Hacked WordPress Blogs Poison Google Images
After a series of posts about Google Image poisoning attacks that used hot-linked images as a main trick to get top positions in search results, I'd like to describe a different Google Image poisoning attack that affects WordPress blogs and uses self-hosted images.
I found 4,358 self-hosted WordPress blogs that contained many (usually more than 100) doorway pages that redirected visitors coming from Google Image search to fake AV sites.
Those doorway pages can be easily identified:
They have the following URL pattern, where [a-f]{3} is a combination of three letters a through f and keywords is a hyphen-separated combination of keywords that contains either the word picture or pictures. Here are some examples:
Doorway pages use the normal template of the hacked WordPress blog, but its original content is replaced with twenty-something thumbnails and short text snippets relevant to the keywords searches.
The images are not hot-linked. Both thumbnails and links to full-sized images have URLs that look like this:
At the top of the images you can see an inscription: the domain name of the hacked site. This way criminals set their seal on the images to make them look like original content of that site, not stolen images. At the same time, this artifact can help identify poisoned image search results and avoid clicking on them.
The image files contain the following string inside: CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100. This means that they were created using the GD Graphics library.
In my understanding, hackers use a PHP script to fetch top-rated images (returned by Google Images search), resize them to thumbnail size (width: 200-300 pixels) and to full size (some random size that may even be larger than the original image) and finally add the domain name stamp.
At the very bottom of the HTML code of the doorway pages you can see comments like this:
<!-- 7/24/2011 4:30:03 PM --><!-- new england railroad pictures -->
The first comment is the timestamp and the second holds the targeted keywords (they match the keywords part of the URL). This way you can easily see when the doorway was generated.
The doorway pages rank quite well for some keywords both in Google Web search and Google Images search (especially when you are searching for exact phrases). However the malicious redirects occur only when you click on Google Images search results, which proves that Google Images poisoning is the main goal of this black-hat SEO campaign.
The redirects have two stages. The first redirect goes to an intermediary server (TDS) that, in turn, redirects to a landing page that pushes a fake anti-virus tool (I've seen two different variations of the fake AV pages).
As you can see, the TDS server receives information about the keywords, source, and the actual referring URL.
The intermediary domains change every day. They actually belong to other hacked sites (mostly WordPress blogs).
Here are just a few domain names of the intermediary TDS sites used in this attack:
The domain name of a landing page consists of a .in domain that changes every day and some random updateNN or scanNN subdomain, e.g. update82.yourscan .in or scan73.moomles .in
Here are a few .in domains of the fake AV sites used in this attack:
Most of the .in sites point to the 193 .105 .154 .31 IP address (United Kingdom, Ars Tolerantia, with Latvian contact information).
The fake AV sites push scareware .exe files with names like InstallSecurityScanner_NNN.exe, e.g. InstallSecurityScanner_225.exe. These files are repackaged every day and their detection rate (according to VirusTotal) is quite low. The typical detection rate for currently served files is 8/43 (18.6%). It usually improves to 35%-50% by the time the malicious file is no longer in use and a new file with a low detection rate is being served by the fake AV server.
Out of 4,358 checked compromised sites, Google currently flags (or recently flagged) less than 5% of them. A typical Safe Browsing diagnostic page says something like this:
Malicious software is hosted on 2 domain(s), including bastandro .in/, senerino .in/.
3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including hireindians .net/, awalstudios .com/, bywhy .com/.
After I sent them my lists and additional information, Google removed those doorway pages on hacked sites from its index (both web search and image search).
Hackers have injected hidden links that point to the doorway pages on the same sites into legitimate web pages of the hacked WP blogs. The links are cloaked (visible to search engine crawlers only). I believe they are injected into WordPress theme files (most likely
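One way a site owner can look for such cloaked links, as an added example that is not part of the original post: fetch the same page with a browser-like and a Googlebot-like User-Agent, diff the links, and flag same-site links whose last path segment is hyphenated keywords containing "picture". It assumes the cloak keys on the User-Agent (the post does not say how the cloaking is done); the sample pages, the hostname and the doorway path are constructed.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect <a href> targets, resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.links = page_url, set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(self.page_url, value))

def links_in(html, page_url):
    parser = LinkCollector(page_url)
    parser.feed(html)
    return parser.links

def looks_like_picture_doorway(url, page_url):
    """Same-site link whose last path segment is hyphenated keywords containing 'picture'."""
    site = "{0.scheme}://{0.netloc}/".format(urlparse(page_url))
    last = url.split("?")[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return url.startswith(site) and "picture" in last and "-" in last

def cloaked_links(browser_html, crawler_html, page_url):
    """Links present only in the copy served to the crawler, flagged True when doorway-like."""
    extra = links_in(crawler_html, page_url) - links_in(browser_html, page_url)
    return {u: looks_like_picture_doorway(u, page_url) for u in sorted(extra)}

def fetch_as(url, user_agent):
    """Fetch a page with a given User-Agent (the cloak is assumed to key on it)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")

def check_page(page_url):
    """Live check: compare a browser-like fetch with a Googlebot-like fetch of the same page."""
    browser = fetch_as(page_url, "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0")
    crawler = fetch_as(page_url, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
    return cloaked_links(browser, crawler, page_url)

# Constructed sample pages (hypothetical site and doorway path, not taken from any real blog).
BROWSER_HTML = '<html><body><a href="/2011/07/hello-world/">Hello world</a></body></html>'
CRAWLER_HTML = BROWSER_HTML.replace(
    "</body>", '<div style="display:none"><a href="/abc/new-england-railroad-pictures.html">x</a></div></body>')
```

A cloak keyed on crawler IP ranges rather than the User-Agent will not show up in this diff; in that case compare a fresh copy of the theme files against the ones on the server instead.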
I still haven't received a single response, either from webmasters of the hacked sites or from their hosting providers. Hey, your information can help thousands of WordPress bloggers!
I found some additional information about this attack. More about it later. Stay tuned! (Published)
Starting this week, I noticed multiple hiccups in this attack.
On Tuesday, the TDS generated redirects that were missing the domain name part in the URLs of the fake AV sites. E.g.
As you can see, everything else is in place, except for the domain name. It looked as if the criminals ran out of domain names (most of them were registered on July 20th) or forgot to specify a new domain for a new day.
Nonetheless, on Wednesday, the URL generation process was restored. However, the landing pages wouldn't open (at least for me). At the same time, when I opened the root page of the fake AV site (e.g. hxxp://scan36.bastandro .in, hxxp://bastandro .in or even simply hxxp://193 .105 .154 .31) the malicious download would start automatically.
On Friday, I see a different hiccup. The TDS redirects to a newly registered domain (August 4th) that points to a different IP address (46 .4 .161 .228) and that server seems to be down. At the same time, the 193 .105 .154 .31 server still automatically starts malicious downloads if you visit it, but the download size is 0 bytes.
I wonder if all these hiccups have to do with the crisis of the fake AV industry that Brian Krebs describes in his recent post.
During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims
If this is true, we should expect that the hacked sites will eventually try to monetize search traffic some different way.
Update (Aug 8, 2011): A new hiccup today. The landing page is on an updateNN.x-scan .in site. While x-scan .in (193 .105 .154 .31) is up and serves an updated .exe file, its subdomains won't resolve. What's going on?
At this point I couldn't find cooperative webmasters of the hacked WordPress blogs who would share internal details of the hack. Nonetheless, my black-box testing approach allows me to draw some conclusions.
The hacked sites belong to different people and are hosted by different hosting providers, but they are all WordPress blogs; other sites (both WP and non-WP) on the same servers are not affected. Many of them are up-to-date (run the latest version of WordPress). So it's neither a server-wide hack, nor an intrusion via stolen site credentials (otherwise we'd see many non-WP sites). At the same time, it is not a core WP hack. In my experience, this usually means that hackers used some backdoor script.
The backdoor script might have been uploaded using vulnerabilities in WordPress themes or plugins. For example, many of the hacked sites (not all though) use themes that include a timthumb.php file that is to a server.
Actually, this is where webmasters of compromised sites can help me. Usually a log analysis plus a server scan can provide very reliable information about the attack vector: vulnerable files and backdoor scripts. Please contact me if you have raw access logs for July.
Sometimes, I saw two different blogs on the same server (and most likely under the same user account) with the same doorway pages. Moreover, while blogs themselves looked different, the doorway pages used a template of only one of those sites and had links to that site only.
I think this happens because hackers created .htaccess files with rewrite rules above the site root (quite a prevalent trick in .htaccess hacks). The rewrite rules map the doorway URLs to some .php script.
All doorway pages and images are cached somewhere on the server. Unlike other SEO poisoning attacks that I wrote about, they are not generated on the fly. If you specify some different keywords in the URL, you will get a 404 error. Moreover, this 404 error page is different from the normal 404 error pages of the hacked sites.
Another proof that the spammy content is cached and not injected at run-time into live WordPress pages is the timestamps at the bottom of the HTML code and the old articles in the Recent Posts section. On some sites, instead of the real site template, they use a pre-built empty Kubrick template with a fingerprint that doesn't change from site to site (WordPress 2.3.1, 22 queries, 0.912 seconds).
Rounding up: If I were a webmaster of one of those hacked sites, I would start looking for rogue rules in .htaccess files in the site root and above the site root directory. The rewrite rules should point to a doorway script. Then the script should point to a cache directory with all the html and jpg files. Then I would try to analyze access logs and scan files on the server to find backdoor scripts and security holes.
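The check described in the rounding-up above, as an added example (not the post's or Unmask Parasites' code): it looks for rewrite rules that route picture-keyword URLs to a PHP script in .htaccess files in the site root and one level above, for cached HTML ending in the timestamp and keywords comments, and for JPEGs carrying the GD creator string. The sample .htaccess rule, its doorway regex, the cache.php name and the sample files are constructed for the example.

```python
import os
import re
# Indicators from the post: rewrite rules mapping "picture(s)" keyword URLs to a PHP
# script, cached doorway HTML ending in timestamp + keywords comments, GD-made JPEGs.
GD_MARK = b"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100"
COMMENT_RE = re.compile(r"<!--\s*(\d{1,2}/\d{1,2}/\d{4} [\d:]+ [AP]M)\s*-->\s*<!--\s*([^>]*?)\s*-->\s*$")
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I | re.M)

def rogue_rewrite_rules(htaccess_text):
    """(pattern, target) pairs mentioning picture keywords or rewriting to a PHP script other than index.php."""
    hits = []
    for pattern, target in REWRITE_RE.findall(htaccess_text):
        script = target.split("?")[0].lower().lstrip("/")
        if "picture" in pattern.lower() or (script.endswith(".php") and script != "index.php"):
            hits.append((pattern, target))
    return hits

def doorway_comment(html):
    """(timestamp, keywords) if the page ends with the two doorway comments, else None."""
    m = COMMENT_RE.search(html)
    return (m.group(1), m.group(2)) if m else None

def is_gd_generated(jpeg_bytes):
    """Weak indicator on its own (WordPress resizes uploads with GD too); weigh it with the file's location."""
    return jpeg_bytes.startswith(b"\xff\xd8") and GD_MARK in jpeg_bytes

def scan_site(site_root):
    """Check .htaccess in the site root and one level above it, then walk the tree for cached doorway files."""
    root, findings = os.path.abspath(site_root), []
    for ht in (os.path.join(os.path.dirname(root), ".htaccess"), os.path.join(root, ".htaccess")):
        if os.path.isfile(ht):
            with open(ht, errors="replace") as f:
                findings += [("htaccess", ht, r) for r in rogue_rewrite_rules(f.read())]
    for d, _, files in os.walk(root):
        for name in files:
            path, low = os.path.join(d, name), name.lower()
            if low.endswith((".html", ".htm")):
                with open(path, errors="replace") as f:
                    c = doorway_comment(f.read())
                findings += [("doorway", path, c)] if c else []
            elif low.endswith((".jpg", ".jpeg")):
                with open(path, "rb") as f:
                    findings += [("gd-image", path, None)] if is_gd_generated(f.read()) else []
    return findings

# Constructed samples (hypothetical doorway regex and cache-script name, not data from any real site).
SAMPLE_HTACCESS = ("RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule ^([a-f]{3})/"
                   "([a-z0-9-]*pictures?[a-z0-9-]*)\\.html$ /wp-content/uploads/cache.php?k=$2 [L]\nRewriteRule . /index.php [L]\n")
SAMPLE_HTML = "<html><body>stub</body></html>\n<!-- 7/24/2011 4:30:03 PM --><!-- new england railroad pictures -->\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xfe" + GD_MARK + b"\xff\xd9"
```

Run scan_site('/path/to/wordpress') on a copy of the site and review the findings by hand; a GD-generated JPEG is only suspicious when it sits in a directory that should not contain generated images.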
Creating doorway pages on legitimate websites is quite a prevalent reason behind website hacks. Make sure your site doesn't contain rogue web pages.
You should also check Google Webmaster Tools for suspicious search queries and indexed pages.
Make sure your WordPress is up-to-date and that all themes and plugins come from trusted sources and don't contain known security holes (check their websites, google them). If your themes and/or plugins use the timthumb.php file, consider updating this file (its developers are currently actively improving its security).
If you have any details about the internals of this attack and especially the security hole, please leave your comment below or contact me directly. It would also be interesting to hear your thoughts about the hiccups of this attack (and whether they are really hiccups).
FWIW the 193 IP address is known to be bad; it's been part of the Russian Business Network since April this year (
The 46 address never seems to have resolved to anything except
(prozones.in was registered on 18 July 2011 according to whois. I wonder if they ran out of time/money and couldn't set that domain up
That 46 address seems to be temporary. yourscan now points to the 193 address again. So does the x-scan .in (both registered on Aug 4th).
By the way, today they didn't change the domains. Instead, the landing page address no longer has a subdomain (which didn't resolve yesterday).
This means that they also changed the TDS code (it would always add random subdomains).
security researcher Denis Sinegubko has posted details of 4,358 WordPress blogs that are poisoning Google Images to insert doorway pages that
have apparently manipulated thousands of WordPress blogs so that their images, when they are displayed on Google, links to fraudulent sites
There was a recent vulnerability in TimThumb's image resizing where it was not checking MIME. Could this be the result of exploiting TimThumb, which is used as a standalone plugin and also in many themes?
How can I tell if your website has been compromised? Could you publish that list of 4300 websites so I could check?
I don't want to publish the list as it may affect the reputation of the websites.
However it won't work now that Google has removed those doorway pages from its index.
Just read the to webmasters section, and the rounding up slightly above. If you do that, you'll be able to detect other hacks too.
P.S. The site in your signature is not in my list.
as secure a platform as I have ever seen, however, its main weaknesses lie in plugins. Unmask Parasites briefly touches on how up-to-date WordPress blogs can be compromised: the TimThumb vulnerability,
I believe I was a victim of what you are discussing. In fact, I recently received a letter saying we are in copyright infringement for using photos. This is how I found out about the URL on my site that I didn't create.
Is there a way to track who hacked my site and determine when it was done?
I cannot find the source of this page to even delete it off of my FTP or wordpress blog.
Any help would be greatly appreciated.
Once a site is infected, it's not always easy to remove all the malicious code. Denis Sinegubko, the Russian researcher who discovered the WordPress attack used to poison Google Image results, has advised webmasters of compromised sites to look for rogue rules in the .htaccess files in the site root and above the site root directory. He has more here.
I was victim of what you are discussing
I just got a spam email sent to me that had no subject and the link was ***.ru/wp-content/themes/minico/work.php?public53.gif
Is that considered the same thing as what you are talking about here? First time I had seen a link like that.