Mass ZA hack on outdated CMS websites

Scampup

Well-Known Member
Joined
Dec 6, 2013
Messages
153
Any business, municipality, webservices provider for clients, web designers with clients - this is for you!

Please check your websites. Recently the South African IP range has seen a visit from malicious parties hacking sites with outdated CMS systems. In the process links were planted on numerous websites linking to East Asian mobile websites.

These links are not visible by looking at the web page. However looking at the source of the page shows these links quite clearly.

To see the raw source code:
  • FireFox = press "CTRL" and "u" keys simultaneously
  • Google Chrome = press "CTRL" and "u" keys simultaneously
  • Internet Explorer = press "CTRL" and "u" keys simultaneously
  • Safari = See here

Typically, look at all the links, looking for something like "<a .... href="http://some-website-address" ...>Some wording..."

This is how the injected links look:
aSlXf3S.png


Make sure you know where all links are going to and that they should be in your websites. Normally you only have to check your index page as the infected module is common to all the website pages.

As far as can be established, the hacks are linked to outdated CMS (Content Management System) software like old Wordpress and Joomla! installations. Our East Asian hackers had a field day.

This is also a reminder to check with the company managing your company website to ensure they are actually "managing" it, regularly updating it to avoid these issues. Imagine having a HSBC, Standard Bank or similar website hidden on your company website, stealing people's money. It happens daily on the internet. It also affects the very purpose you have a website, to attract business or keep in communication with your clients. If you get tagged by the malware vendors or the likes of Google as being malicious, business simply does not happen via it. Your rankings also drop to 0. Your potential visitors see a nasty warning that there is danger ahead. This is how users see your website:
http://blog.sucuri.net/2012/07/google-blacklist-warning-somethings-not-right-here.html

Any data on your website like client lists and other personal information may be stolen.

Embarrassing and oh so sad.
 
Last edited:

nand

Senior Member
Joined
Nov 2, 2012
Messages
742
Also sign up for Google Webmaster tools. They do proactive checking and inform you of these things.

They try to help protect your website from getting a bad reputation. They also provide a "safe period" where they give you time to rectify the problems on the website.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I don't see how this can increase pagerank as GoogleBot would flag link-schemes like this and not award any PR. Joomla, Wordpress and bulletin software get hacked regularly and in most cases it is for affiliate traffic (which is not the case in this scenario). You can see the extent of the hack via Moz for example - http://moz.com/researchtools/ose/domains?page=1&site=http://bizgia.net/ (i.e. in this example 700 ZA domains hacked with 60,000 links)
 

envo

Expert Member
Joined
Jan 14, 2014
Messages
3,263
I don't see how this can increase pagerank as GoogleBot would flag link-schemes like this and not award any PR. Joomla, Wordpress and bulletin software get hacked regularly and in most cases it is for affiliate traffic (which is not the case in this scenario). You can see the extent of the hack via Moz for example - http://moz.com/researchtools/ose/domains?page=1&site=http://bizgia.net/ (i.e. in this example 700 ZA domains hacked with 60,000 links)

You would think that, but no. Take what Matt Cutts say with a little grain of salt.

Their spam team are usually a few steps behind and by the time they catch up, the guys have made their money
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
You would think that, but no. Take what Matt Cutts say with a little grain of salt.

Matt who? I have honestly given up on being a lemming for Google. It is insane what some companies go through, just because Matt says "Jump" and they ask "How high?" (latest case in point is the non-sense around HTTPSing all content "to be safe" - my point is, that if you don't create backdoors for the NSA, you would not have to run double-standards).
 
Top