB</h3>
<br />Order Carbamazepine 400 mg no prescription New Zealand
<br />Cheap price Carbamazepine 200 mg purchase online without rx
<br /><i>where to buy Tegretol in internet priority mail</i>
<br /><ul><li><a href=”http://www.sfpulpit.com/2008/09/29/let-us-preach-christ/comment-page-1/”>Order Aripiprazole uk</a></li></ul>
<br />Carbamazepine medication
<br />Order Carbamazepine without prescription to ship overnight
<br /><b>Purchase no online rx Carbamazepine</b>
<br /><a href=”http://www.sfpulpit.com/2008/08/11/killing-the-sin-in-your-life-part-1/”>Purchase drug generic Nitroglycerin</a>
<br />thiabendazole generic Tegretol
<br /><b>Buy cheap Carbamazepine c.o.d.</b>
<br />Get Carbamazepine over the counter fedex
<br /><br /><br />Consumer report on generic Carbamazepine
<br /><a href=”http://www.sfpulpit.com/2007/06/02/what-is-biblical-foreknowledge-part-1/”>Buy real Meclizine Hydrochloride without presciption</a>
<br />Cheap Carbamazepinee eskalith-cr in internet pills no prescription
<br />Order Carbamazepine overnight delivery
<br />

This stuff goes on for a while; I’ve snipped most of it out. Pretty straightforward pharma spam. But look at the bits highlighted in yellow. This page was fetched from googl-analize.in masquerading as the compromised site sfpulpit.com, and scattered throughout the HTML that googl-analize.com handed back are links to other hacked WordPress sites. This is a black-hat SEO technique to boost the Google page rank of all the sites in the network, and it suggests that the Web site googl-analize.in is keeping a list of hacked sites.

---

The Google site: command is a good way to see whether or not your site has been affected by this attack. I still don’t know the attack vecotr, but at this point I’m about 90% sure that the hackers are gaining access to a Web site on a shared server, via an FTP brute-force attack or whatever, and then exploiting flaws in that shared server to attack other Web sites hosted on the same server.

Unfortunately, there’s little that a Web hosting customer can do to make sure that their hosting provider is following security best practices. You can harden our software by tightening up file permissions, but that is little defense if your shared server is compromised.