More on the WordPress (and now Joomla) pharma hack attacks

Note: This post is a followup to the one here describing a coordinated attack on sites running WordPress.

My friend’s WordPress sites are still partly out of commission, following the sophisticated attack by pharma spammers that I talked about a few days back. Google has listed them again, though Google’s cache still shows some of the pharma spam. I’ve been continuing to investigate the attacks, and I’ve learned some new and interesting things about these attacks…including the fact that they are moving beyond WordPress and beginning to target another popular open-source platform, Joomla.

The first thing I did was start compiling a list of sites which have been compromised by this particular hack attack. To do this, I used Google’s site: command to get a listing of what my friend’s site looked like from Google’s point of view. The site: command can be used to get a list of how Google has indexed a site; for example, if you type

site:xeromag.com


into Google, you’ll see how it has indexed all the pages of my site. Next, I took unusual words and phrases from the pharma results in Google, and searched for those exact phrases. This gave me a list of tens of thousands of sites.

I then went down that list looking at each site. If I didn’t see any trace of the pharma spam keywords in the site, I did a second Google search, this time using that site and those same pharma spam keywords. I clicked on the Google link for those results and watched what happened. If I got redirected to a pharmacy page via a redirector at googl-analize.in, I knew it was the same attack, and I added that site to my list.

For example, here is what happens if you type

site:gregatkinson.com

(one of the hacked sites I found) into a Google search.

If you click on any of those links, you will not see any pharma spam. However, if you do the search AGAIN, this time using

theophylline site:gregatkinson.com

as your search term and you click on any of the links, you’ll be redirected to a pharmacy spam page.

Once I had built a list of affected sites, I then looked to see who their Web host was, and what content management software they were running. Nearly all of the sites were running WordPress, most of them fully updated and patched.

Nearly all. Not quite all, however. Some of the sites I found, I discovered, were running Joomla. This surprised me, and I think it helps rule out a zero-day exploit in WordPress as the attack vector. Unless we are to believe that this one group of hackers has found and is exploiting identical zero-day flaws in both WordPress and Joomla and is attacking them the same way, which is possible but unlikely, I think the logical conclusion is that the attack vector is somewhere else.

Here’s the list of hacked sites that have all been attacked by the same person or persons who attacked my friend’s site that I’ve compiled so far:

www.corneliamarie.com (host: cloudflare.com)
truflun.net (host: bluehost.com)
www.leeloo.com.au (infected shopping cart too; using old WP) (host: netregistry.com.au)
www.amigosdaterra.net (host: dinahosting.com)
www.frankadam.be (host: dreamhost.com)
www.veryediblegardens.com (not using WP?) (host: dreamhost.com)
www.kevjumba.com (host: dreamhost.com)
www.sfpulpit.com (host: dreamhost.com)
gregatkinson.com (host: dreamhost.com)
www.insidetheperimeter.net (host: dreamhost.com)
www.cbringen.de (using Joomla) (host: oneandone.net)
www.lethbridgesoccer.com (running Joomla) (Currently broken; redirect still works) (host: dreamhost.com)
www.theestateofthings.com (using outdated WP version) (host: dreamhost.com)
www.swearimnotpaul.com (using outdated WP) (host: blacknight.ie)
www.usmlerockers.net (not using WP) (host: ning.com)
culturevulture.net (using Joomla) (host: serverbeach.com)
blog.fnac.es (using outdated WP) (host: ovh.net)
log.thedom.net (host: all-inkl.com)
www.wearethenest.com.au (host: netregistry.com.au)
bbh-labs.com (host: Amazon EC2)
copdlifeexpectancy.org (host: theplanet.com)
blogs.panasonic.com.au (host: ultraserve.com.au)
www.primeradio.lk (host: tailoredservers.com)
www.timecrystal.co.uk/blog (host: fasthosts.co.uk)
ccccnsw.org.au (host: netregistry.com.au)
amigosdaterra.net (running Joomla) (host: dinahosting.com)
www.www-sante.com (not using WP) (host: sivit.fr)
www.revolution.co.za (redirects to www.revolution-daily.com if not coming from Google pharma search) (using old WordPress version) (host: godaddy.com)
liga.es (host: ovh.net)
www.thesheaf.com (host: bluehost.com)
www.panamaturismo.com (host: nationalnet.com)
www.nativeco.com (host: mediatemple.net)
juanelear.com (host: serveraxis.com)
www.procrastinando.com.br (host: locaweb.com.br)
www.homofotograficus.com (host: theplanet.com)
www.mikelovesbeer.com (host: appliedi.net)
ozmonmedia.com (host: singlehop.com)
soloenmexico.com.mx (host: theplanet.com)
www.unreliablewitness.com (host: 34sp.com)

Unless otherwise noted, the sites are running current WordPress installs.

As of yesterday, each of these sites would redirect via www.googl-analize.in to pharma spam sites. However, interestingly, starting today I began noticing that the same sites were no longer redirecting through this site, but were instead redirecting through http://sliceblogz.com.

*** WARNING *** WARNING *** WARNING ***
The sites googl-analize.in and sliceblogz.com are live as of the time of this writing. It appears that visits to these sites result in blank pages unless the HTTP headers are set exactly right. However, these are sites that are being used in current hack attacks against many Web sites. I do not recommend visiting them.


I also discovered something else interesting. When I did Google searches for the exact phrases used in the WordPress and Joomla pharma spam hack attacks, many of the results I got were blog comment spam on various blogs. The blog comment spam is pretty straightforward; it was just your average, run-of-the-mill “buy cheap drugs here” rubbish with a link to a Web site.

The blog comment spam linked to http://dwnloadz.in/idi.php?sid=25. I suspected that the blog comment spam was being done by the same hacker who was attacking WordPress and Joomla sites, based on the fact that the blog comment spam and the cloaked Google spam were using exactly the same phrases, including in some cases the same typographical errors and misspelled words.

Those suspicions were confirmed when I did a Whois lookup on both sites.

whois googl-analize.in

Domain ID:D5239480-AFIN
Domain Name:GOOGL-ANALIZE.IN
Created On:16-Aug-2011 08:12:26 UTC
Last Updated On:16-Aug-2011 08:12:27 UTC
Expiration Date:16-Aug-2012 08:12:26 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED

Registrant ID:TS_16281729
Registrant Name:Anatoly Vasserman
Registrant Organization:N/A
Registrant Street1:main str. 1
Registrant Street2:
Registrant Street3:
Registrant City:Chelyabinsk
Registrant State/Province:
Registrant Postal Code:454047
Registrant Country:RU
Registrant Phone:+7.3517229247
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:anvsrmn@gmail.com

Name Server:NS1.REGWAY.COM
Name Server:NS2.REGWAY.COM

whois dwnloadz.in

Domain ID:D5093036-AFIN
Domain Name:DWNLOADZ.IN
Created On:07-Jun-2011 20:49:13 UTC
Last Updated On:07-Aug-2011 19:20:19 UTC
Expiration Date:07-Jun-2012 20:49:13 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Status:CLIENT TRANSFER PROHIBITED

Registrant ID:TS_16281729
Registrant Name:Anatoly Vasserman
Registrant Organization:N/A
Registrant Street1:main str. 1
Registrant Street2:
Registrant Street3:
Registrant City:Chelyabinsk
Registrant State/Province:
Registrant Postal Code:454047
Registrant Country:RU
Registrant Phone:+7.3517229247
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:anvsrmn@gmail.com

Name Server:NS1.REGWAY.COM
Name Server:NS2.REGWAY.COM

It seems pretty clear to me that the same person is responsible both for the blog comment spam and also for these attacks on WordPress and Joomla. It also seems to me that this person is quite busy tending his network of hacked sites; the behavior of the sites (now redirecting via sliceblogz rather than googl-analize.in, for instance) shows that he is able to make changes to the sites he hacks after the attack code has been installed.

The sliceblogz site is protected by private whois registration. It seems unlikely, though, that “Anatoly Vasserman” is the attacker’s real name.
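The registrant comparison made above by eye can be done mechanically, which matters once the list of redirector and spam-landing domains grows past two. The following is an added example, not code from this post: it parses the two whois records quoted above (excerpted inline, values unchanged) into key/value lists, then reports which registrant fields match. The choice of pivot fields and the "strong field" rule for deciding that two domains belong to the same actor are assumptions made here, not something the post states.

```python
"""
Registrant pivot across two whois records (the correlation step in the post).
Added example, not the post's own code. The two records are excerpted from
the whois output quoted in the post; PIVOT_FIELDS and the same_actor() rule
are assumptions made here.
"""
import re
from collections import defaultdict

GOOGL_ANALIZE = """\
Domain Name:GOOGL-ANALIZE.IN
Created On:16-Aug-2011 08:12:26 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:TS_16281729
Registrant Name:Anatoly Vasserman
Registrant Organization:N/A
Registrant Street1:main str. 1
Registrant Street2:
Registrant City:Chelyabinsk
Registrant Postal Code:454047
Registrant Country:RU
Registrant Phone:+7.3517229247
Registrant Email:anvsrmn@gmail.com
Name Server:NS1.REGWAY.COM
Name Server:NS2.REGWAY.COM
"""

DWNLOADZ = """\
Domain Name:DWNLOADZ.IN
Created On:07-Jun-2011 20:49:13 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:TS_16281729
Registrant Name:Anatoly Vasserman
Registrant Organization:N/A
Registrant Street1:main str. 1
Registrant Street2:
Registrant City:Chelyabinsk
Registrant Postal Code:454047
Registrant Country:RU
Registrant Phone:+7.3517229247
Registrant Email:anvsrmn@gmail.com
Name Server:NS1.REGWAY.COM
Name Server:NS2.REGWAY.COM
"""

# Fields that identify who is behind a domain, strongest first (assumption).
PIVOT_FIELDS = ["Registrant Email", "Registrant Phone", "Registrant ID",
                "Registrant Name", "Registrant Street1", "Name Server"]
# Values that carry no information and must never count as a match.
PLACEHOLDERS = {"", "n/a", "none"}


def parse_whois(text):
    """Parse 'Key:Value' lines into {key: [values]}; repeated keys such as
    Status and Name Server accumulate, placeholder values are dropped."""
    record = defaultdict(list)
    for line in text.splitlines():
        # Lazy key match so 'Created On:16-Aug-2011 08:12:26 UTC' splits at the first colon.
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ./-]*?):(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.lower() not in PLACEHOLDERS:
            record[key].append(value)
    return dict(record)


def shared_pivots(a, b):
    """Pivot fields whose complete value sets match (case-insensitively) in both records."""
    return [f for f in PIVOT_FIELDS
            if f in a and f in b
            and sorted(v.lower() for v in a[f]) == sorted(v.lower() for v in b[f])]


def same_actor(a, b):
    """Conservative rule: a shared email, phone or registrar contact handle links
    the domains; a shared name alone does not (names are trivially reused)."""
    strong = {"Registrant Email", "Registrant Phone", "Registrant ID"}
    return bool(strong & set(shared_pivots(a, b)))


if __name__ == "__main__":
    a, b = parse_whois(GOOGL_ANALIZE), parse_whois(DWNLOADZ)
    print("shared:", shared_pivots(a, b))
    print("same actor:", same_actor(a, b))
```

Note that the two records were placed through different registrars (Directi versus Transecute); the link is the registrant contact, not the registrar, which is why the comparison keys on registrant fields rather than on "Sponsoring Registrar".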


Yet another surprise came when I examined the code that the hacked sites fetch from googl-analize.in (and presumably now from sliceblogz.com). It’s difficult to get; the code in hacked sites that fetches the content does so using specially crafted HTTP headers, and the site returns a blank page if it doesn’t see those headers.

Fortunately, a friend of mine recently showed me how to use wget to create arbitrary headers. When Google indexes a hacked site, the modified code serves a special page to Google’s spider; here’s what it serves up.

Cut for technical stuff
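The two manual checks described above (search for a pharma keyword plus site:, click the result and see whether you land on the redirector; fetch a page with the headers Google's crawler would send) can be automated. What follows is an added example, not code from this post: it requests a site's front page under three header profiles (plain browser, Googlebot user agent, browser arriving with a Google search Referer for the keyword) without following redirects, then diffs the answers. The keyword "theophylline" and the two redirector hostnames are taken from the post; the request profiles, every function name, the sample host example.com and the sample responses are constructed assumptions, since the exact headers the injected code checks for are not given on this page.

```python
"""
Referer / user-agent cloaking check for a suspected pharma-hacked site.
Added example, not code from the original post. The keyword and the
redirector hosts come from the post; the profiles, names and the sample
responses below are assumptions made here.
"""
import urllib.error
import urllib.request
from urllib.parse import quote, urlparse

# Redirector hosts named in the post.
KNOWN_REDIRECTORS = {"googl-analize.in", "www.googl-analize.in",
                     "sliceblogz.com", "www.sliceblogz.com"}
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def google_query(host, keyword):
    """The search term the post uses, e.g. 'theophylline site:gregatkinson.com'."""
    return f"{keyword} site:{host}"


def request_profiles(host, keyword):
    """Three header sets: plain browser, Google's crawler, and a browser that
    arrived from a Google search for the pharma keyword on this site."""
    referer = "http://www.google.com/search?q=" + quote(google_query(host, keyword))
    return {
        "plain": {"User-Agent": BROWSER_UA},
        "googlebot": {"User-Agent": GOOGLEBOT_UA},
        "google_referer": {"User-Agent": BROWSER_UA, "Referer": referer},
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it,
    # so the Location header stays visible to us.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, headers, timeout=15):
    """Return (status, {header: value}, body_text) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def _redirect_host(status, headers):
    """Hostname in the Location header if this response is a redirect, else None."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    return urlparse(location).hostname if location else None


def analyze(host, keyword, responses):
    """responses: {profile: (status, headers, body)}. Returns a dict of findings."""
    own = {host, host[4:] if host.startswith("www.") else "www." + host}
    plain_status, plain_hdrs, plain_body = responses["plain"]
    bot_body = responses["googlebot"][2]
    ref_status, ref_hdrs, _ = responses["google_referer"]
    ref_target = _redirect_host(ref_status, ref_hdrs)
    plain_target = _redirect_host(plain_status, plain_hdrs)
    kw = keyword.lower()
    return {
        # The crawler is shown pharma text that a normal visitor never sees: cloaking.
        "cloaked_keyword": kw in bot_body.lower() and kw not in plain_body.lower(),
        # Only visitors arriving from the Google search are sent off-site.
        "referer_redirect": ref_target is not None and ref_target not in own and plain_target is None,
        "known_redirector": ref_target in KNOWN_REDIRECTORS,
        "redirect_target": ref_target,
    }


def check_site(host, keyword="theophylline", fetcher=fetch):
    """Run all three profiles against http://host/ and analyze; fetcher is injectable."""
    url = f"http://{host}/"
    responses = {name: fetcher(url, hdrs) for name, hdrs in request_profiles(host, keyword).items()}
    return analyze(host, keyword, responses)


# Constructed sample traffic (not captured from any real site), modelled on the
# behaviour the post describes: clean page for visitors, pharma text for
# Googlebot, redirect to the redirector for anyone arriving from a Google search.
SAMPLE_HOST = "example.com"
SAMPLE_RESPONSES = {
    "plain": (200, {"Content-Type": "text/html"}, "<html><body>My travel blog</body></html>"),
    "googlebot": (200, {"Content-Type": "text/html"}, "<html><body>Buy theophylline online</body></html>"),
    "google_referer": (302, {"Location": "http://www.googl-analize.in/"}, ""),
}


def sample_fetcher(url, headers):
    """Offline stand-in for fetch() that answers from SAMPLE_RESPONSES by profile."""
    if "Referer" in headers:
        return SAMPLE_RESPONSES["google_referer"]
    if "Googlebot" in headers["User-Agent"]:
        return SAMPLE_RESPONSES["googlebot"]
    return SAMPLE_RESPONSES["plain"]


if __name__ == "__main__":
    print(check_site(SAMPLE_HOST, fetcher=sample_fetcher))
```

Against a live site, call check_site("host") with the default fetcher; sample_fetcher exists only so the decision logic can be run offline. The same three requests can be sent by hand with wget's --user-agent= and --header="Referer: ..." options, which is the approach the post refers to. A site that answers all three profiles identically is not cleared by this check alone: the injected code may key on headers other than these two, which is exactly the blank-page behaviour the warning above describes.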