Being hacked by SEO spammers seems to be a yearly event at Mattheaton.com. Matt's WordPress blog was first hijacked 2 months ago, on 26 November 2007 (according to my records). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked. It's a big embarrassment for BlueHost & HostMonster hosting to have their CEO's blog spam-ridden every year (since 2007). Drilling Matt Heaton with bad ads won't solve the blackhat spam issue; I will leave that particular part to my readers to speculate.
Mattheaton Goro Spam Chronology
| Date | Event |
|---|---|
| Jul 2007 | Google PR 7 |
| Aug 2007 | Stopped being indexed by archive.org |
| Nov 28th 2007 | Wordpress.net.in Goro spam on wp_footer, backlink to howardowens.com |
| Dec 4th 2007 | Unknown Goro spam on wp_head, backlink to tangonoticias.com |
| Dec 11th 2007 | WordPress upgraded to version 2.3.1 |
| Jan 16th, 2008 | Google PR5 |
| Jan 26th, 2008 | Unknown blackhat SEO spam on wp_head, backlink to brainwave-india.com |
| Feb 3rd, 2008 | Unknown blackhat SEO spam on wp_head, backlink to thinkingphp.org |
| Feb 8th, 2008 | Unknown, using CSS cloaking method on wp_head, backlink to zoorender.com |
| Feb 13th, 2008 | Unknown, using CSS cloaking method on wp_head, backlink to blog.jensfranke.com |
| Feb 20th, 2008 | Unknown, using CSS cloaking method on wp_head, backlink to entrepreneur27.org |
| Feb 24th, 2008 | Unknown, using CSS cloaking method on wp_head, backlink to latenightpc.com |
| Feb 26th, 2008 | Unknown, using CSS cloaking method on wp_head, backlink to communitynext.com |

Wordpress.net.in GORO Spam Pattern
- All the infected sites stop being indexed by archive.org a few months before the spam starts.
- From Nov 2007 to Jan 2008 (right after the Google Mass P3 De-rank fever), the blackhat Goro spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 and below) and, in some rare cases (tangonoticias.com), Joomla CMS (1.0.x).
- I categorize this blackhat method as a Sybil attack.
A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.
- Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)
- Goro signatures:
- HTML div with id “goro”
<div id="goro"> <a href="...">...</a> </div>
- JavaScript function named “getme()”
<script type="text/javascript">
function getme(str){
  var idx = str.indexOf('?');
  if (idx == -1) return str;
  var len = str.length;
  var new_str = '';
  var i = 1;
  for (++idx; idx < len; idx += 2,i++){
    var ch = parseInt(str.substr(idx, 2), 16);
    new_str += String.fromCharCode((ch + i) % 256);
  }
  eval(new_str);
}
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');
</script>
- Output spam on WordPress wp_footer & wp_head hooks
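To see what the getme() payload does without running it, the added example below (not code from the original post) re-implements the decoding loop without eval() and scans an HTML string for both Goro signatures. Decoded this way, the string after the "?" in the decoy AdSense URL is a single statement that hides the goro div from human visitors. The names decodeGetme and scanForGoro and the sample markup are assumptions made for illustration.

```javascript
// Added example: static analysis of the Goro injection, no eval().
// decodeGetme() follows the page's getme() loop but returns the text.
function decodeGetme(str) {
  const idx = str.indexOf('?');
  if (idx === -1) return '';                 // nothing after the decoy URL
  const hex = str.slice(idx + 1);
  let out = '';
  for (let p = 0, i = 1; p + 2 <= hex.length; p += 2, i++) {
    const pair = hex.slice(p, p + 2);
    if (!/^[0-9a-f]{2}$/i.test(pair)) break; // stop on non-hex input
    out += String.fromCharCode((parseInt(pair, 16) + i) % 256);
  }
  return out;
}

// Report the two signatures listed above: div#goro and getme('...') calls.
function scanForGoro(html) {
  const findings = [];
  if (/<div\b[^>]*\bid\s*=\s*["']?goro\b/i.test(html)) {
    findings.push({ signature: 'div#goro' });
  }
  const call = /getme\(\s*(['"])(.*?)\1\s*\)/g;
  let m;
  while ((m = call.exec(html)) !== null) {
    findings.push({ signature: 'getme()', decoded: decodeGetme(m[2]) });
  }
  return findings;
}

// Payload string as quoted on this page; the surrounding markup and the
// link target (site.example) are constructed for the example.
const PAYLOAD = 'http://pagead2.googlesyndication.com/pagead/show_ads.js?' +
  '636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E' +
  '5252564840083D414A4641354C0FF83E3E3C32F306';
const SAMPLE =
  '<div id="goro"><a href="http://site.example/?read=1">x</a></div>' +
  "<script>function getme(str){/*...*/}getme('" + PAYLOAD + "');</script>";

console.log(scanForGoro(SAMPLE));
```
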
Blackhat SEO Spamdexing Google Local Search Index
The graph below explains the blackhat SEO spamdexing methods for manipulating Google Local SERPs.
View Spamdexing Google Local Search Image
Note: A blackhat at hoqwarts ;)
ScreenGrab
- mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
- brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
- Google Local Search Jan 28 2008 Spamdexing Results
- stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
- stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)
Recent Update
- Feb 1, 2008 - We sent a letter to matt@bluehost.com regarding this issue. Still waiting for his reply.
- Feb 3, 2008 - The blackhat Goro spammer changed their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.
<div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div>
<script type="text/javascript">
function getme(str){
  var idx = str.indexOf('?');
  if (idx == -1) return str;
  var len = str.length;
  var new_str = '';
  var i = 1;
  for (++idx; idx < len; idx += 2,i++){
    var ch = parseInt(str.substr(idx, 2), 16);
    new_str += String.fromCharCode((ch + i) % 256);
  }
  eval(new_str);
}
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');
</script>
The thinkingphp.org blog is running on WordPress 2.3.2. We sent him an email regarding the Goro spam hijack.
- Feb 8th 2008: There is no longer any signature of Goro spam (tag with id goro) on Matt’s blog. The blackhat is now using inline CSS position overflow to hide the spam links ↓ redirect to zoorender.com (PR6).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
- Feb 13th 2008: Same method as above (inline CSS cloaking).
- HTML Code shown to a Regular Browser → 32,246 characters
- HTML Code shown to Google Bot → 34,646 characters
redirect to blog.jensfranke.com (PR7).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
- Feb 20th 2008: CSS cloaking redirect to http://www.entrepreneur27.org/ (PR6).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a> <a href="http://www.entrepreneur27.org/?more=1592"> ... </div>
- Feb 24th 2008: CSS cloaking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
- Feb 26th 2008: CSS cloaking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt
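The February entries describe two things a site owner can check for: a crawler-facing copy of the page that is larger than the copy a browser receives, and links parked in an absolutely positioned block far off-screen. The added example below (not part of the original post) takes the two HTML copies as strings, lists links present only in the crawler copy, and flags off-screen blocks. Fetching the two copies with different User-Agent headers is left outside the block, and the function names, the 1000px threshold and the sample hosts are assumptions.

```javascript
// Added example: compare the browser and crawler copies of a page and
// flag inline-styled elements pushed far off-screen.
function extractLinks(html) {
  const links = new Set();
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.add(m[1]);
  return links;
}

// Links served to the crawler that a regular browser never receives.
function cloakedLinks(browserHtml, botHtml) {
  const seen = extractLinks(browserHtml);
  return [...extractLinks(botHtml)].filter((u) => !seen.has(u));
}

// Elements with position:absolute and a left/top offset of at least
// `threshold` pixels in the negative direction (threshold is an assumption).
// Only double-quoted style attributes are inspected.
function offscreenBlocks(html, threshold = 1000) {
  const hits = [];
  const re = /<(\w+)\b[^>]*\bstyle\s*=\s*"([^"]*)"[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const style = m[2].toLowerCase();
    if (!/position\s*:\s*absolute/.test(style)) continue;
    const far = [...style.matchAll(/\b(left|top)\s*:\s*(-\d+)px/g)]
      .filter((p) => Math.abs(Number(p[2])) >= threshold);
    if (far.length > 0) hits.push({ tag: m[1], style: m[2] });
  }
  return hits;
}

// Constructed sample input: the inline style is the one quoted on this
// page, the hosts are placeholders.
const BROWSER_HTML =
  '<div id="content"><a href="http://blog.example/about">About</a></div>';
const BOT_HTML = BROWSER_HTML +
  '<div style="left: -2227px; position: absolute; top: -3337px">' +
  '<a href="http://spam.example/?discount=1">x</a></div>';

console.log(cloakedLinks(BROWSER_HTML, BOT_HTML), offscreenBlocks(BOT_HTML));
```
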
Related Posts
- How to Removed wordpress.net.in Spam Injection
- Matt Heaton BlueHost HostMonster CEO Official Blog Hacked
- January 31, 2008 at 5:07 pm
- March 4, 2008 at 5:42 pm
One Response to “Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II”
[...] on that is the blog of Matt Heaton, the Bluehost and Hostmonster CEO. The Kakkoi website provides a good account of what has been happening there. At the time of writing this post, the blog is still hacked although you would not know by looking [...]