#1
12-01-2006, 11:10 AM
Terry_P
Hidden spam links injected into web pages

I have become aware that a hidden list of spam links was inserted at
the end of several of my web pages a few days ago. My web host claims that
my FTP password must have been cracked but I am sceptical of this
explanation. The links pointed to what has now been confirmed as a
compromised computer at uchicago.edu and were then redirected to nudai.com
which has further links to peakpc.com . The links related to phentermine
and other drugs.

A Google search for "how long does phentermine stay in the body" reveals
that a large number of blog sites have phentermine comment spam. However
what I am reporting is HTML pages altered presumably by a script to include
spam links. Is this a new as yet unreported strategy by spammers?

Please check your web pages for spam link injection. The links are hidden
so you must check the source for alterations.

#2
12-01-2006, 03:03 PM
Todd H.
Re: Hidden spam links injected into web pages

Terry_P <me@privacy.net> writes:

> I have become aware that a hidden list of spam links was inserted at
> the end of several of my web pages a few days ago. My web host claims that
> my FTP password must have been cracked but I am sceptical of this
> explanation. The links pointed to what has now been confirmed as a
> compromised computer at uchicago.edu and were then redirected to nudai.com
> which has further links to peakpc.com . The links related to phentermine
> and other drugs.
>
> A Google search for "how long does phentermine stay in the body" reveals
> that a large number of blog sites have phentermine comment spam. However
> what I am reporting is HTML pages altered presumably by a script to include
> spam links. Is this a new as yet unreported strategy by spammers?
>
> Please check your web pages for spam link injection. The links are hidden
> so you must check the source for alterations.


Web page defacements aren't all that new, but perhaps this is a novel
use for them.

What active scripting are you using on your site (e.g. php?, what
scripts?) ? That's a more likely injection vector than a cracked ftp
password?

--
Todd H.
http://www.toddh.net/

#3
12-01-2006, 03:31 PM
Terry_P
Re: Hidden spam links injected into web pages

On Fri, 1 Dec 2006 12:10:05 +0000, Terry_P wrote:


> The links pointed to what has now been confirmed as a
> compromised computer at uchicago.edu and were then redirected to nudai.com
> which has further links to peakpc.com . The links related to phentermine
> and other drugs.


Sorry, there was a typo. The spamming sites are nudai.com and peakc.com
(*not* peakpc.com).

#4
12-02-2006, 11:18 PM
MC
Re: Hidden spam links injected into web pages

Todd H. wrote:
>
> Web page defacements aren't all that new, but perhaps this is a novel
> use for them.
>
> What active scripting are you using on your site (e.g. php?, what
> scripts?) ? That's a more likely injection vector than a cracked ftp
> password?
>


Actually, since regular FTP passwords are all sent in cleartext, it
doesn't have to be cracked, it can be sniffed out. FTP is quite a likely
injection vector because of that.
A decent webhosting company keeps logs of FTP connections though, so
they should be able to track at the very least connections made to the
web space from IPs different than normal, and that way track the
defacers/crackers and report them to the authorities (it's a crime in
many countries punishable by law). If they don't log, demand they start
logging, or find another hosting company :P

Something you could do instead would be to ask for SFTP access instead
of FTP to update your pages. This way neither the login nor the data
uploaded can be sniffed out.

HTH

MC

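Added example, not part of the original post: a sketch of the FTP log check suggested above, listing completed uploads of web files from addresses outside the owner's usual range. It assumes the host's FTP server writes the standard xferlog format; the log lines, account name, paths and baseline range are constructed.

```python
import ipaddress
from datetime import datetime

WEB_EXT = (".html", ".htm", ".php", ".js")

def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {"time": when, "host": f[6], "path": f[8], "direction": f[11],
            "user": f[13], "status": f[17]}

def is_known(host, baseline):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:      # logged as a hostname: cannot match an IP baseline
        return False
    return any(addr in net for net in baseline)

def unusual_uploads(lines, baseline_cidrs):
    """Return (time, host, user, path) for web-file uploads from unfamiliar hosts."""
    baseline = [ipaddress.ip_network(c) for c in baseline_cidrs]
    hits = []
    for line in lines:
        rec = parse_xferlog(line)
        # Keep only incoming ("i") transfers that completed ("c").
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["path"].lower().endswith(WEB_EXT) and not is_known(rec["host"], baseline):
            hits.append((rec["time"].isoformat(), rec["host"], rec["user"], rec["path"]))
    return hits

# Constructed log lines: one upload from the usual range, two from elsewhere, one download.
SAMPLE_LOG = [
    "Mon Nov 27 19:02:11 2006 1 198.51.100.23 4812 /home/webuser/public_html/index.html a _ i r webuser ftp 0 * c",
    "Tue Nov 28 03:41:56 2006 1 203.0.113.77 5390 /home/webuser/public_html/index.html a _ i r webuser ftp 0 * c",
    "Tue Nov 28 03:41:58 2006 1 203.0.113.77 7719 /home/webuser/public_html/links.html a _ i r webuser ftp 0 * c",
    "Tue Nov 28 09:15:30 2006 2 192.0.2.10 20480 /home/webuser/public_html/photo.jpg b _ o r webuser ftp 0 * c",
]
```

If no upload in the log lines up with the time the pages changed, the modification probably did not arrive over FTP, which points back to the site's scripts.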