Cat and mouse with a hacker

Clifford Stoll once noticed a hacker breaking into a system he was working on because of a fractional difference in the totals for the timesharing accounts – something like 0.13cents, if memory serves.

Well, there’s a hacker attacking the Free Our Data site (not, apparently, blog), but we’re not on timesharing yet. Detecting what they’ve done is a lot easier: they stuff loads of pharma spam into the bottom of the front page (not, to repeat, the blog front page, nor any of the links).

The spam, which comes after the closing /html bracket, hides itself using “font style=’position: absolute;overflow: hidden;height: 0;width: 0″ and then points to a slew of links at (I’ve nofollowed the link so search engines won’t go there.) However, if you try to access that directory, it’s blank. (Blank via curl too, so there isn’t anything at all.)

But if you try to access one of the links, especially via curl, you find a page that includes the text “Home Page of Eduardo Dueñez” with a load of guff generated by CMS Made Simple version 1.3.1. Hello, CMS Made Simple! Your stuff is used by spammers and scammers! Do you feel happier now?

(The real Eduado Dueñez lives here, by the way – he’s an assistant maths professor at UTSA. Might email him, actually.)

However, closer examination shows that it loads a Javascript (at that then redirects you to its pharma if you are not a search engine.

I’ve found this spam in there and killed it a couple of times, and it’s come back. That’s worrying of course – it suggests that this is drive-by, automated hacking that is done when the links are found to have been removed from Free Our Data, or against some schedule.

So I still have some way to go in discovering what’s going on. There seem to be plenty of other sites out there which have also been hit – so it must be an automated drive-by, at a guess.

But what? There’s a faint possibility that it’s a PHP hack – my own site (here) is unaffected, and uses a bit less.


  1. This happened to me a while back. Glad to say I managed to sort it out. Its very annoying when hacking happens.

  2. Fixed 15 sites from Netherlands with almost the exact same situation last night. It’s almost certain that you have a c99 script on the server that allows the hacker to insert the links

Comments are closed.