Sucuri Blog

Website Security News

It is not over – SEO Spam on sites infected

May 13, 2010 · David Dede

Did your site get hacked in the last 3 or 4 weeks? If it did, you may still have some things to clean up.

We recently started noticing a “.files” directory full of spam links on many of the sites we have been fixing. We initially thought it was an isolated incident, but it kept showing up more often, so we decided to put our scanner to work to see how many we could find.

So far, we have a list of more than a thousand sites with it (to be exact, 1,125 sites so far). These are just the sites we have scanned in the last few hours, so the real number is probably much bigger. Our list also includes sites from all major hosting companies and all web applications, so this is not specific to one company or tool.

How to find out if you are still infected? Via FTP, just list the .files directory on your web root:

.files$ ls
1 in 5 divorces refers to facebook.html
2000 year old man.html
2009 kennedy center honorees.html
2009 pro bowl.html
..
2009 pro bowl roster.html
2009 pro bowl selections.html
2010 nfl pro bowl selections.html

You will see hundreds of files in there. Via a browser, just visit http://yoursite.com/.files/

If you see a directory listing full of links you don’t know about, it means that you are still infected.

Our scanner has been alerting on this for a little while, so if you use it, you were (or soon will be) notified.

Now, you may ask: why were these files added there? They are used as an SEO spam tactic to increase the page rank of the attackers' sites.

They are used in conjunction with this code (MW:SPAM:S2), which reads the content of the file only if the request comes from a search engine:

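function get_page($key){
    // Spam page for this key, stored under .files/
    $f_n=".files/".$key.".html";
    if (@file_exists($f_n)) return @file_get_contents($f_n);
    // (excerpt: the rest of the function is not shown)
}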

Code to check if it comes from a search engine:

$ip=sprintf("%u",ip2long($_SERVER["REMOTE_ADDR"]));
if (($ip>=3639549952)&&($ip<=3639558143))$searchengine=1; //GOOGLE (216.239.32.0-216.239.63.255)
if (($ip>=1123631104)&&($ip<=1123639295))$searchengine=1; //GOOGLE (66.249.64.0-66.249.95.255)
if (($ip>=1089052672)&&($ip<=1089060863))$searchengine=1; //GOOGLE (64.233.160.0-64.233.191.255)
if (($ip>=1078218752)&&($ip<=1078220799))$searchengine=1; //GOOGLE (64.68.80.0-64.68.87.255)
if (($ip>=1078220802)&&($ip<=1078222031))$searchengine=1; //GOOGLE (64.68.88.2-64.68.92.207)
if (($ip>=1087381508)&&($ip<=1087382952))$searchengine=1; //GOOGLE (64.208.32.4-64.208.37.168)
if (($ip>=3512041472)&&($ip<=3512045567))$searchengine=1; //GOOGLE (209.85.128.0-209.85.143.255)
if (($ip>=1113980928)&&($ip<=1113985023))$searchengine=1; //GOOGLE (66.102.0.0-66.102.15.255)
if (($ip>=1208926208)&&($ip<=1208942591))$searchengine=1; //GOOGLE (72.14.192.0-72.14.255.255)
if (($ip>=1249705984)&&($ip<=1249771519))$searchengine=1; //GOOGLE (74.125.0.0-74.125.255.255)
if (stristr($_SERVER["HTTP_USER_AGENT"],"msnbot")||stristr($_SERVER["HTTP_USER_AGENT"],"Yahoo"))$searchengine=1;
if (stristr($_SERVER["HTTP_USER_AGENT"],"via translate.google.com"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google WAP Proxy"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google CHTML Proxy"))$searchengine=0;

If a normal user visits, they are just redirected to cnn.com and won’t notice anything wrong.

Clean up:

If you have this .files directory, go ahead and remove it. Also, search your main directory for a PHP file (random name) with a big base64 string. Go ahead and remove it as well.
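
The two clean-up checks above, written as a script. This is an added example, not Sucuri's scanner or code from the original post: it walks the whole tree rather than only the main directory, and the 500-character threshold, the function names and the sample files are assumptions.

```python
import os
import re
import tempfile

# Assumption: "big base64 string" is taken to mean an unbroken run of at least
# this many base64 characters; the post gives no exact size.
MIN_B64_RUN = 500
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)

def scan_webroot(webroot):
    """Return ({'.files' dir: count of .html files}, [php files with a long base64 run])."""
    spam_dirs, suspect_php = {}, []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if os.path.basename(dirpath) == ".files":
            spam_dirs[dirpath] = sum(f.lower().endswith(".html") for f in filenames)
            dirnames[:] = []  # nothing else to learn below the spam directory
            continue
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if B64_RUN.search(data):
                suspect_php.append(path)
    return spam_dirs, sorted(suspect_php)

def build_sample_site(root):
    """Constructed sample tree for the demo; not data from the post."""
    os.makedirs(os.path.join(root, ".files"))
    for title in ("2009 pro bowl", "2000 year old man"):
        open(os.path.join(root, ".files", title + ".html"), "w").close()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(os.path.join(root, "xkqz.php"), "w") as fh:  # random-looking name
        fh.write("<?php $p = '" + "QUJD" * 300 + "'; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        dirs, php = scan_webroot(site)
        for d, n in dirs.items():
            print("spam directory:", d, "(%d .html files)" % n)
        for p in php:
            print("review before removing:", p)
```

A long base64 run also appears in legitimate files (embedded images, licence blobs), so treat the PHP hits as candidates to review, not as a delete list.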

*If anyone wants the lists of sites (for research purposes only), let me know.

**btw, that has nothing to do with GoDaddy. On my list we have sites from all major hosting companies.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

Categories: Website Malware Infections
Tags: Hacked Websites, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Bourgy

    May 13, 2010

    When I try that link it redirects to my 404 page.
    Any other way I can get the listing?

  2. Anonymous

    May 14, 2010

    If you get a 404, it could mean you don't have it. I checked on my site and also got a 404, then I double-checked with FileZilla and putty and there was no directory by that name (nor any other hidden directory) in my case on my site. Whew.

  3. Bourgy

    May 14, 2010

    Oh well that's good news; sorta.

  4. UIU THEATRE

    May 22, 2010

    Truth. Even though many times I am trying to get visibility I always take time to read the post and make an intelligent comment…or else I don’t post.

  5. Webdesign oslo

    November 15, 2011

    I had the same problem as described. I had to reinstall the whole server because I didn’t know how to fix it. I wish I had seen this article before.
