Infected websites are hard to detect, only show up for users coming off search engines and for search bots. A new black hat SEO campaign is leveraging a combination of hacked websites, backdoors, doorway scripts, and SEO poisoning to redirect a website’s users to pornographic websites. This whole scenario relies on an attacker’s ability to hack into websites around the Web. Sucuri researchers have spotted this particular campaign triggered from sites using custom CMSs, WordPress, forum packages, and static HTML site, so the hackers are clearly using a broad arsenal of tools to hack into various websites.
Hacker use backdoors and doorway scriptsOnce onto one of these sites, the hackers install two types of PHP-based backdoor scripts that have the ability to execute PHP code on the underlying server, transmitted via custom HTTP headers.
After the backdoor is in place, the attackers would then alter the sites’ .htaccess files in order to redirect traffic coming from search engine bots and search engine referrals through a doorway script.
The attackers then place the doorway script on the server. Once this is accomplished, all traffic coming from search engine crawlers will be redirected through this script, which will poison the normal page’s content with adult keywords and spammy links aimed at boosting the SEO reputation of other websites.
Infected websites are hard to spot
For normal users coming to the site via search engines, the doorway script calls on a special function which redirects him to pornography websites. This redirection is retrieved in real time from a list managed on the attacker’s C&C server so the hacker can track how many victims he has made so that it can charge his clients.
Since the doorway script is executed only under certain conditions, it is hard for webmasters to spot the infection if accessing their websites normally. Additionally, accessing the doorway script directly shows a 404 error.
These doorway scripts use page poisoning templates stored in the server’s temp folder, which the script is configured to automatically update at regular intervals.
All these doorway scripts, templates, and backdoors have random names, making them hard to spot among different websites. Webmasters can detect if their website has been infected by using tools such as Fetch as Google or Unmask Parasites, that shows how a search engine bot sees the page. If you have an infected website, Sucuri provides cleanup instructions.