SEO Black Hat: SEO Blog and Private Forum

Tired of useless Top 10 Lists for ranking in Google? Looking for effective and insightful info? SEO Black Hat Blog offers articles on Blackhat SEO, Linkbait & Link Spamming. And if you need to escape White Hat SEO Whiners, check out The Private Black Hat Search Engine Optimization Forum.

Hacker Crime Spree in the SEO Space

5 comments

As you have probably seen by now, a few SEO blogs have been hit by a hacker using a WordPress exploit. He got Wolf-howl, stuntdubl (still down), and boogybonbon.

The letter from the hacker.

Here is the coverage on threadwatch.org and ha.ckers.org.

True, the SEO blogosphere is a bit of an echo chamber, but a little hacking/defacement is not more interesting than when that Polish girl got 4 billion plus pages indexed; pull something like that off and you have a real accomplishment.

Google Creating a Platform for Malicious Hacker Worms?

0 comments

AJAX has built-in security features to prevent cross-domain requests. This creates a problem for enthusiastic web developers who want to create certain robust web applications (like mashups). The solution? Hack up AJAX to do what you want by removing those annoying security features.

That’s the route that many gung-ho web developers have gone . . . including Google.

But hold on a second! Weren’t those security features built in for a reason? Like for, umm, security or something?

This issue is tackled in Gnucitizen’s article, Google Search API Worms:

Google, one of the biggest AJAX evangelists today, provides JavaScript APIs to allow developers to mashup their services with Google’s enormous capabilities. As a result Google unconsciously enables various types of worms to crawl and exploit the web.

 

Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress for example and this vulnerability allows SQL Injection, a worm may be written to crawl blogs in search for this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.

Another worm might be able to crawl random sites and run generic Cross-site Scripting and SQL Injection checks and send the results to their master who will use them to release more advanced worms.

 

It hasn’t happened yet, but it appears to be a vulnerability according to Gnucitizen. One worm we covered on SEO Black Hat was the Samy MySpace worm.

Also, I like the icon that Gnucitizen uses for Google; “The Google Grid” shot is taken from the famous Googlezon video. Good stuff!

XSS Security Tool

0 comments

SEO Egghead has created a security tool that scans your web pages for Cross Site Scripting / HTML injection vulnerabilities.

It’s not designed for you to scan every site on the net. It’s more for checking select pages . . . probably because he doesn’t want his servers to assplode!

Don’t Click that Google URL - It’s a Trap!

2 comments

RSnake has found someone using the Google Redirect to phish for eBay accounts:

Well it’s official and no longer just conjecture. Google’s redirection hole is now being used as a phishing redirector. I don’t know how anyone could reasonably argue that this isn’t a problem now. It’s not me just spouting what could be or what might be, this is actually happening.

 

He then shows the URLs that are being used in spam emails to trick people into giving up their eBay account info (phishing).

Seriously, it’s past time for Google to act on this. Google should have been on this faster than . . .

Email Spam Messages? It’s not me.

13 comments

Some e-mail spammer thought it would be funny to use my domain as the reply-to in a series of email spams that are going out today. Obviously I’m concerned because I don’t want to be on any spamming list (heh, email spamming anyway).

I’m receiving hundreds of “out of the office replies” per hour. Does anyone know how to combat an attack like this?

I need help . . . badly.

Click Fraud Discussion - From The “How To” Angle

0 comments

Supper Aff has documented a discussion among hundreds of people at the Getpaid forum on the topic of click fraud.

The twist is that they’re not talking about how to prevent it or whether or not it is a problem. The discussion is more like:

For a search to qualify as valid these 2 steps must be followed:

1) Click a search term, word or phrase on the portal or parking page and let the results page fully load.

On portals with search boxes you may also enter a search term, word or phrase of your own.

2) Click a result and let the page fully load.
You may click up to 3 results from one search without going over search limits. After following these 2 steps you have completed a valid search.

 

Yeah, as the membership rises at a profit sharing site, the share lowers, that’s how they go.

In this light, the ‘forced search’ site, is a superior variation of the basic model.

ptr is Extremely well suited to ripping off ppc/cpc. Megabucks in it too…

 

I do not see what all this crap is about. Wah I have to make a search *sniffles* grow the hell up ######. That’s what we get paid to do. If you don’t search, you get fractions of pennies. Who wants that?

 

0 iframes now contain over 100 auto searches where they used to contain only two or three. Ever wonder why this is happening? It’s crumbling fast, they’re getting caught faster, the bids are drying up faster.

 

and hundreds more.

Of course none of this matters because click fraud is largely irrelevant, the perfect economic solution is to just let it happen, and click fraud is not at all rampant.

Hat tip to V7n.

Myspace Hack Spreading

2 comments

Interesting Myspace Story:

Well, well. Somebody has managed to hack Myspace.com with a Flash-based redirect that exploits what is apparently a gaping wide hole in the Myspace code. If you are signed into Myspace, and you go to a friend’s page, and then find yourself redirected to a blog post containing a diatribe about how the United States government is behind the 9/11 attacks, then your account has been hacked, and everyone who visits your page will be infected!! Yes, it’s true, at least for now - everybody who visits an infected profile while signed into their Myspace account will have their page hijacked!

 

Update: Explanation of how the Hack works.

IP Delivery to Stop RSS “Content Thieves”

7 comments

Tired of getting your content stolen from your RSS Feed and reposted on splogs? Here is a simple solution for you. I was inspired by RSnake to add some code to my .htaccess file to stop some of the people from scraping my feeds and will show you how to do the same.

Basically, all you need is the IP address of whoever is stealing your feed and you can deliver whatever content you want to them. One way you can get it is to “ping” the site - go to a DOS prompt and type “ping spammersite.com”. It’ll spit out the IP for you. Traceroute (tracert) will also work.

In my case, I just redirected any instance from their IP address back to their own feed. I’m not sure yet, but this may cause a loop in their server to post things over and over again.

If you want to deliver any kind of custom content to a specific IP address, you just need to add these 3 lines of code to your .htaccess file.

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^69\.16\.226\.12$
RewriteRule ^(.*)$ http://newfeedurl.com/feed [R,L]

Where 69.16.226.12 is the IP address you want to send to and http://newfeedurl.com/feed is the custom content you want to send them. The dots are escaped and the pattern is anchored at both ends so that it matches only that address and not, for example, 69.16.226.120.

You can always test what content will be delivered by changing the IP address to that of the machine you are working on. You can check your IP Address here.
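
The rule is only as good as the address in it, and the address that fetches a feed is not always the one the scraper's site resolves to, so your own access log is the better source. As an added example (not part of the original post), this Python script pulls repeat feed fetchers out of an access log and emits an exact-match RewriteCond for each; the log lines are constructed, and the /feed path, the hit threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2007:10:00:01 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
203.0.113.7 - - [12/Jan/2007:10:05:01 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
203.0.113.7 - - [12/Jan/2007:10:10:02 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
198.51.100.20 - - [12/Jan/2007:10:11:40 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.70 - - [12/Jan/2007:10:12:00 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client address, request path and status from one combined-format line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def feed_fetchers(log_text, feed_prefix="/feed", min_hits=3):
    """Return {ip: hits} for clients that requested the feed at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group(2).startswith(feed_prefix):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def rewrite_cond(ip):
    """Build an exact-match RewriteCond: dots escaped, both ends anchored."""
    return "RewriteCond %{REMOTE_ADDR} ^" + re.escape(ip) + "$"

def cond_matches(cond, remote_addr):
    """Apply the condition's pattern to an address as a regex search, as mod_rewrite does."""
    pattern = cond.split(" ", 2)[2]
    return re.search(pattern, remote_addr) is not None

if __name__ == "__main__":
    for ip, n in sorted(feed_fetchers(SAMPLE_LOG).items()):
        print(f"# {ip} fetched the feed {n} times")
        print(rewrite_cond(ip))
```

Review the candidates before blocking anything: legitimate feed readers and aggregators also poll on a schedule, so hit count alone does not identify a scraper.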

You can be as creative as you wish with what you feed them. You can even use them to blog and ping for you if you like. The possibilities are endless.

So why is a site about Search Engine Spamming teaching people how to stop their content from being splogged? Because I am a dirty link whore and this is the kind of thing that people like to link to.

It might even be the type of story that people like to Digg.

Here’s What Happens When You Scrape a Hacker Site

2 comments

Hilarious. Some dumbshit thought it would be a good idea to scrape content from RSnake at ha.ckers.org.

He thought wrong.

I’ve got to think this is just some sort of dumb joke, but that would be way too smart. No, this is just stupidity. So anyway, it was fairly trivial to figure out who was ripping my RSS feed. So it took me a few seconds to modify my document management system to do some IP delivery to the moron, and a few seconds of searching on the web for some nice prescription drug spam and poof! His site now looks like a bad spam doorway page and will continue to do so even more so with every post he indexes.

 

Not to mention he is registered with Godaddy. I won’t even start with the trouble you can get into when spamming from a Godaddy registered domain.

Nice work RSnake.

Google on Click Fraud “Let it Happen”

4 comments

Zdnet is reporting that Google CEO Eric Schmidt has the perfect economic solution to click fraud:

“let it happen.”

Well, yeah, that is a perfect economic solution for Google. Every fake click is extra money in their pocket. And he is correct that the market will work out the correct price to include click fraud. The only people that get screwed are the publishers and people who send real clicks - (like search engine spammers!).

If this is Google’s policy on click fraud, then I may have to rethink my anti click fraud stance. After all, if it is cool with Google, it can’t be evil. Why should I be the only sucker left out there who thinks click fraud is wrong?

To summarize: SEO Black Hat, the site that people love to hate for its “immorality”, is against click fraud while the CEO of “don’t be evil” Google says “Let it Happen.”

Hat tip to Threadwatch.
