Doorways Sneak To Non-Default Ports of Hacked Servers 63
UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable legitimate websites injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence of webmasters of compromised sites makes this scheme viable — doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of using established domain names."
Re:What the fuck is a doorway? (Score:2, Informative)
Maybe it has something to do with the submitter's name being "UnmaskParasites" and the URL of the article being http://blog.unmaskparasites.com/2010/12/03/doorways-on-non-default-ports-new-trend-in-black-hat-seo/.
If the author of the article did indeed just submit it here in some petty attempt to get traffic, he or she probably wouldn't have known what was unclear with the article.
Had some neutral party submitted this, this submitter may have had to also look up these non-standard terms, and may have had the sense to include the definitions in the summary.
Here's an example break-in. (Score:5, Informative)
Here's a typical break-in, at University of Oakland. [oakland.edu]. This has a good search position in Google for "64 bit Windows". This leads to a software-for-sale page with phony seals of approval from Microsoft, Verisign, etc. That's hosted at Starnet, in Moldovia. The payment site for the sales site is "payment8ltd.net", also hosted on Starnet in Moldovia. They're selling pirated copies of brand-name software at roughly half retail price.
That site has a TrustWave seal, which pops up a popup for Paym8, a real payment processor in Zaire. TrustWave's seal server doesn't check the referrer when displaying a seal popup, so it can be spoofed. [trustwave.com] Nor does the TrustWave seal even give the domains to which it applies. Verisign and BBBonline check this, but not TrustWave.
It looks like the actual payment processing occurs at "https://payment8ltd.net/shop/order/process/"; that's where the order goes on "Submit". The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.
Starnet presents itself as an Internet and telecom service provider, offering the usual data, voice, colocation, and hosting. Headquarters of Starnet seems to be at Vlaicu Parcalab, 63, Chisinau, Republic of Moldova. That's a property of Flexi Offices [flexioffices.com], one of those small-office rental places. Interestingly, Microsoft also has an office in that building.
There's actual Whois information for that site:
Registrant Contact: Viktor Menshikov
Viktor Menshikov (loyal@yourisp.ru)
ul.V.Urdasha d.36 kv.1
Rakovo, Respublika Tatarstan, RU 422455
P: +7.8435122221 F: +7.8435122221
That location exists; it's a farm town about 500Km east of Moscow. Probably not a real address.
Searching for "yourisp.ru" brings up a large number of scam reports. The domain itself is registered but not in DNS.
Most of this recent batch of attacks seem to have similar underlying information.
Re:How do I check this on a hosted server? (Score:4, Informative)
FTP down the entire contents of your site, and see if anything seems wrong. Directories you don't remember with frame pages, stuff like that.
If you have a CMS like Joomla or Drupal, download a clean copy of the same version, extract it somewhere, and run something like WinMerge on the entire two directories. See what's different...should only be stuff you've installed, like themes and components, unless you've done some manual hacking.
Likewise, if it's just 'your site', if you're the only editor, and you upload it using FTP...download it to a different directory, and run WinMerge to compare. They obviously should be identical.
Downloading via FTP will also run a virus scan on it if you have real-time scanning, although feel free to also do that manually.
Incidentally, that won't do anything for this problem. If they've hacked your hoster to put extra web sites up on your domain on other ports, it's unlikely you'll be able to notice this, and they certainly won't be in your directories. But doing that requires root access, and this article is idiotic...if attackers have root on your server, the fact they can add extra http servers is the least of your problems.
Checking all the files helps for the more common attack of them putting up a directory on your site, and sticking malicious stuff in there, or including javascript files that pull in malicious stuff from elsewhere.
Also, checking every link won't help.You don't have to have a link to that stuff for it to get into Google.