Mass Compromise of IIS Shared Web Hosting for Blackhat SEO: A Case Study

This case study examines in detail a recent breach of a shared webserver running Microsoft IIS. We describe how to detect the intrusion on a particular GoDaddy-hosted webserver controlled by the authors, and we review a recent mass compromise of IIS shared hosting to provide context for the case study. We describe how the attackers have used the compromise as part of a larger blackhat search engine optimization (SEO) campaign. We then locate the hacker's backdoor into the server and proceed to deobfuscate the malicious script. Once deobfuscated, we explain how the attack operates and link the attack to websites promoting counterfeit goods. We developed a program called the 'Link Spider' to recursively crawl all malicious URLs and scripts placed on our server and collect the websites they connect to. We examine the links gathered by the 'Link Spider' to determine the top name brands being solicited by the hackers. Next, we research the hacker's counterfeit-goods storefronts and describe how the counterfeit-goods supply chain operates at its various stages. We then examine China's role in the counterfeit-goods websites reviewed, and the role of various web hosting companies that act as safe havens for these illegal storefronts. We show that some of these companies and web hosts also participate in the sale of online pharmaceuticals, and we estimate the amount of illegal web traffic these hosts may support. Finally, we inspect a random sample of GoDaddy-hosted IIS webservers to estimate the prevalence of this particular backdoor.
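The crawl-and-tally step that the 'Link Spider' performs can be sketched as a depth-limited breadth-first crawler. The following is an added illustration written for this page, not the authors' tool: it walks a constructed, offline link graph in which a doorway page on the compromised host points at redirector scripts, which in turn point at storefront domains, and it records every host reached while tallying brand keywords found in anchor text. All URLs, page bodies and the brand list are constructed sample data, and `fetch()` is an offline stand-in for an HTTP client.

```python
"""Depth-limited link spider over an offline, constructed page graph.

Added illustration of the crawl-and-tally step described in the abstract; it is
not the authors' 'Link Spider' code. The page contents below are constructed
sample data so the example runs without network access; the hostnames and the
brand keyword list are assumptions made for the demo.
"""
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages (hypothetical URLs): a doorway page on the compromised
# host links to redirector scripts, which link on to storefront domains.
SAMPLE_PAGES = {
    "http://victim.example/doorway.html": """
        <html><body>
        <a href="/inc/redirect.php?id=1">cheap brand-a handbags</a>
        <a href="/inc/redirect.php?id=2">discount brand-b shoes</a>
        <a href="http://victim.example/doorway.html">home</a>
        </body></html>""",
    "http://victim.example/inc/redirect.php?id=1": """
        <html><body><a href="http://store1.example/brand-a-bags">brand-a bags</a>
        <a href="http://store2.example/sale">brand-a outlet</a></body></html>""",
    "http://victim.example/inc/redirect.php?id=2": """
        <html><body><a href="http://store2.example/brand-b">brand-b shoes</a></body></html>""",
    "http://store1.example/brand-a-bags": "<html><body><a href='http://pay.example/checkout'>buy</a></body></html>",
    "http://store2.example/sale": "<html><body>no links</body></html>",
    "http://store2.example/brand-b": "<html><body><a href='http://pay.example/checkout'>buy</a></body></html>",
    "http://pay.example/checkout": "<html><body>checkout</body></html>",
}

BRANDS = ("brand-a", "brand-b", "brand-c")  # assumed keyword list for the tally


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text so far] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def fetch(url):
    """Offline stand-in for an HTTP GET: return the constructed page body or None."""
    return SAMPLE_PAGES.get(url)


def spider(seed, max_depth=3):
    """Breadth-first crawl from seed, following links at most max_depth hops deep.

    Returns (domains, brand_counts): the set of distinct hosts reached and a
    Counter of brand keywords observed in anchor text along the way.
    """
    seen = {seed}
    queue = deque([(seed, 0)])
    domains = set()
    brand_counts = Counter()
    while queue:
        url, depth = queue.popleft()
        domains.add(urlparse(url).netloc)
        body = fetch(url)
        # Pages at the depth limit are recorded but their links are not followed.
        if body is None or depth >= max_depth:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href, text in parser.links:
            target = urljoin(url, href)  # resolve relative hrefs against the page
            lowered = text.lower()
            for brand in BRANDS:
                if brand in lowered:
                    brand_counts[brand] += 1
            if target not in seen:
                seen.add(target)
                queue.append((target, depth + 1))
    return domains, brand_counts


if __name__ == "__main__":
    hosts, brands = spider("http://victim.example/doorway.html")
    print(sorted(hosts))
    print(brands.most_common())
```

The depth limit and the `seen` set keep the crawl bounded even when the injected pages link back to themselves, as the doorway page does here; in a live investigation the tally over anchor text is what yields the per-brand ranking the abstract refers to.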