What to do if you are infected with SEO spam on WordPress

At Jetpack, dealing with different types of threats and attacks on the web is part of our daily work. In most cases the job ranges from collecting malicious files and looking for the attack vector, to helping restore a site from its latest backup. But sometimes we enter a different dimension, one of truly creative attacks and inexplicable re-infections: we enter ... the Twilight Zone.

Okay, I might be too dramatic, but bear with me while I set the scene for this mysterious story. Ready? Join me on a journey of ghosts, spam and search engines.

Malicious behavior

We found a website hit by a very interesting attack. It first showed up as an email from Google Search Console: an unusual URL (a very suspicious-looking one, with a clickable URL inside it) was listed among the fastest-growing pages.

Image showing the spam-inserted URL: the top growing pages report in Google Search Console

The website's owner was a bit unhappy, because such behavior is usually the result of an infection, yet Jetpack had not detected or warned them about anything. Moreover, when they checked, these pages did not even exist on the website, but Google had indexed them anyway. The Twilight Zone intensifies.

When we checked for any suspicious files that Jetpack Scan might have missed (no security tool detects 100% of threats), things got even stranger. WordPress core and the plugins were intact, and there were no injected files or scripts in the database. Some plugins were outdated but had no pending security fixes, WordPress was one version behind (5.6), and the latest update listed no major security fixes. Nothing suspicious at all: no usual suspects, no evidence of an attack; nothing, at any rate.

The next logical step was to check the access logs; maybe they would reveal the mystery. Would we find that we were facing a zero-day attack, or finally find proof of the multiverse theory, with this website only infected in Universe #1337? To the logs!

The request for this strange spam page
Another strange spam request. It seems Bing likes it too ... but why?

As you'd expect: nothing strange, except a bunch of requests for these spam pages, as you can see in the screenshot. They all returned "200 OK". So the page exists somewhere in the space-time continuum, or ... wait ... do you see it now?

All these pages point to the same location: `/?s=`, which means the search engines (Google flagged the problem, but the requests came from Bing too) were indexing the search results page. But why? As far as we know, crawlers don't run searches on pages, right?

The index paradox

If you work with websites, the basics of how a search engine works are fairly simple: a bot (an automated script) crawls web pages, indexes their content, performs some magic, and stores a queryable resource somewhere in the cloud.

With that in mind, we dug further into the logs to see whether these requests carried any other clue, such as a referring website, but no luck: all the logged requests came from search engines. Fortunately, Google Search Console listed a referring page for one of the entries.

Google's Search Console tool gave us some hints. Google Search Console review page
Now I think it is time to swap our Twilight Zone hat for a CSI hat and put some website bones under the microscope.

For a trained eye, it is easy to see that the referring URL belongs to an infected website, and fortunately we have well-trained eyes! The `Index.php` directory is meaningless, probably added to confuse the site owner. Next comes another random directory and a randomly named PHP file. This is probably a loader that fetches the final payload: `Cargese4/CCA442201.htm`, also random. All of these are hallmarks of a link-farm malware infection.

A quick Google search of the referring site's indexed content confirmed that it had indeed been infected and serving SEO spam for a while. The website belongs to a food company in India, but it was offering SUV deals in Japan. Yes, that is spam.

Search query showing Japanese spam results on the Indian website

However, none of the results linked to our friend's website, so I decided to find out whether other websites were affected by the same strange behavior.

To find more victims of this spam campaign, for educational purposes only, we used our Google-fu to craft a search query that returns websites ending in .edu whose URL has the term "purchase" in the title. We got 22 results, enough for our hunt.

We used .edu and .gov websites to check for spam infections and filter out domains (such as .com) created solely as link farms.

Spam search results
The site in this case is not the only one affected; this seems to be a more common problem. We wondered what made Google index these pages. How did Googlebot come into contact with them? Next step: a backlink checker.

The result of the backlink check

Several online tools provide reports on a website's backlinks; we used Ahrefs for this project, but other tools should reach the same result. The report listed some of the malicious search pages, confirming that we were on the right path.

We picked one of the websites to check what was going on, and just as you see in the next screenshot (they should check out Jetpack Anti-spam), each comment links to the website's search page with the spam in the query.

Comments linking to spam: the comment section linking to spam search results

Catching the white rabbit

As I mentioned earlier, search engine bots will not run queries on a website's pages. But if they find a link to such a page, they will follow it, and if the page does not tell the automated script that it must not be indexed, it gets added to the index.

Ye olde injected spam

Example of injected spam. This is a clever way to "inject" spam into a website: it pushes spam into search engine results and spares the spammer the effort of link farming to improve the ranking of their own pages.
Now that we understand the problem, how do we tell search engine bots to avoid following links to the search page (or simply refuse to index them)? The best way is to change WordPress core, which helps protect the whole community (if you want to report bugs or contribute code, please join us).

To avoid unnecessary rework, we checked WordPress Core Trac and found that the problem had already been resolved in version 5.7, but unfortunately it did not appear as a security issue in the changelog. I will quote the ticket's author, who describes the problem better than I can (thanks to Abagtcs for the report):

"Spammers have begun abusing the search function of these websites by passing spam terms and host names to it, hoping to improve the search ranking of the spammers' websites.

Spammers place these links in open wikis, blog comments, forums and similar places, relying on search engines to crawl their links.

This attack is surprisingly widespread and affects many websites around the world. Although some CMSs and websites backed by custom code may be easily hit by this technique, preliminary investigation suggests that, at least in the .edu space, the most targeted web platform by far is WordPress."
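Two checks a site owner can run from the findings above, written as an added example (not Jetpack's code or the WordPress patch): the first scans access log lines for crawler requests that hit the `/?s=` search page, which is the pattern the logs in this story showed; the second verifies that a rendered search page carries the robots `noindex` meta tag, the mechanism WordPress 5.7 uses to keep search results out of the index. The log lines and HTML are constructed samples, not data from the article.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (Apache combined format), not from the article.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2021:10:01:12 +0000] "GET /?s=%E3%82%B9%E3%83%BC%E3%83%91%E3%83%BC+buy+cheap HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.5 - - [10/Mar/2021:10:02:30 +0000] "GET /?s=buy+example-spam+site HTTP/1.1" 200 50987 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.9 - - [10/Mar/2021:10:03:01 +0000] "GET /?s=wordpress+tips HTTP/1.1" 200 48000 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
66.249.66.1 - - [10/Mar/2021:10:04:44 +0000] "GET /about/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-agent fragments of the major crawlers; extend as needed.
BOT_RE = re.compile(r"googlebot|bingbot|yandex|duckduckbot|baiduspider", re.I)
META_RE = re.compile(r"<meta\b[^>]*>", re.I)


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_query(path):
    """Return the decoded WordPress search term from /?s=<term>, or None for other paths."""
    qs = parse_qs(urlparse(path).query)
    return qs["s"][0] if "s" in qs else None


def bot_search_hits(log_text):
    """List (ip, query, status) for crawler requests that landed on the search results page."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not BOT_RE.search(rec["ua"]):
            continue
        query = search_query(rec["path"])
        if query is not None:
            hits.append((rec["ip"], query, int(rec["status"])))
    return hits


def search_page_is_noindexed(html):
    """True if the page carries <meta name="robots" content="...noindex..."> in any attribute order."""
    for tag in META_RE.findall(html):
        if re.search(r"""name=["']robots["']""", tag, re.I) and \
           re.search(r"""content=["'][^"']*noindex""", tag, re.I):
            return True
    return False


if __name__ == "__main__":
    for ip, query, status in bot_search_hits(SAMPLE_LOG):
        print(f"crawler {ip} fetched search page for {query!r} -> HTTP {status}")
```

Any crawler hit on the search page that returns 200 without a `noindex` directive is a page the search engine may add to its index, which is exactly how the spam queries above ended up in Search Console.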

When more than 41% of the largest websites on the Internet run WordPress, this is not surprising.

Conclusions you can take from this incident:

The URLs displayed on the top growing pages report are not sanitized very well, so the spam URL you see separated by an emoji can actually be clicked directly (hi, Google friends, that one's yours); unwary users could click on them and land on unwanted content.

Google needs some tuning to avoid adding obviously junk pages to its index. According to the tool's report, some legitimate pages were crawled but not indexed, while the spam was added.

Attackers will use even the smallest loopholes in your system, so we must always be vigilant.

Always listen to people and understand their problems. If we had only checked the logs from our own tools, we would not have noticed this problem and could not have helped fix their website.

  1. Keep your software up to date. Always.
  2. At Jetpack, we strive to make sure your website is not affected by vulnerabilities like this. To stay a step ahead of any new threat, check out Jetpack Scan, which includes security scanning and automatic malware removal.

Thanks to Erin Casali for highlighting this issue and helping with the investigation.
