While defacing websites is a quick way for a black-hat hacker to get his name out there, if you want to make some quick cash instead, it’s much better to remain undetected. This hacker was able to do just that and not simply to some obscure, user editable page of a rarely visited site, but to many pages of a major U.S. University, including its department homepage, a U.S. goverment website, and at least two other important organizations. He has remained undetected for at least two weeks (likely much longer) until now.
Hacked sites – the evidence:
Examine the last part of the source code for:
- http://www.music.uga.edu/ (University of Georgia School of Music homepage) and many other pages on this server, ex. http://www.music.uga.edu/degree_programs/undergrad/
- http://www.srs.fs.usda.gov/customer/ (USDA Forest Service Comments Info) and many other pages on this server, ex. http://www.srs.fs.usda.gov/history/index.html
- http://www.sanch.org/ (South African National Cultural Heritage Program)
- http://www.h-net.org/ (Humanities and Social Sciences Online)
As might be expected, these websites are all ranked as quite important in Google with PageRank of 7 or 6. These pages were served in their hacked form for at least two weeks according to various search engines’ caches. The Internet Archive shows that they were unaffected before May, 2006. All four of these servers are running Apache. The last two appear both to be hosted at the Michigan State University (msu.edu).
Hacker’s sites (visit at your own peril!):
phonespell.info, animalnames.net, dspse.com, dictionarypage.info, simpleacronyms.com, quotationsdot.info, rfcrepository.com, difficultwordsinfo.com, usazipinfo.com, geopageslist.com, quoteslist.net, englishwordsinfo.com, computerwords.info.
Most of them appear to be wholesale copies of legitimate website with spam links added. Their whois records share a common email address (fish_ka@inbox.ru) and a common name (Alex Beliy). They have several different U.S. addresses. They have been registered on various dates through Go Daddy. They use DNS servers at sght.com. Their IPs are all within the same range: 216.195.47.197 – 216.195.47.218 (likely a dedicated server with many IPs). They appear to be hosted at APS Telecom in Portland, OR. A Google search brings up reports of previous spam. I cannot for sure only credit the hidden links, but the spam domains currently have no problem being ranked and having 100,000s of pages indexed in both Google and Yahoo!.
