Search Engine Marketeers are the new script kiddies

Update: on March 12, 2008, Vadim Smelyansky emailed me and claims he was simply an innocent bystander doing freelance sysadmin work for an SEM company called LinksDealing, and has no knowledge of the internal workings of the system or how it’s being used (or misused). It’s conceivable that someone who managed to obtain the usernames and passwords to a large number of sites was then able to use that information with LinksDealing’s system in order to generate linkspam farms on a large scale.

Vadim says:

I just copy&paste database schema as is after day of playing with all possible MySQL parameters. I am not a SEO/SEM professional also I am not a DBA guru, but know enough about MySQL to support production servers.

The company registered in Israel. So I suppose that there can same named company in other countries. It is SE marketing, there is a link exchange server www.linksdealing.com and other SEM/SEO applications, some of them used to manage links on customers sites. Those sites can be banned without any notice from search engines. Probably it happens when somebody overdoing SEO on some customer site or experimenting. But there is no hackers or black hats. This database used by few of this applications. I have no idea of it complex logic.

I have no reason not to believe him, so I’ve removed the parts of this post that suggest he is the person who hacked my blog.

On August 8th, my blog, hosted at justinsomnia.org, disappeared from Google, completely, utterly without any warning or known provocation (e.g. black hat SEO), sending the traffic to my blog plummeting.

I complained to all known and normal channels, which in my opinion are too few and far between. I checked Google’s Webmaster Central tools, which merely confirmed that my site no longer existed in their index. Frustrating.

Finally I emailed someone at Google that one of my co-workers knew. I felt bad doing this. There are millions of sites in Google. I shouldn’t have to email an individual directly for this kind of support. It just doesn’t scale. But alas. Yesterday morning I got a response. My contact at Google discovered that someone had actually hacked my site and was displaying search engine spam to search engine bots only!

Let me say that again. My blog was hacked! Ugh. So I have to admit I haven’t updated WordPress to the latest version, and I’m sure Gallery is not up to snuff either. What follows is a description of the hack and my eventually successful attempt to figure out who did this to me.

Here’s where I figure out what happened

Basically someone got access to my WordPress theme files. In footer.php the following line of code was added:

include('index2.php');

Then a file called index2.php was created that contained the following PHP code:

<?
$bots=array('ooglebot', 'yahoo', 'live', 'msn');
$y=0; for($i=0; $i<sizeof ($bots); $i++) if(strstr(strtolower($_SERVER["HTTP_USER_AGENT"]), strtolower($bots[$i]))) $y=1;
if($y){
  include('rq.txt');
}
?>

This means that if the user agent (e.g. web browser, search engine bot, feedreader, etc.) identified itself as the Google or Yahoo website indexer—instead of Firefox or Internet Explorer—the file rq.txt would be included on the page. That file contained a list of 20 search engine spam links, linking to several compromised sites (who I have notified), which in turn redirected you to the intended destination, in this case a supposed Canadian pharmaceutical e-commerce site canadianmedsworld.com:

<a href=http://www.bluehighways.com/albums/buy-levitra.html>buy levitra</a><br>
<a href=http://www.uxmatters.com/scripts/viagra-online.html>viagra online</a><br>
...

To confirm this, I switched Firefox’s user agent to Googlebot’s, Googlebot/2.1 (+http://www.google.com/bot.html), using the User Agent Switcher extension, and sure enough, the spam links appeared on EVERY PAGE of my site!!! Quelle horreur! I felt so violated.

Justinsomnia with spam links

Here’s where I figure out who did this

The timestamp on index2.php was Jul 3 13:35, which I believe was the initial date of the attack. The rq.txt file had been updated as recently as Aug 18 04:15. Then before my very eyes it was updated again yesterday, Aug 20 11:05, with even more spam links. I checked my http logs for both Aug 18 04:15 and Aug 20 11:05, but nothing looked out of the ordinary, just normal GET requests. Could my Dreamhost shell account have been compromised?—a fate even scarier than a WordPress bug.

So I started digging. Googling for the filenames created in the attack, I only found one other blog post describing the same symptoms in Spanish but without any really helpful information. My http logs don’t go back to July 3rd, but I have a JavaScript based request tracker which does. One minute after 13:35 on July 3 I found this very interesting request:

select * from request where request_id = 1857380\G
*************************** 1. row ***************************
        request_id: 1857380
       request_url: http://justinsomnia.org/
  request_referrer: http://fitis.google.com/rio/index.php?unit=adv_areas&sort_by=pr&sort_order=desc&page_n=1
      request_date: 2007-07-03 13:36:22
request_user_agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
        request_ip: 62.140.244.24

The most interesting detail is the request_user_agent value. But first some background. The reason for building a request tracker in javascript (rather than parsing server logs) is that search engine bots don’t parse JavaScript like a web browser does. So that serves as a reliable way to filter out automated requests from the human ones I’m interested in. This also means that the Googlebot user agent should NEVER appear in my stats. But sure enough, there it was, one minute after my blog’s theme had been hacked. Out of 1.9 million request records, only 70 ever identify as Googlebot (usually people who’ve changed their browser’s user agent for testing purposes). Then a day later, on July 4, my homepage was requested from the same IP (62.140.244.24), again with a user agent of “Googlebot”. What this means is that someone was manually checking my site in their web browser, masquerading at the Googlebot, to see if their hack had succeeded.

Now let’s take a look at the request_referrer value. That’s the URL of the webpage the person had in their browser when they clicked on a link pointing to http://justinsomnia.org/ (presumably out of a list of other hacked sites). First of all, http://fitis.google.com/ does not exist. That’s probably there to make the request look like it’s genuinely coming from Google. It’s very likely that they’d simply mapped that hostname to localhost in /etc/hosts. rio is presumably the name of an application for hacking sites and managing spam links. index.php is just the standard filename, and everything else is the query string. So I start Googling for a spamming application called “rio” or any occurrence of those query string variables in Google’s Code Search. Nada. Until I searched for the inauspicious adv_areas value in Google proper, and struck veritable gold.

There were only two results for that seemingly generic variable. The first of which was a mysql bug report containing what appears to be a partial database schema for an SEO hacking/spamming engine:

adv_pages_free | CREATE TABLE `adv_pages_free` (
  `adv_page_id` int(11) NOT NULL default '0',
  `randomized` int(11) unsigned default NULL,
  PRIMARY KEY  (`adv_page_id`),
  KEY `randomized` (`randomized`,`adv_page_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 

adv_pages | CREATE TABLE `adv_pages` (
  `adv_page_id` int(11) NOT NULL auto_increment,
  `hostid` int(11) NOT NULL default '0',
  `uri` varchar(255) NOT NULL default '',
  `industry_id` smallint(4) NOT NULL default '0',
  `theme` varchar(255) default NULL,
  `filename` varchar(36) default NULL,
  `committed` timestamp NOT NULL default '0000-00-00 00:00:00',
  `commit_id` int(11) NOT NULL default '0',
  `nlinks` int(11) NOT NULL default '0',
  `keyword` text,
  PRIMARY KEY  (`adv_page_id`),
  UNIQUE KEY `uniq_page_id` (`hostid`,`uri`),
  KEY `page_id1` (`hostid`,`adv_page_id`,`uri`,`industry_id`)
) ENGINE=MyISAM AUTO_INCREMENT=21777537 DEFAULT CHARSET=latin1

adv_areas | CREATE TABLE `adv_areas` (
  `adv_page_id` int(11) NOT NULL default '0',
  `area_id` tinyint(4) NOT NULL default '1',
  `sentence_id` int(11) NOT NULL default '0',
  `anchor_text` varchar(255) NOT NULL default '',
  `promoted_id` int(11) NOT NULL default '0',
  `promoted_type` tinyint(1) NOT NULL default '2',
  `crawlMask` tinyint(4) NOT NULL default '0',
  UNIQUE KEY `uniq_area_id` (`adv_page_id`,`area_id`),
  KEY `promoted_id` (`promoted_type`,`promoted_id`),
  KEY `promoted_type_2` (`promoted_type`),
  KEY `promoted_type` (`adv_page_id`,`promoted_type`,`area_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1

adv_hosts | CREATE TABLE `adv_hosts` (
  `hostid` int(11) NOT NULL auto_increment,
  `hostname` varchar(255) default NULL,
  `rev_hostname` varchar(255) default NULL,
  `port` smallint(6) NOT NULL default '80',
  `ip` varchar(50) default NULL,
  `classc` int(11) NOT NULL default '0',
  `oldip` varchar(50) default NULL,
  `link_industry_id` int(11) default '18',
  `g_known` tinyint(1) default '0',
  `y_known` tinyint(1) default '0',
  `m_known` tinyint(1) default '0',
  `g_banned` tinyint(1) default '0',
  `y_banned` tinyint(1) default '0',
  `m_banned` tinyint(1) default '0',
  `customized` tinyint(1) NOT NULL default '0',
  `modified` datetime default NULL,
  PRIMARY KEY  (`hostid`),
  UNIQUE KEY `hostname` (`hostname`,`port`),
  KEY `ip` (`ip`),
  KEY `iphostid` (`ip`,`hostid`),
  KEY `rev_host_name` (`rev_hostname`)
) ENGINE=MyISAM AUTO_INCREMENT=100404 DEFAULT CHARSET=latin1

You can interpret for yourself what you think the fields stand for, but it’s the 3 in the adv_hosts table that stand out the most to me: g_banned, y_banned, and m_banned. What else do G, Y, and M stand for these days other than Google, Yahoo, and Microsoft? Fields like “theme”, “filename” and “nlinks” (number of links?) also are suspicious. Note the AUTO_INCREMENT value for the adv_hosts page: 100,404! From that one could infer that as of July 16, 2007 (when the bug was reported), this guy had already hacked over 100k sites, containing 21,777,537 defaced spam pages. Stunning. Later in the bug report he adds “Unfortunately I can not provide database content.” Yeah, I bet you can’t.

That bug report contained one other incredible piece of information: the name of the reporter, whose LinkedIn profile and resume describe him as a Software Engineer at “SEM Professionals,” but who claims was not responsible for hacking my blog.

SEM, for the uninitiated, usually stands for “Search Engine Marketing” which for some (e.g. black hats) entails spamming or gaming search engines into increasing the rank of certain search results for their clients, through any means necessary it seems (for more information, see: Search engine marketing and Search engine optimization in Wikipedia.) Suddenly my circumstantial evidence was looking a lot less circumstantial.

Update: Information removed on March 12, 2008 per note at top of post.

Here’s where I figure out how it was done

Actually I’m not 100% sure. Dreamhost does not believe my password was leaked last June when they experienced an FTP-related leak of 3500 passwords, though the time of the first intrusion (July 3) coincides with other bloggers who discovered their sites hacked (e.g. mezzoblue). If not Dreamhost then the next likely culprit would be an unknown vulnerability in PHP or WordPress. However cross referencing the timestamps of the hacked file updates with my http access log turned up nothing.

Finally this morning Dreamhost sent me justinsomnia.org’s ftp access logs for the last 6 days which contained the smoking gun. Remember the timestamps of the updated rq.txt? Aug 18 04:15 and Aug 20 11:05. Check out the timestamps of the two most recent entries at the top of the log:

jwatt    ftpd23817    201.27.197.215   Mon Aug 20 11:05 - 11:05  (00:00)
jwatt    ftpd10510    83.170.6.133     Sat Aug 18 04:15 - 04:15  (00:00)
jwatt    ftpd31925    125.163.255.120  Wed Aug 15 17:47 - 17:47  (00:00)
jwatt    ftpd19135    125.163.255.120  Wed Aug 15 16:54 - 16:55  (00:00)

At which point I disabled FTP (which I never use), changed my passwords, and will shortly begin updating my software. But first I had to post this.

Update: You made it all the way through this post? Well then you deserve a commemorative t-shirt: In Soviet Russia, blog hacks you!

Feel free to if you found this useful.

119 Comments

Daaaaaamn … Don’t mess with Justin!

Reminds me also of the book Cuckoo’s Egg. Tracking down hackers makes for good reading.

Great investigative work Justin! Thanks for sharing it. I will bookmark this and use it as reference. You should write a WP hardening post.

So, impressed with your investigation… You are now ready to be a secret agent!

Stephanie, the last two days felt uncannily like the Bourne Ultimatum. Without the punching.

Tony, failed to mention that your CrowdVine redirector, which happened to get indexed by Google, displayed a page of my site in their cache with the spam links, which helped uncover why I got banned. And you’re the second person who’s mentioned that book.

BrianR, thanks, and btw, the crux of my hardener is here: Escalating the war on comment spam.

Ron

Speaking as an Israeli, our rise in notoriety seems to coincide with the influx of the million or so Russian immigrants some years back. Also, Israel’s single computer crime department of the police contains about 8-12 officers, some of whom are there only part time. and their budget is low.

umm.

He probably wrote the code but that doesn’t mean he personally spammed your blog. He probably sells the code.

Ron, just to be clear, I have nothing against Israelis or Russians, or Israeli-Russians. However, I do not like people breaking into my site as much as anyone would not want someone breaking into their home.

umm, does that make him any less culpable? I think not.

David

Just for a bit of clarity, it’s only the blackhat SEMs that do crap like this – the whitehat guys (the majority of them) keep things legal and ethical.

Now I know who I can get help from, to investigate on this unscrupulous hackers’ action. It is just so unethical.

Anyway, for some reason, I don’t see how you managed to find his name.

nice sleuthing, me thinks he’ll receive a fair amount of annoyance when this hits the frontpage. But I just hope it’s the right guy, you could ruin the guy’s life if he’s not the one responsible. I’d personally say follow the sleazy prescription site – the owner probably knows or is the spammer.

Soooo, the crux of it is that your blog got hacked and consequently knocked off Google’s index as a result of Dreamhost leaking passwords? Has anyone considered … y’know … kicking Dreamhosts’ arse?

David, I tried my best not to paint all SEO practitioners with the same brush, but thanks for emphasizing that point.

Mike, you are correct.

Oren, wow, thanks for that link, and the rough Hebrew translation—totally radical seeing Google Ads in Hebrew.

Keith, his name appears in this mysql bug report. The database tables described in that report, combined with his resume and LinkedIn profile listing his current employer as SEM Professional(s), all suggest that he is involved in some sort of unscrupulous activity—even if, unlikely as it would seem, he was not the person directly responsible for breaking into my account.

PsychoticApe, I tried very carefully to paint an accurate picture of the information I found, without intentionally trying to ruin his life. If I am wrong, I will retract this post and apologize.

DaveP, that may be the case, though Dreamhost doesn’t think so. Either way I can’t assign blame. It’s possible that my password got into his hands through some insecure channel.

gmarkey

I had a similar incident where a French student got into a Windows Server machine and uploaded about 100GB of Warez.

Only had to Google a single keyword to find all the evidence I needed. One thing lead to another and I ended up with his name, address, email, etc.

Rather satisfying :)

grimripper

Terrific sherlocking… good job exposing him!

That’ll be script kiddies playing at dodgy SEO, not an SEO (which contrary to popular belief, isn’t all about spamming) playing at being a script kiddie.

If someone feels the need to hack blogs as part of an SEO campaign, they are shit at SEO.

Hey all, sorry my site was temporarily unavailable just after this post was made popular on Digg, turns out Dreamhost had yet another meltdown.

guest

Good work Justin. Very impressive!

lmfao That’s money! People sometimes don’t think before they act. Glad you got the problem figured out and solved. :)

Eddie

Haha you legend. Awesome working tracking him down too.

Quite interesting, although I thought you were going to say you hacked him back or something ;)! I’d be interested to see his reponse because I suspect it’s easily possible he found the bug but then other black hats abused it.

Oh actually reading the SQL I’m not so sure, I guess that was his database scheme for tracking spammed sites. Oh well..

That’s quite a story. You’d have never found it had Google not dropped you from the index. Another plus point for the big G then. Having a contact at Google helped as well of course ;)

wow dude, you rulez :)
just a note: SEM is not spamming Search Engine ;)

Andrew

So what happens now? Is Google going to unban your domain? or is that up to the googlebot to decide?

Btw, was wordpress compromised? or did he gain access through FTP and overwrite the wordpress PHP files?

Andrew

Kudos. Awesome. Hope you are up on Google soon.

Good for you, well done for doing the research and making us all aware…

omg – you are the biggest legend EVER. Nice work on the hack tackling

Smaugyy

Ask the people who administer bugs.mysql.com if they have on record the IP that was used to access their site – he might not have used any proxies/relays for what he might have considered a non-nefarious activity.

kidem

Good work….bravo on the network intrusion detection!!!

kidem
~WhiteHat~

Oliver

The exact same thing happened to me about 18 months ago. Over £300 revenue a day reduced to nothing in the space of 48 hours. Ruined my business. Thanks for catching this bloke. EXACTLY the same circumstances – I think this is most likely the guy who did me too.

Yoda

Nice work but you have no evidence that this guy, who seems to be the author of a spamlist management tool hacked YOUR site in particular. It may be just someone using his tool …

Pavel

Yes it seems that guy is in Israel

But IP 62.140.244.24 belongs to network at Moscow, Russia

At any point I dont believe that SEM pro’s does such silly things as User-Agent cloaking.

Everybody in SEO knows – search engines also uses crawlers with no User-Agent identities, so you cant fool’em

I’m shocked to know that blogs hosted by big player WordPress is hacked and misused like this. How safe is Google’s Blogger.com?

Chris

Nicely done!

KiLVaiDeN

Even though I feel sorry for you being hacked ( or all the other persons who were hacked too ) it seems quite hard to blame the specific guy. After all, he’s done what his company asked him for, and he’s not the one to blame, but the company.

In some countries, there is no specifical rule for hacking websites, therefore he might as well be totally in his rights to hack your website if it contains a security hole.

If I were you, I would just simply improve the security of my websites, and instead of accusing someone you don’t know, see what to do about the company and if it’s possible to sue them ( you won’t be able to sue the guy.. ).

I would also would like to know how the heck he accessed your theme file, because you don’t explain it.. I assume your FTP got brute force attacked, and he discovered your password, so for all readers here, check this simple rule : MAKE VERY COMPLEX PASSWORDS ON YOUR ACCOUNTS or don’t complain if you get brute force attacked.

Cheers !
K

kato7000

Great to see someone fight back, Bravo

Wow! Not bad – all of you!

Abhijit

Excellent…! Its inspiring how you fought your own battle and defaced him. I hope digg returned all the fame you lost after the hack.

‘After all, he’s done what his company asked him for, and he’s not the one to blame, but the company.’ […] ‘In some countries, there is no specifical rule for hacking websites, therefore he might as well be totally in his rights to hack your website if it contains a security hole.’

ever heard of ethics, or morality? Apparently not.

Awesome work, (other) Justin. SEO spammers are scum, nearly as bad as their emailing cousins.

Joseph

Nicely done.

tr

KiLVaiDeN, the FTP didn’t get brute forced… Dreamhost had a leak, it is mention in this post.

Excellent tracking btw

L

So it was Dreamhost’s fault that your ftp password got leaked and you never figure to change the password when you heard there even was a leak?

Justin

Bravo! I’ve tried similar “hunting” expeditions before nad have come up with nothing. It’s encouraging to see that there is success every once in a while. Congrats!

bsoisoi

Great detective work.

GSupport

“There are millions of sites in Google. I shouldn’t have to email an individual directly for this kind of support.”

There are well more than a million sites, and how much do you pay for the privilege of being in G (or Y or M)’s index?

You get what you pay for, and since you pay 0 bucks, thats the support you get.

Blinder

its important to NEVER EVER have FTP open. EVER. Period. If you need file transfer, you should always be using SCP. No questions, no exceptions. FTP is basically an open door. Treat it as such. Also, in WordPress, make sure you delete the xmlrpc.php file. Again, an open door.

Have to admire your curiosity and the efforts/steps that you took to get to the root of the cause and who did it.

Cheers!

Whoa, Dugg 2135 times as of right now and climbing. Jesus people! :)

Anyway thanks for stopping by, please try to keep the comments positive, and apologies if you get a 503 error, Dreamhost is throttling things to keep Apache alive.

Amanda

Pwn! thats bad ass man! im glad you got him

That is absolutely scary – enough for me to change all of my passwords now!

Dekim

So you figured out what tool was involved in hacking your site, and you figured out who wrote the tool, but how can you infer that the guy who wrote the tool is the same guy that hacked your site?

Cymon

I must say, you are my new hero~

Bravo!!! You will go down in blog history for this. They could probably make a new Van Damme movie out of it too.

FEW

Nice job. I hope you are right about the ID, though I guess it probably won’t have any long term effects for him…

Dekim, it doesn’t really matter, does it? I caught him working on a tool ostensibly for managing spam links on hacked websites at exactly the time my site was hacked. Even if he wasn’t directly involved in hacking my site, it appears he has a database of 100,000 hacked sites.

Seems reasonable enough to point this out and ask him to explain himself.

great work… but did u received any reply from identified culprit.

Berserker, on the other hand his resume and LinkedIn profile say he’s working for “SEM Professionals” which would suggest that he is actively working on this for the purpose of making money, not analysis.

Bezerker

I’m going to have to agree with Dekim. I wouldn’t be so sure to pin it on this guy. Bug reporters often use an already cracked machine as evidence of said bug. Not saying he DIDN’T have anything to do with it, but if you start a mass flood of hate for this guy and he did not do it… it’d be bad.

Also, it is not illegal in any way to create tools like this. Just because he made it, and because it’s not googlable for you to grab, does not mean that he is responsible for cracking your site. Many.. if not most exploits are kept private for a good.. looong.. time.

Either way, awesome amount of effort, though the evidence is not pointing out who did it, but ho created it instead.

cindi

This rocks. Great job.

If I was a principleless SEM I’m not sure I’d report mySQL bugs. Intriguing.

nacho, good point. Then again, if you read it, it’s more of a complaint/support request than anything else.

Pablo

Very, very great job!

Impressive forensics, but the bottom line is that your password was leaked. Whether is was Dreamhost or “some insecure channel”, that’s the scariest part. It reminds me why my company forces me to change my password every 90 days. It’s a pain, but well worth it.

Nevada Lights

You fuckin rock!!!! I love you!!!!

impressive work, but I would like to point out that SEM is not about gaming the search engines, that is called Black Hat SEO. SEM is a comprehensive marketing campaign that includes creating quality content, conversion analysis, and a public relations campaign to attract links. While there is much Optimization analytics that goes into an SEM campaign, the good companies and individuals do not try to poison the water by tactics like these.

jk

This forensic work is commentable. Thank for the insight of the works

JCG

This pretty upsetting that you put up this guy’s photo and country of origin. I wonder — vigilantism or anti-semitism? Perhaps both?

hmm, this gives me an idea on how to hide your personal pages from google searches. Why not ban yourself from googlebot on purpose? That way, only people who know your URL will find your site.

Good idea, bad idea?

My heart skipped a bit when I saw the rio part but I must say I applaud your detective skills and wish you all the best in getting back on Google. Something tells me you won’t have any problems.

Anti`

indeed, great work ;)
i suppose he would think about to do this again ^^
if he ever read this :D

Xopher

This is wonderful! I came here from Making Light. I hope that guy’s name is all over the internet as a spammer.

As for “antisemitism,” give me a fckng break! Are Israelis exempt from any criticism of their behavior, no matter how obviously criminal? Ridiculous.

MRamirez

Mucho hijueputa ese malparido. El internet un dia de estos va a tocar apagarlo debido a esta clase de hijos de puta madre que la andan cagando por donde van. Te felicito por tu investigación. Lástima que sea tan dificil repetir historias como estas. Saludos.

josephmcelroy, yes, but if a company (or individual) calling itself “SEM Professionals” engages in this sort of behavior, it ends up muddying the waters for everyone else.

JCG, apparently Ukraine is his country of origin, though he appears to live in Israel now. Criticizing someone who resides in Israel and posting a screenshot of their website is hardly antisemitism.

TheRealDonQuixote, being in Google is not mandatory. It is however, opt-out. You can indeed choose to opt-out by refusing to display your site to the googlebot user-agent, but an easier approach, one that would work for all search engine bots, would be to create a robots.txt file in at the root of your domain with the following content:

User-agent: *
Disallow: /

I’ve had similar attacks on my Drupal-based blog, but none that succeeded. A user tried something similar, with HTML META Redirects to a webpage whose only line was a PHP include like you posted in your article.

You rock, Justin!

Good job!! :) … though I’m about to get paranoid and check if my site has been hacked :S

D.C

N1. But what will you do next ???

John Doe

Excellent Job so far! Now You should check the IP addresses the test queries and ftp uploads are coming from (by using http://www.ripe.net). Probably You can find the people who are involved as well (test queries to prove that the job is done, ftp uploads to find his assistants)

peter

google request: 62.140.244.24 NAT7.BIRULEVO.NET BIRULEVO.NET; from moscow; seems to be a Russian ISP; maybe a NAT/FW host
ftp:
201.27.197.215 201-27-197-215.dsl.telesp.net.br; ISP in Brazil
83.170.6.133 host-83-170-6-133.customer.teleport-iabg.de; ISP / satellite communications; iabg.de; near Munich, Germany
125.163.255.120 120.subnet125-163-255.speedy.telkom.net.id; an Indosian ISP

one connection from a possible NAT server, 3 later on from dialup (or possibly compromised PCs).

hmmm.

peter

Another note: isn’t there a real similarity between true-black search engine manipulation/spamming and botnets/mail spamming?

you need to spam quickly search engines quickly/massively and you need to maintain a large zombie army for this: when the search engine detects a web-site-zombie trying to spam it, it’ll need to revert the zombie, resubmit its url, check for unbanning and respam the zombie again.

pretty similar approach, pretty much the same perpetrators, just a smaller number of client hosts to fool (merely Yahoo, Google, MSN to cover 90% of the web users).

Justin, how about an article about this “nice little correlation” in methodology:). And in the likely usage of zombified dialup clients?

Nate

“SEM, for the uninitiated, usually stands for “Search Engine Marketing” which is code for those who try to spam or game search engines into increasing the rank of certain search results for their clients (through any means necessary it seems).”

You’re an idiot. While this element exists in the search world, it certainly doesn’t comprise the majority of SEM / SEO marketing professionals. You should try a little perspective before you make wild accusations about an entire industry. I understand that you’re upset that some jerk messed up the SERPS for your precious little blog, but that statement was ridiculous.

peter

WRT Dekim’s note that he might be innocent of hacking:

Certainly a possibility, but for now, I’d wouldn’t invest much energy in distinguishing between the questionable tool author and the hacking itself. If he’s legit, there will be a followup from Justin on him and the shop he’s working at; good promotion for them. Otherwise, we’ve got one or more black hat crackers, maybe even with a li’l botnet of their own. And whatever problems they get, they _are_ asking for more of it…

peter

Nate: Justin and I are talking about true-black SEM.

“Normal SEM” that just messes with the customer’s own sites and the SEM shops own link farms… is well, kind of grey search engine semantic detection optimization.

Here however, dial-up pcs and breakins were part of this very SEM shop’s concept. And obviously accepted by this SEM’s customers…
(which isn’t necessarily the very shop he was working at).

l.c.

Thank you for this really helpful information. And a really good job! Once a lifetime everyone meets his master and he met him (…) :-)

Joe

Good job – hope you get the bastard

peter, thanks for all the comments. I emailed BIRULEVO.NET (in English and Russian), and since then I have not been able to ping 62.140.244.24.

nate, I apologize you were offended by my generalization about SEM. I have to admit, I don’t hold SEO/SEM in the highest regard, but that said, I’ve updated the paragraph in question to clarify that I meant “black hat SEM” and I’ve added links to the Wikipedia articles on SEM and SEO.

Justin,

A very good detection. I am glad to see that you not only found the problem, but also found the time to enlighten others about such dangers.

Hiya thats some serious warning for a lotta ppl out there. Anyways good work done. Hope things go fine for you and you take more precautions in the future. Till then keep posting.

great info dude. keep posting. dats some serious stuff to watch out for us bloggers

I dont know much about hacking blogs.
But good shit. :)

Well done

Congrads, way to give it back to them. I cant help but respect your thoughtfulness and resolve.

jack

Hey man, impressive work !
Dont suppose you could post that little punks email addy so we can tell him what we think of him !? XD

Chase-san

Way to go dude! I congradulate you. Thats awesome, it reminds me sorta of what I have done. Cept yours is a great deal more impressive as it was well done!

My guy was very sloppy(he even gave me his ip :P), should of heard him when I called him up and politely ask him to stop pumping spam into my site.

N8\/\/4LK€|2

awesome bro! way to go u did one awesome job on this! gratz man

Andrew

Hehe :D Nice catch on him. It’s funny how you ended up finding out who it was and everything! ^^

Super great news. After being delisted by Google for 16 days, I’m back!

TSO

FITIS is Russian abbreviation for “Information Tecnologies and Systems Branch” in Russian universities.

Chas

Good catch, or not. lol.

Well done +
i read a news on two big germany newspaper about your great hunt. It seems you are here a internet hero. This is a really moral courage to write down thats hacker only a Goliat and we are the davids. Thanks a lot for this.

artex

impressive man…..
this information can help us for future hack in our site
thx again

Torgeir

Great post! enjoyed reading it. Glad you figured it out, good job

Awesome story and brilliant detective work, Justin! He couldn’t have picked a worse mark. ;-)

Wow. That was quite a story. I didn’t make too much fuss about someone (you) contacting me via YM and asking if someone worked for my company. Then a day or two after you talked to me on YM, I looked at my web logs and saw close to 400 visitors from your blog. That’s when I read your post about the incident.

Amazing story. I’m glad you were able to track this guy down. Nice sleuth work dear Watson! :-)

That was some real good detective work! I’m glad you got to the bottom of it and were able to get things fixed on your blog.

Shine on,
Aaron

Wow… this is very unsettling. I guess there is no such thing as security anymore.

neuville

hello, I’ve had the same prob in my blog, I just deleted two lines of code in my blog footer that claimed an index2.php that claimed a t.txt file.

what else can I do to avoid this?

thank you and great post

neuville, the most important thing to do is change your password asap and disable ftp access to your webhost (use sftp/ssh instead).

M

He could at least have used a regular expression, and not the for-loop thing…

[…] inkl. einem Outing des vermeintlichen Hackers, der ehemals für Microsoft gearbeitet hat: Search Engine Marketeers are the new script kiddies Artikelzusatzinfos 1. Tags: hacker, spam, werbeblogger, wordpress 2. Related […]

Awesome! Your investigation really impressed me! Excellent job!

[…] nach einem sehr dreisten Hacker, der sich tief in den Templates von fremden Blogs versteckt hat: Search Engine Marketeers are the new script kiddies. […]

At http://wwgs.stots.de/ I have put up a little utility to check if googlebot gets something else than regular users. The URL you want to check is fetched twice, once as regular browser, and one more time as googlebot as user agent. If there are differences, they are displayed.

Now all that is missing is a function to monitor sites periodically and checking for CSS-tricks like “position:absolute; margin-left:-3333px;” or the like. and we can declare V2.0 :)

raimonde

yeah, for sure
disable ftp and…
use ssh – is encrypted

Care to Comment?

Or if you'd prefer to get in touch privately, please send me an email.

Name

Email (optional)

Blog (optional)