Being hacked by SEO spammers seems like a yearly event at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago, on 26 November 2007 (according to my records). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.
It’s a big embarrassment for Bluehost & HostMonster hosting to have their CEO’s blog spam-ridden every year (since 2007). Drilling Matt Heaton’s blog with bad ads won’t solve the blackhat spam issues; I will leave that particular part to my readers to speculate.
Mattheaton Goro Spam Chronology
| Date | Event |
|---|---|
| Jul 2007 | Google PR 7 |
| Aug 2007 | Stopped being indexed by archive.org |
| Nov 28th 2007 | Wordpress.net.in Goro Spam on wp_footer backlink to howardowens.com |
| Dec 4th 2007 | Unknown Goro Spam on wp_head backlink to tangonoticias.com |
| Dec 11th 2007 | WordPress upgrade to version 2.3.1 |
| Jan 16th, 2008 | Google PR5 |
| Jan 26th, 2008 | Unknown Blackhat SEO spam on wp_head backlink to brainwave-india.com |
| Feb 3rd, 2008 | Unknown Blackhat SEO spam on wp_head backlink to thinkingphp.org |
| Feb 8th, 2008 | Unknown using CSS cloaking method on wp_head backlink to zoorender.com |
| Feb 13th, 2008 | Unknown using CSS cloaking method on wp_head backlink to blog.jensfranke.com |
| Feb 20th, 2008 | Unknown using CSS cloaking method on wp_head backlink to entrepreneur27.org |
| Feb 24th, 2008 | Unknown using CSS cloaking method on wp_head backlink to latenightpc.com |
| Feb 26th, 2008 | Unknown using CSS cloaking method on wp_head backlink to communitynext.com |
Wordpress.net.in GORO Spam Pattern
- All the infected sites stopped being indexed by archive.org a few months before the spam started.
- From Nov 2007 to Jan 2008 (right after the Google Mass P3 De-rank fever), the blackhat Goro spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and, in some rare cases (tangonoticias.com), Joomla CMS (1.0.x).
- I categorize this blackhat method as a Sybil attack
A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.
- Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)
- Goro signatures:
- html div with id “goro”
<div id="goro"> <a href=">...</a> </div>
- javascript function name “getme()”
<script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
- Output spam on WordPress wp_footer & wp_head hook
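To see what the getme() loader hides without running it, the same arithmetic can be applied with the eval() step left out. This is an added example, not code from the original post; the names decodeGetme, extractGetmeArgs and decodeAll are hypothetical, and the sample argument is the one quoted in the signature above, which decodes to a statement that sets the "goro" div's display to none for script-enabled browsers.

```javascript
// Static decoder for the getme() loader quoted above (added example).
// Same arithmetic as the loader, but the result is returned, never eval()'d.
function decodeGetme(str) {
  const q = str.indexOf('?');
  if (q === -1) return null; // the loader does nothing when there is no '?'
  const hex = str.slice(q + 1);
  // Stricter than the loader: reject anything that is not clean hex pairs.
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error('payload is not an even-length hex string');
  }
  let out = '';
  for (let pos = 0, i = 1; pos < hex.length; pos += 2, i++) {
    const byte = parseInt(hex.slice(pos, pos + 2), 16);
    out += String.fromCharCode((byte + i) % 256); // position-dependent shift
  }
  return out;
}

// Collect every getme('...') call argument from a saved page source.
function extractGetmeArgs(html) {
  const args = [];
  const re = /getme\(\s*'([^']*)'\s*\)/g;
  let m;
  while ((m = re.exec(html)) !== null) args.push(m[1]);
  return args;
}

// Decode every loader call found in a page source.
function decodeAll(html) {
  return extractGetmeArgs(html).map(decodeGetme).filter((s) => s !== null);
}

// Argument copied from the signature on this page.
const SAMPLE_ARG =
  'http://pagead2.googlesyndication.com/pagead/show_ads.js?' +
  '636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E' +
  '5252564840083D414A4641354C0FF83E3E3C32F306';

console.log(decodeGetme(SAMPLE_ARG));
// prints: document.getElementById('goro').style.display='none';
```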
Blackhat SEO Spamdexing Google Local Search Index
The graph below explains the blackhat SEO spamdexing methods for manipulating the Google Local SERP.
View Spamdexing Google Local Search Image
Note: A blackhat at hoqwarts ;)
ScreenGrab
- mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
- brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
- Google Local Search Jan 28 2008 Spamdexing Results
- stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
- stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)
Recent Update
- Feb 1, 2008 - We sent a letter to matt@bluehost.com regarding this issue. Still waiting for his reply.
- Feb 3, 2008 - The blackhat Goro spammer changed their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.
<div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div><script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
The thinkingphp.org blog is running on WordPress 2.3.2. We sent him an email regarding the Goro spam hijack.
- Feb 8th 2008, there is no signature of Goro spam (tag with id goro) on Matt’s blog; the blackhat is now using inline CSS position overflow to hide the spam links ↓ redirect to zoorender.com (PR6).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
- Feb 13th 2008, same method as above (inline CSS cloaking).
- HTML Code shown to a Regular Browser → 32,246 characters
- HTML Code shown to Google Bot → 34,646 characters
redirect to blog.jensfranke.com (PR7).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
- Feb 20th 2008, CSS cloaking redirect to http://www.entrepreneur27.org/ (PR6).
<div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a> <a href="http://www.entrepreneur27.org/?more=1592"> ... </div>
- Feb 24th 2008, CSS cloaking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
- Feb 26th 2008, CSS cloaking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt
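The updates above describe three markers in the page source (the "goro" div, the getme() loader, and an absolutely positioned block pushed far off-screen) plus a difference between the HTML served to a browser and to Google Bot. As an added example that is not part of the original post, the scanner below checks a saved source for those markers and lists links that appear only in the crawler's copy; the function names and the example.test sample pages are constructed for illustration.

```javascript
// Heuristic scanner for the markers listed on this page (added example).
// Regex over raw source is deliberate: a triage aid, not an HTML parser.
function extractLinks(html) {
  const links = new Set();
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.add(m[1]);
  return links;
}

function scanSource(html) {
  const findings = [];
  if (/<div\b[^>]*\bid\s*=\s*["']goro["']/i.test(html)) findings.push('goro-div');
  if (/function\s+getme\s*\(/.test(html)) findings.push('getme-loader');
  // Inline style placing a block absolutely, hundreds of pixels off-screen.
  const styleRe = /<\w+\b[^>]*\bstyle\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) {
    const style = m[1];
    if (/position\s*:\s*absolute/i.test(style) &&
        /(?:left|top)\s*:\s*-\d{3,}px/i.test(style)) {
      findings.push('offscreen-block');
      break;
    }
  }
  return findings;
}

// Links present in the crawler's copy of a page but absent from the browser's.
function cloakedLinks(browserHtml, crawlerHtml) {
  const seen = extractLinks(browserHtml);
  return [...extractLinks(crawlerHtml)].filter((url) => !seen.has(url));
}

// Constructed sample: one page as served to a browser and to a crawler.
const BROWSER_COPY =
  '<html><body><a href="http://blog.example.test/about">About</a></body></html>';
const CRAWLER_COPY =
  '<html><body><a href="http://blog.example.test/about">About</a>' +
  '<div style="left: -2227px; position: absolute; top: -3337px">' +
  '<a href="http://victim.example.test/?read=1">constructed anchor</a></div>' +
  '</body></html>';

console.log(scanSource(CRAWLER_COPY));
console.log(cloakedLinks(BROWSER_COPY, CRAWLER_COPY));
```

To use it on a live site, save the same URL once with a browser user agent and once with a crawler user agent, then pass both copies to cloakedLinks.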
One Response to “Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II”
[...] on that is the blog of Matt Heaton, the Bluehost and Hostmonster CEO. The Kakkoi website provides a good account of what has been happening there. At the time of writing this post, the blog is still hacked although you would not know by looking [...]