UCalgary web sites compromised with spam

We were cleaning up a compromised site today (hit by the infamous pharma hack) when we saw multiple spam links in the hacked site pointing to ucalgary.ca (a big Canadian university). What was interesting is that they were not pointing to a small department sub-domain, but to the university's main site.

This means attackers were using domains at the University of Calgary to help increase their PR (PageRank) and to sell pharmacy-related products online.

These were some of the links in their main site that were being used (still live):

http://www.ucalgary.ca/uci/node/19228

http://www.ucalgary.ca/uci/node/491

http://www.ucalgary.ca/uci/node/426

... hundreds more ...

As we dug deeper, we saw more and more links with spam in their main site and on sub-domains:

http://ess.ucalgary.ca (engineering society)

http://www.arctic.ucalgary.ca/

http://fp.ucalgary.ca/

http://webapps2.ucalgary.ca

So what is going on? It seems that those sub-domains are in fact hacked and being used to distribute spam. Their main site, however, looks OK, but it has an open (unmoderated) wiki that allows anyone to post any content, spam included. So guess who is using that to their advantage? Exactly :)

If you do a quick search on Google for ‘viagra site:ucalgary.ca’, you will find more than 2 thousand infected pages.

Scanning those sites with our malware + spam monitor, we were able to identify more and more pages with spam. If you know anyone in the UC IT department, let them know about it so they can fix it.


About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.