Paid Advertising
web application security lab

Hacked .EDU Sites Used For SEO

I’m sure this is old news to some people but it’s the first time I’ve seen it show up in my logs before. In the last twenty four hours three different hacked .edu domains have shown up in my logs., and have all been at least somewhat compromised where the domains now host spam sites. Not so good.

Clearly the administrators of their domains have got some work to do to secure their sites. But it does cast some doubt on the “good” and “bad” domain concept. When a good domain goes bad, is it breakout (intentionally getting a good reputation and then converting to be bad) or is it spam? Either way, it’s clearly bad, but what to do about it? Do you blacklist the pages or the whole domain? That’s gotta make life a little harder for the search engines that try to stay away from spammy domains. Perhaps reputation and link popularity is a bad model afterall.

3 Responses to “Hacked .EDU Sites Used For SEO”

  1. Paul Schmehl Says:

    Interesting results from a google search of “Additional Articles Related to” AND “order cialis”.

  2. RSnake Says:

    Whoah. Here’s what I found (for those who don’t get to see it if/when Google takes it offline):

    It’s sort of a mixed bag of servers and configs (haven’t run nmap against them and who knows if they have some other webserver exploit):
    Server: Apache/2.0
    Server: Apache/1.3.29 (Unix) PHP/5.0.5 mod_ssl/2.8.16 OpenSSL/0.9.7d
    Server: Apache/2.0.51 (Fedora)
    Server: Apache/2.2.2 (Fedora)
    Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8d DAV/2 PHP/5.2.0 mod_pubcookie/3.3.2b
    Server: Apache/1.3.33 (Unix) PHP/4.4.0

    Firstly, it’s surprising Google is actually indexing this crap, and secondly, it’s amazing that so many .edus have been compromised.

    Btw, for anyone trying to post here about this, don’t use the magic drug words, most of them are blocked and I won’t even see your comments.

  3. bill Says:

    if you want something interesting, search “″

    I keep seeming to find a defacer going by the name aLpTurkTegin behind many of them.