web application security lab

Hacked .EDU Sites Used For SEO

I’m sure this is old news to some people, but it’s the first time I’ve seen it show up in my logs before. In the last twenty-four hours three different hacked .edu domains have shown up in my logs. Stanford.edu, UCNE.edu and ISI.edu have all been at least somewhat compromised where the domains now host spam sites. Not so good.

Clearly the administrators of their domains have got some work to do to secure their sites. But it does cast some doubt on the “good” and “bad” domain concept. When a good domain goes bad, is it breakout (intentionally getting a good reputation and then converting to be bad) or is it spam? Either way, it’s clearly bad, but what to do about it? Do you blacklist the pages or the whole domain? That’s gotta make life a little harder for the search engines that try to stay away from spammy domains. Perhaps reputation and link popularity are a bad model after all.

3 Responses to “Hacked .EDU Sites Used For SEO”

  1. Paul Schmehl Says:

    Interesting results from a Google search of “Additional Articles Related to” AND “order cialis”.

  2. RSnake Says:

    Whoa. Here’s what I found (for those who don’t get to see it if/when Google takes it offline):

    www.hcs.harvard.edu
    dasnr5.dasnr.okstate.edu
    abl.med.utah.edu
    biochem.med.ufl.edu
    www.pathology.washington.edu
    www.loyno.edu

    It’s sort of a mixed bag of servers and configs (haven’t run nmap against them and who knows if they have some other webserver exploit):
    Server: Apache/2.0
    Server: Apache/1.3.29 (Unix) PHP/5.0.5 mod_ssl/2.8.16 OpenSSL/0.9.7d
    Server: Apache/2.0.51 (Fedora)
    Server: Apache/2.2.2 (Fedora)
    Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8d DAV/2 PHP/5.2.0 mod_pubcookie/3.3.2b
    Server: Apache/1.3.33 (Unix) PHP/4.4.0

    Firstly, it’s surprising Google is actually indexing this crap, and secondly, it’s amazing that so many .edus have been compromised.

    Btw, for anyone trying to post here about this, don’t use the magic drug words, most of them are blocked and I won’t even see your comments.

  3. bill Says:

    If you want something interesting, search “abl.med.utah.edu/bugzilla-2.16.6”

    I keep seeming to find a defacer going by the name aLpTurkTegin behind many of them.