Hidden spam links injected into web pages

Discussion in 'Computer Security' started by Terry_P, Dec 1, 2006.

  1. Terry_P

    Terry_P Guest

    I have become aware that a hidden list of spam links were inserted at
    the end of several of my web pages a few days ago. My web host claims that
    my FTP password must have been cracked but I am sceptical of this
    explanation. The links pointed to what has now been confirmed as a
    compromised computer at uchicago.edu and were then redirected to nudai.com
    which has further links to peakpc.com . The links related to phentermine
    and other drugs.

    A Google search for "how long does phentermine stay in the body" reveals
    that a large number of blog sites have phentermine comment spam. However
    what I am reporting is HTML pages altered presumably by a script to include
    spam links. Is this a new as yet unreported strategy by spammers?

    Please check your web pages for spam link injection. The links are hidden
    so you must check the source for alterations.
    Terry_P, Dec 1, 2006
    #1
    1. Advertising

  2. Terry_P

    Todd H. Guest

    Terry_P <> writes:

    > I have become aware that a hidden list of spam links were inserted at
    > the end of several of my web pages a few days ago. My web host claims that
    > my FTP password must have been cracked but I am sceptical of this
    > explanation. The links pointed to what has now been confirmed as a
    > compromised computer at uchicago.edu and were then redirected to nudai.com
    > which has further links to peakpc.com . The links related to phentermine
    > and other drugs.
    >
    > A Google search for "how long does phentermine stay in the body" reveals
    > that a large number of blog sites have phentermine comment spam. However
    > what I am reporting is HTML pages altered presumably by a script to include
    > spam links. Is this a new as yet unreported strategy by spammers?
    >
    > Please check your web pages for spam link injection. The links are hidden
    > so you must check the source for alterations.


    Web page defacements aren't all that new, but perhaps this is a novel
    use for them.

    What active scripting are you using on your site (e.g. php?, what
    scripts?) ? That's a more likely injection vector than a cracked ftp
    password?

    --
    Todd H.
    http://www.toddh.net/
    Todd H., Dec 1, 2006
    #2
    1. Advertising

  3. Terry_P

    Terry_P Guest

    On Fri, 1 Dec 2006 12:10:05 +0000, Terry_P wrote:


    > The links pointed to what has now been confirmed as a
    > compromised computer at uchicago.edu and were then redirected to nudai.com
    > which has further links to peakpc.com . The links related to phentermine
    > and other drugs.


    Sorry, there was a typo. The spamming sites are nudai.com and peakc.com
    (*not* peakpc.com).
    Terry_P, Dec 1, 2006
    #3
  4. Terry_P

    MC Guest

    Todd H. wrote:
    >
    > Web page defacements aren't all that new, but perhaps this is a novel
    > use for them.
    >
    > What active scripting are you using on your site (e.g. php?, what
    > scripts?) ? That's a more likely injection vector than a cracked ftp
    > password?
    >


    Actually, since regular FTP passwords are all sent in cleartext, it
    doesn't have to be cracked, it can be sniffed out. FTP is quite a likely
    injjection vector because of that.
    A decent webhosting company keeps logs of FTP connections though, so
    they should be able to track at the very least connections made to the
    web space from IPs different than normal, and that way track the
    defacers/crackers and report them to the authorities (it's a crime in
    many countries punishable by law). If they don't log, demand they start
    logging, or find another hosting company :p

    Something you could do instead would be to ask for SFTP access instead
    of FTP to update your pages. This way neither the login nor the data
    uploaded can be sniffed out.

    HTH

    MC
    MC, Dec 3, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Angela
    Replies:
    3
    Views:
    5,725
    SteveG
    May 13, 2005
  2. fruitbat

    unable to get into any security web pages

    fruitbat, Jan 4, 2005, in forum: Computer Information
    Replies:
    7
    Views:
    445
    mcp6453
    Jan 7, 2005
  3. geothermal

    Spam Decreasing Web Pages ?

    geothermal, Jul 7, 2006, in forum: Computer Support
    Replies:
    5
    Views:
    342
    Evan Platt
    Jul 7, 2006
  4. =?Utf-8?B?QmV0dGVqYW5l?=

    FrontPage 2003 password for hidden pages for users

    =?Utf-8?B?QmV0dGVqYW5l?=, Mar 10, 2007, in forum: Microsoft Certification
    Replies:
    0
    Views:
    397
    =?Utf-8?B?QmV0dGVqYW5l?=
    Mar 10, 2007
  5. Boppy
    Replies:
    10
    Views:
    1,107
    Sweetpea
    Jan 23, 2010
Loading...

Share This Page