It is not over – SEO Spam on sites infected

Did your site got hacked on the last 3 or 4 weeks? If it did, you may still have some things to clean up.

We lately started to notice in a lot of sites that we have been fixing a “.files” directory full of spam links on them. We initially thought it was some isolated incident, but then it became more often and we decided to put our scanner to work to see how many we could find.

So far, we got a list with more than a thousand sites with that (to be exact, 1,125 sites so far). These are just sites we have scanned on the last few hours, so the number is probably way bigger. Also, in our list we have sites from all major hosting companies and all web applications. So nothing specific to one company/tool.

How to find out if you are still infected? Via FTP, just list the .files directory on your web root:

.files$ ls
1 in 5 divorces refers to facebook.html
2000 year old man.html
2009 kennedy center honorees.html
2009 pro bowl.html
..
2009 pro bowl roster.html
2009 pro bowl selections.html
2010 nfl pro bowl selections.html

You will see hundreds of files in there. Via a browser, just visit http://yoursite.com/.files/

If you see a directory listing full of links you don’t know about, it means that you are still infected.

For people using our scanner, it has been alerting about that since a little while, so you were (or will be notified) soon.

Now, you ask me. Why were these files added in there? They are being used as a SEO Spam tactic to increase the page rank of the attackers sites.

They are used in conjunction with this code: MW:SPAM:S2 where it reads the content of the file only if it is being requested by a search engine:

function get_page($key){
 $f_n=".files/".$key.".html";
 if (@file_exists($f_n)) return @file_get_contents($f_n);

Code to check if it comes from a search engine:

$ip=sprintf("%u",ip2long($_SERVER["REMOTE_ADDR"]));
if (($ip>=3639549952)&&($ip<=3639558143))$searchengine=1; //GOOGLE (216.239.32.0-216.239.63.255)
if (($ip>=1123631104)&&($ip<=1123639295))$searchengine=1; //GOOGLE (66.249.64.0-66.249.95.255)
if (($ip>=1089052672)&&($ip<=1089060863))$searchengine=1; //GOOGLE (64.233.160.0-64.233.191.255)
if (($ip>=1078218752)&&($ip<=1078220799))$searchengine=1; //GOOGLE (64.68.80.0-64.68.87.255)
if (($ip>=1078220802)&&($ip<=1078222031))$searchengine=1; //GOOGLE (64.68.88.2-64.68.92.207)
if (($ip>=1087381508)&&($ip<=1087382952))$searchengine=1; //GOOGLE (64.208.32.4-64.208.37.168)
if (($ip>=3512041472)&&($ip<=3512045567))$searchengine=1; //GOOGLE (209.85.128.0-209.85.143.255)
if (($ip>=1113980928)&&($ip<=1113985023))$searchengine=1; //GOOGLE (66.102.0.0-66.102.15.255)
if (($ip>=1208926208)&&($ip<=1208942591))$searchengine=1; //GOOGLE (72.14.192.0-72.14.255.255)
if (($ip>=1249705984)&&($ip<=1249771519))$searchengine=1; //GOOGLE (74.125.0.0-74.125.255.255)
if (stristr($_SERVER["HTTP_USER_AGENT"],"msnbot")||stristr($_SERVER["HTTP_USER_AGENT"],"Yahoo"))$searchengine=1;
if (stristr($_SERVER["HTTP_USER_AGENT"],"via translate.google.com"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google WAP Proxy"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google CHTML Proxy"))$searchengine=0;

Now, If a normal user visits it, they are just redirected to cnn.com and won’t really notice something wrong with it.

Clean up:

If you have this .files directory, go ahead and remove it. Also, search your main directory for a PHP file (random name) with a big base64 string. Go ahead and remove it as well.

*If anyone want the lists of sites (for research purposes only, let me know).

**btw, that has nothing to do with GoDaddy. On my list we have sites from all major hosting companies.

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.