Hidden spam links injected into web pages

I have become aware that a hidden list of spam links was inserted at
the end of several of my web pages a few days ago. My web host claims that
my FTP password must have been cracked but I am sceptical of this
explanation. The links pointed to what has now been confirmed as a
compromised computer at uchicago.edu and were then redirected to nudai.com
which has further links to peakpc.com. The links related to phentermine
and other drugs.

A Google search for "how long does phentermine stay in the body" reveals
that a large number of blog sites have phentermine comment spam. However,
what I am reporting is HTML pages altered, presumably by a script, to include
spam links. Is this a new, as yet unreported strategy by spammers?

Please check your web pages for spam link injection. The links are hidden
so you must check the source for alterations.
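
One way to run the source check asked for above, as an added example that is not part of the original post. It assumes the links are hidden with inline CSS or appended after the closing `</html>` tag (the thread does not say which technique was used); `scan`, `HiddenLinkFinder`, and the example.org / spam.example hosts are hypothetical names for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hiding tricks; the thread does not say how the links were hidden.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = set("area base br col embed hr img input link meta source track wbr".split())

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []          # (tag, hides_content) for each open element
        self.after_html = False  # True once </html> has been seen
        self.findings = []       # (line, reason, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING.search(attrs.get("style") or ""))
        href = attrs.get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        external = bool(host) and not ("." + host).endswith("." + self.own_host)
        concealed = hidden or any(h for _, h in self.stack)
        if tag == "a" and external and (concealed or self.after_html):
            reason = "hidden" if concealed else "after </html>"
            self.findings.append((self.getpos()[0], reason, href))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        self.after_html |= tag == "html"
        if any(t == tag for t, _ in self.stack):  # ignore stray end tags
            while self.stack.pop()[0] != tag:     # also drops unclosed children
                pass

def scan(html, own_host):
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.org stands in for the site's own host.
SAMPLE = """<html><body>
<p><a href="/a.html">own</a> <a href="http://partner.example/">visible</a></p>
<div style="position:absolute; left:-9999px">
<a href="http://spam.example/pills">pills</a></div>
</body></html>
<a href="http://spam.example/more">more</a>
"""
```

Run `scan()` over each page's source as served; links hidden through an external stylesheet or script are not caught by this inline-style check, so comparing files against a known-good copy remains the stronger test.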

Re: Hidden spam links injected into web pages

Web page defacements aren't all that new, but perhaps this is a novel
use for them.

What active scripting are you using on your site (e.g. php? what
scripts?)?  That's a more likely injection vector than a cracked ftp

Todd H.
http://www.toddh.net/

Re: Hidden spam links injected into web pages

Todd H. wrote:
Actually, since regular FTP passwords are all sent in cleartext, it
doesn't have to be cracked, it can be sniffed out. FTP is quite a likely
injection vector because of that.
A decent webhosting company keeps logs of FTP connections though, so
they should be able to track at the very least connections made to the
web space from IPs different than normal, and that way track the
defacers/crackers and report them to the authorities (it's a crime in
many countries punishable by law). If they don't log, demand they start
logging, or find another hosting company :P

Something you could do instead would be to ask for SFTP access instead
of FTP to update your pages. This way neither the login nor the data
uploaded can be sniffed out.



Re: Hidden spam links injected into web pages

On Fri, 1 Dec 2006 12:10:05 +0000, Terry_P wrote:

Sorry, there was a typo. The spamming sites are nudai.com and peakc.com
(*not* peakpc.com).
