
Doorways Sneak To Non-Default Ports of Hacked Servers

User: aewhale
Date: 12/5/2010 9:29 am
Views: 2887
Rating: 10

Doorways on Non-default Ports — New Trend in Black Hat SEO?

03 Dec 10   Filed in Website exploits

A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of the real cost. They used quite a standard scheme that involved cloaking (making spammy links visible only to search engine crawlers) and conditional redirects (visitors from search engines who clicked on specifically-crafted links on compromised sites got redirected to the online stores of software pirates).

Despite all my warnings, most of those sites are still hacked and help sell pirated software and steal credit card numbers. This negligence of site/server administrators encouraged cyber criminals to go even further in abusing the reputation and resources of compromised servers. This post is about one such step.

Regular doorway pages

Usually, when I find hidden or cloaked spammy links on compromised sites, they point to specially-crafted URLs on hacked third-party sites — doorway pages that redirect visitors coming from search engines to landing pages on malicious or illegal sites. To create such doorway pages, hackers can add URL rewrite rules to server configuration files, or create rogue files and directories somewhere on the server. They may even modify existing files so that, depending on the passed parameters and request headers, the server response varies from legitimate content to spammy pages (for search engine bots) and redirects (for visitors from search engines).

In any of the above cases, hackers have to extend the functionality of existing legitimate sites. Such modifications can be detected by diligent webmasters who regularly check their site's file system for integrity.

New trend

Not so long ago, I noticed a new trend though. Hackers started to create 100% spammy doorway sites with the same domains as compromised legitimate sites but on different (non-default) ports.

Here’s a screenshot of an Unmask Parasites report that shows spammy links to such doorway sites:

[Figure 1: non-default port]

And here are some Google searches that contain links to doorway pages on non-default ports on the first page of search results:

[Figure 2: buy Windows 7 key]

The same approach is used to create doorway pages for sites that sell counterfeit prescription drugs.

What are the benefits of this approach?

The trick with non-default ports makes doorway pages completely independent from the structure and file system of hijacked sites. This means that:

  1. No need to worry about compatibility with host sites. Doorway pages and redirect rules can't break anything since they are no longer a part of the hacked site.
  2. A cleaner URL structure can be used. No need to hide doorways in subdirectories. No need to use dynamic parameters.
  3. The rogue content can be placed anywhere outside of the host site's file system (hackers can specify a different DocumentRoot). Webmasters who check website files for integrity won't be able to detect anything suspicious.
  4. Websites on different ports usually write logs to different files. This means that site administrators won't see suspicious traffic from Google and other search engines when looking through the logs of their sites.

As a result, hackers get a solution that is easier to maintain and reuse. At the same time it is less likely to be detected by owners of compromised sites.

On the other hand, this approach has its drawbacks. Hackers need more control over compromised servers. It is not enough just to be able to upload and modify user files. To start a web server on a non-default port one needs either root permissions or a poorly configured server with many open ports and world-writable Apache configuration files.

Speculation on PageRank

Doorway sites on non-default ports have the same domain names as the hijacked established websites. But they don't automatically get the same PageRank. For example, Google's toolbar shows PR 0 for home pages on non-default ports when the real sites have a high PageRank (e.g. PR 7). This means that Google distinguishes similar URLs with different port numbers.

However, having the same domain name as an established site seems to be beneficial. This probably adds some authority to doorway pages. At least, they rank quite well.

Some technical details

Here are typical HTTP headers when you request doorway pages on non-default ports:

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, must-revalidate, private, max-age=0
Pragma: no-cache
X-ENGINE: rx-engine
Location: http://topoemsoftware .net/shop/search/?s=windows %257&cpn=www_datamancer_net_soft_ports4
Date: Sun, 21 Nov 2010 15:12:10 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache
Connection: close
Content-Length: 0

As you can see, they redirect (301) to a pirate site (topoemsoftware .net in this case), whose URL contains information about the product targeted by the doorway page (windows 7) and the location of the landing page (www .datamancer .net). Moreover, it says "soft" to specify that the doorway page is a part of a software spam campaign (they also have "pharma" doorway pages) and that it works on a non-default port (ports4). On all doorway sites, the HTTP headers of the redirects contain an "X-ENGINE rx-engine" line — probably some engine that implements the doorway/cloaking functionality. (I encounter the RX abbreviation quite often in pharma spam — does anyone know what it means?)
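The three signals described above (an off-domain 301, a campaign parameter that encodes the hijacked host, and the X-ENGINE header) can be checked mechanically. The following is an added example, not code from the original post; the response text and the hostnames in it are constructed placeholders modelled on the headers shown above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed response modelled on the 301 shown above; hostnames are
# placeholders (example.org / example.invalid), not the ones in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Cache-Control: no-cache, must-revalidate, private, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "X-ENGINE: rx-engine\r\n"
    "Location: http://shop.example.invalid/shop/search/?s=windows%207"
    "&cpn=www_example_org_soft_ports4\r\n"
    "Server: Apache\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Split a raw HTTP response into (status_code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def doorway_indicators(raw, requested_host):
    """Return the doorway signals found in a response served for requested_host."""
    status, h = parse_headers(raw)
    hits = []
    if status in (301, 302) and "location" in h:
        target = urlsplit(h["location"])
        # A doorway sends search-engine visitors to a different domain.
        if target.hostname and target.hostname != requested_host:
            hits.append("redirect off-domain to " + target.hostname)
        # The cpn parameter names the hijacked host (dots replaced by underscores).
        cpn = parse_qs(target.query).get("cpn", [""])[0]
        if requested_host.replace(".", "_") in cpn:
            hits.append("campaign parameter encodes the hijacked host: " + cpn)
    if h.get("x-engine") == "rx-engine":
        hits.append("X-ENGINE: rx-engine header present")
    return hits
```

Run it against the response captured from each non-default port of your own domain; a legitimate site should return no hits.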

The analysis of the Server header revealed that hackers use the same web server for their doorway sites on non-default ports as the legitimate websites on port 80. In all cases it was Apache (different versions though). This means that hackers don't install their own web servers. They just configure the existing Apache to serve doorway sites off of non-default ports. This usually involves adding Listen port_number and <VirtualHost *:port_number> to Apache configuration files.

This sort of configuration change can normally only be done by someone with root permissions. This fact clearly shows that this is not a site-level problem — the whole servers are hacked. And the administrators of those servers don't notice the problem for a very long time …
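Because the rogue vhost shows up as an extra Listen directive, a VirtualHost with a DocumentRoot outside the site tree, and logs written somewhere else, an administrator can audit the Apache configuration for exactly those three things. This is an added example, not the post's own tooling; the configuration text, the expected ports and the allowed directory prefixes are constructed assumptions to adjust for your server.

```python
import re

# Constructed Apache config modelled on the pattern described in the post:
# a legitimate port-80 vhost plus a rogue vhost on a non-default port whose
# DocumentRoot and logs live outside the site's own tree.
SAMPLE_CONF = """
Listen 80
Listen 5946
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example
    CustomLog /var/log/apache2/example_access.log combined
</VirtualHost>
<VirtualHost *:5946>
    ServerName www.example.org
    DocumentRoot /tmp/.rx
    CustomLog /tmp/.rx/access.log combined
</VirtualHost>
"""

EXPECTED_PORTS = {80, 443}              # assumption: ports the admin knows about
ALLOWED_ROOTS = ("/var/www/",)          # assumption: where site files belong
ALLOWED_LOG_DIRS = ("/var/log/apache2/",)

VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def audit_apache_conf(text):
    """Return a list of (port, reason) findings for suspicious directives."""
    findings = []
    # Any Listen on a port the administrator did not intend is the first sign.
    for m in re.finditer(r"^\s*Listen\s+(?:\S*:)?(\d+)", text, re.M | re.I):
        port = int(m.group(1))
        if port not in EXPECTED_PORTS:
            findings.append((port, "Listen on unexpected port"))
    for m in VHOST_RE.finditer(text):
        port, body = int(m.group(1)), m.group(2)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", body, re.M | re.I)
        if root and not root.group(1).startswith(ALLOWED_ROOTS):
            findings.append((port, "DocumentRoot outside site tree: " + root.group(1)))
        # Logs outside the usual directory explain why the traffic is never seen.
        for log in re.finditer(r"^\s*(?:Custom|Error)Log\s+\"?([^\"\s]+)", body, re.M | re.I):
            if not log.group(1).startswith(ALLOWED_LOG_DIRS):
                findings.append((port, "log written outside standard log dir: " + log.group(1)))
    return findings
```

Feed it the concatenation of httpd.conf and every file it includes, and compare the Listen ports it reports with what is actually bound on the host.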

Some of these servers are dedicated — they only host one or two sites. Others are shared — they host hundreds of sites, and each site's domain name coupled with the port number of the rogue site can be used to access doorway pages (for example, the server at 204 .12 .102 .194 (HostMySite) that hosts 150+ domains).

On some servers, hackers configured doorways on multiple alternative ports. For example, on datamancer .net, I discovered rogue sites on ports 5946, 9955 and 57333.

Pirate sites

The pirate sites look almost the same as they did more than a year ago when I first blogged about them. Just a minor facelift and new domain names.

The domain names currently in use are really new — they were all registered on October 4th, 2010.

softbuycatalog .com (created 2010-10-04 23:32:22)
softbuy-download .net (created 2010-10-04 23:32:50)
topoemsoftware .net (created 2010-10-04 23:33:08)
cheapsoftwareus .net (created 2010-10-04 23:33:31)
cheapsoftwareus .com (created 2010-10-04 23:33:37)
payment8ltd .net (created 2010-10-04 23:20:27)

Their WHOIS information is most likely forged (different contact details, different cities, and only seconds between registrations).

The payment8ltd .net domain is used for payment processing. It has an SSL certificate issued on Nov 16th, 2010 by GoDaddy. However, it shouldn't be considered a sign of the site's legitimacy — this certificate only says that the site really is payment8ltd .net and nothing more, with no information about the domain owners.

[Figure 3: payment8ltd.net SSL certificate]

They also use a couple more domains paym8limited .com and paym8ltd .net — most likely this way they pretend to be a “Paym8 (Pty) Ltd” company whose “TrustWave Trusted Commerce” seal (not linked to any particular site) they use on their order pages.

All these domains currently point to a server with IP address 195 .80 .151 .115 (United Kingdom Instantexchanger Ltd).

Traffic estimates

According to Alexa, these sites started to gain a steady amount of traffic right from the moment of their registration.

[Figure 4: Alexa traffic for cheapsoftwareus .com and topoemsoftware .net]

Since these domains are a part of the same black-hat SEO campaign, you should sum each domain's traffic to estimate the scale of the problem. I guess the number should be about 1,000 visitors/day, 30,000 visitors/month. Not that impressive. But I think this may be only the tip of the iceberg.

This server also hosts many more similar pirate sites that were registered on different dates.


Negligence of hijacked sites

With few changes, this black-hat SEO campaign has been active for a very long time. I guess for more than two years. What makes it possible is the negligence of administrators of reputable web resources.

If you take a look at the list of compromised sites you'll see many American, European and Australian educational sites (.edu and .ac.uk, including departments of well-known universities like MIT, Stanford, Johns Hopkins University), US and Australian governmental sites (e.g. the site of the Department of the Premier and Cabinet of South Australia), sites of prominent international organizations (e.g. UNIFEM, Catholic League) and prominent Internet resources like the Webby Awards, Lockergnome, etc.

The list has almost not changed since my article last year. Last year I tried to contact compromised sites directly and tell them about the problem. In most cases I was just ignored. A couple of webmasters thanked me for the information, told me how seriously they take security, but refused to co-operate with me in my investigation or share any information about the internals of the hack. Not surprisingly, these sites are still hacked.

To help site admins who can’t detect such problems themselves I decided to publish my list of compromised doorway sites on non-default ports:


Another list of hijacked sites with doorway pages relevant to this article can be found here (almost 200 domains).

To webmasters (doorway/spammy link detection)

Doorway pages on compromised legitimate sites are a very popular tool for cyber-criminals to drive traffic to their shady resources. They work quite well since there are many webmasters who don't look after their sites and can't detect this sort of breach.

If you don't want to help hackers make money by abusing your site's resources, you should know how to detect doorway pages and spammy links on your site. Here are some tips:

1. Register your site with Google Webmaster Tools and regularly check “Search queries” and “Links to your site” reports. Irrelevant queries and suspicious links should require additional investigation.

2. Regularly conduct [site:your-site-name.com] searches (replace your-site-name.com with the domain name of your site). Check web pages indexed by search engines.

3. If your site contains many pages (hundreds or even more), try to narrow down site: searches by adding popular spammy keywords (e.g. generic viagra, cialis, pills, casino, poker, mortgage, cheap loans, discount, porn, photoshop cs4, and other so-called 3 Ps keywords).

4. If you don't normally use the above spammy keywords on your site, consider creating alerts for site-level searches with those keywords (e.g. [site:your-site-name.com generic viagra]).

5. Use the "Fetch as Googlebot" tool in Webmaster Tools to find out what Google sees when indexing your site. This tool can help reveal cloaking.

6. You can also use the Unmask Parasites online tool to check your web pages for hidden spammy links and cloaking issues.

7. Consider some sort of integrity control for your site files on the server. A version control system can help you detect unauthorized changes to your files and revert them to their original state.
