Back in December of last year I found that there had been a page added to my website by a malicious robot and had some fun exploiting the fact that hundreds of people were clicking on fraudulent search engine results. Sure enough, last night it happened again, but unlike last time, I found out WHY it happened.
Unknown to me, on three different websites of mine, there were folders that had incorrect file permissions. Generally speaking, each file and folder on a website has its own set of permissions which allow different users different levels of access. Nearly all of my files and folders have their permissions set to 755, which allows me, and only me, the ability to change the contents of the folders on my website. However, today I discovered that three folders on three different websites had their permissions set to 777, which means that ANYONE could write files to these folders. The result was that a malicious robot exploited this lack of security and wrote their own files to my websites.
I found out about this from a random person who informed me that there was a page on my website that was sending people to a page that forces people to download a fake virus scanner that I can assume was rogue malware. I contacted my hosting provider thinking that my website passwords were compromised and the tech support responded with a listing of all the folders on all my websites that contained 777 file permissions.
From there, I went to each of these folders and looked around for the newly added malicious files. Instead of merely deleting the files, I opted to do what I did last time, and replace the malicious code with my own basic HTML file. The result so far has been over 2,000 people clicking on the fake search results and being brought to a landing page like the one above telling them they should try searching again.
I must say that their hack is pretty simple, but also rather sophisticated. I would not have realized that I was being used to help spread malware unless that person had notified me. They work by using a HUGE list of basic words, then they dynamically create hundreds of new pages that feature the keywords. Finally, Google’s own robots visit the pages and enter the hundreds of fake entries into their database. The beauty of this process is that the evil geniuses behind the code use one PHP file to dynamically generate hundreds of fake pages that all draw people to their webpage, and now they are coming to my website instead.
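The audit described above (listing the folders set to 777, then looking inside them for files that were added) can be scripted. This is an added example, not part of the original post; the function names and the web-root path are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories
# (the "other" write bit, as in mode 777) and the files inside them.

# Print every directory under $1 that anyone on the host can write to.
# -perm -0002 matches any mode with the other-write bit set (777, 757, 1777, ...).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Print the files sitting directly inside those directories so each one
# can be reviewed: anything the site owner did not put there is suspect.
files_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -print
    done | sort
}

# Reset the flagged directories to 755 (owner writes, everyone else reads).
# Run this only after the files above have been reviewed.
tighten_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        chmod 755 "$dir"
    done
}

# Usage: sh audit.sh /path/to/webroot   (placeholder path)
if [ -n "${1:-}" ]; then
    echo "World-writable directories:"
    world_writable_dirs "$1"
    echo "Files inside them (review each one):"
    files_in_writable_dirs "$1"
fi
```

Some upload or cache folders are made world-writable on purpose by the application, so check what depends on a directory before calling `tighten_dirs` on it.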
Throughout this week I am going to continue to monitor this discovery and analyze the code that was used to generate these pages.
Here is an example of a bad search result from Google:
My page just so happened to be the only page on the Internet with those exact words.