Doorways Sneak To Non-Default Ports of Hacked Servers
UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable legitimate websites injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence of webmasters of compromised sites makes this scheme viable — doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of using established domain names."
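As an added example (not from the summary's author or from Unmask Parasites): a small Python check a webmaster could run over an Apache configuration to flag Listen directives and VirtualHost blocks bound to ports other than the expected 80/443, which is the reconfiguration the summary describes. The config text, hostnames and paths below are constructed for illustration; the assumption that a VirtualHost without an explicit port uses port 80 is a simplification.

```python
import re
from typing import List, Tuple

# Constructed sample Apache config (not taken from any real server): one
# normal site plus a second VirtualHost quietly bound to a high port.
SAMPLE_CONFIG = """
Listen 80
Listen 443
Listen 8085
<VirtualHost *:80>
    ServerName www.example.edu
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:8085>
    ServerName www.example.edu
    DocumentRoot /var/tmp/.cache/doorway
</VirtualHost>
"""

EXPECTED_PORTS = {80, 443}

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S*:)?(\d+)", re.IGNORECASE | re.MULTILINE)
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
DOCROOT_RE = re.compile(r"DocumentRoot\s+(\S+)", re.IGNORECASE)


def _vhost_port(addr: str) -> int:
    # "*:8085", "192.0.2.1:8085", "[::1]:8085" -> 8085; a bare "*" or host
    # is assumed here to mean the default port 80.
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else 80


def unexpected_listen_ports(config: str, expected=EXPECTED_PORTS) -> List[int]:
    # Every port Apache is told to bind that is not on the expected list.
    ports = {int(p) for p in LISTEN_RE.findall(config)}
    return sorted(ports - set(expected))


def suspicious_vhosts(config: str, expected=EXPECTED_PORTS) -> List[Tuple[int, str]]:
    # (port, DocumentRoot) for each VirtualHost bound to an unexpected port;
    # the DocumentRoot is what a webmaster would inspect next.
    findings = []
    for addrs, body in VHOST_RE.findall(config):
        for addr in addrs.split():
            port = _vhost_port(addr)
            if port not in expected:
                m = DOCROOT_RE.search(body)
                findings.append((port, m.group(1) if m else ""))
    return findings


if __name__ == "__main__":
    print("unexpected Listen ports:", unexpected_listen_ports(SAMPLE_CONFIG))
    print("vhosts on unexpected ports:", suspicious_vhosts(SAMPLE_CONFIG))
```

On a real server, pair this with the output of `ss -ltnp` or `netstat -ltnp`, since a rogue listener may also come from a second httpd instance or a config include outside the main file.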
Ob-1999: I think you misspelt "cracker."
Here's a typical break-in, at University of Oakland. This has a good search position in Google for "64 bit Windows". This leads to a software-for-sale page with phony seals of approval from Microsoft, Verisign, etc. That's hosted at Starnet, in Moldova. The payment site for the sales site is "payment8ltd.net", also hosted on Starnet in Moldova. They're selling pirated copies of brand-name software at roughly half retail price.
That site has a TrustWave seal, which pops up a popup for Paym8, a real payment processor in Zaire. TrustWave's seal server doesn't check the referrer when displaying a seal popup, so it can be spoofed. Nor does the TrustWave seal even give the domains to which it applies. Verisign and BBBonline check this, but not TrustWave.
It looks like the actual payment processing occurs at "https://payment8ltd.net/shop/order/process/"; that's where the order goes on "Submit". The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.
Starnet presents itself as an Internet and telecom service provider, offering the usual data, voice, colocation, and hosting. Headquarters of Starnet seems to be at Vlaicu Parcalab, 63, Chisinau, Republic of Moldova. That's a property of Flexi Offices, one of those small-office rental places. Interestingly, Microsoft also has an office in that building.
There's actual Whois information for that site:
Registrant Contact: Viktor Menshikov
Viktor Menshikov (loyal@yourisp.ru)
ul.V.Urdasha d.36 kv.1
Rakovo, Respublika Tatarstan, RU 422455
P: +7.8435122221 F: +7.8435122221
That location exists; it's a farm town about 500 km east of Moscow. Probably not a real address.
Searching for "yourisp.ru" brings up a large number of scam reports. The domain itself is registered but not in DNS.
Most of this recent batch of attacks seem to have similar underlying information.