How Many Movies Has Kevin Bacon Made? Viagra.
by Ryan Sproull
NOTE: Despite its title, this is the article about Kiwiblog. All will become clear.
SECOND NOTE: DPF’s technical dudes have fixed the problem. Google caches of Kiwiblog remain hilarious.
Remember that scene in Batman where he’s telling Vicky Vale which combinations of products form Joker’s Smilex?
Try this. If you Google “hot” or “iranian” or “girls” or “squirting”, you’ll find all kinds of pages. But only by Googling “hot iranian girls squirting”, with quotes, will you find… Kiwiblog.
Try it now, if you like. Google “hot iranian girls squirting”. Or, “free japanese schoolgirls girls dancing naked”. Also, “schoolgirl wet naked girls hot girl fucked”. And you’ll find Kiwiblog posts each time.
And, strangely, if you search for pages in New Zealand, you’ll find Kiwiblog with “how many movies has Kevin Bacon made?”
It seems that for a while – at least a few weeks – at the bottom of every Kiwiblog page, there is a series of common search keywords – viagra, cialis, naked japanese schoolgirls, etc.
You won’t see the keywords yourself, because they’re invisible to everyone but search-engine searchbots and people wearing magic goggles (setting their useragent to appear as a searchbot themselves). Each of the keywords are links to presumably hacked American college servers, such as the University of Washington and Michigan State University. The pages linked to are dead ends, filled with further strings of keywords, some of them relevant to the words in the link. The meta tags of each page are identical to the words in the link to the page. And the pages themselves are set to appear only to searchbots also.
The pages have no malicious script in them, and even if they did, they’re appearing only to searchbots, which don’t use Javascript. Nothing on the pages attempt to sell anything, and even if they did, they’re appearing only to searchbots, which don’t buy Viagra.
As far as I can tell, the sole purpose of this stuff at the moment is to generate what’s called Google juice – priority in Google’s searches. Google gives particular weight to links to academic websites, so that network of hacked .edu servers is handy. When dealing with MSN or Yahoo searchbots, the links are different – all to .com websites. Presumably this is because MSN and Yahoo don’t lend that extra weight to academic site links, so there’s no point in wasting those links on non-Google searchbots.
I wasn’t the first to notice – something like it was pointed out in this comment on The Standard, on May 24th. Subsequent comments suggest that DPF got rid of the code straight away. Now it’s back, and showing up only to searchbots. There’s also this comment by lprent, where he says that the same thing has happened to The Standard in the past.
So it’s happened to other people. The question is, why would someone hack a server only to leave code that does nothing but help the owner of the hacked website? There’s no malicious code, nowhere to put your credit-card number in order to buy fake Viagra, and the whole thing is invisible to everyone who visits the site – except for searchbots.
Well, the best bet is that this is just the first phase of a larger plan. Dun dun dunnnn. This network of hacked servers around the world is used to raise the Google rating of those hacked servers for the keywords the searchbots are finding. Kiwiblog and The Standard have probably been hit precisely because they’re the top two blogs in New Zealand. Over time, the searchbots are learning that these links are popping up everywhere, going to pages on academic websites that seem extremely relevant to the wording of the link (including meta tags). Eventually, anyone who searches for…
Hold on. I’ll just see what’s on Kiwiblog’s front page right now. Hmmm. Okay, yeah.
Eventually, anyone who searches for “reverse facesitting” will pop up with those pages on the first page of Google results.
At that point, the nasty folk can replace their benign visible-only-to-searchbots random words with some far more malicious code visible to everyone, exploiting whatever vulnerabilities are current for Internet Explorer or whatever. There are a lot of keywords in this stuff. 2000 of them. So that could end up being a lot of people.
The morals of the story are…
1. Use Firefox with NoScript running – and up-to-date virus/spyware software (I recommend Avast, which is free) – and this kind of thing won’t bother you.
2. DPF and others might want to start occasionally checking their sites by changing their user agent to appear as a searchbot (using User Agent Switcher for Firefox).
Note that if you’ve been reading Kiwiblog, you probably don’t have anything to worry about. The changes made to DPF’s site are currently fairly benign. At any point, of course, whoever gained access to make this change could slip in actually malicious code any time they like. I refer you again to point 1 – use Firefox with NoScript.
Maybe I should have a look through high-ranked WP blogs. Sounds like they might have themselves a problem. Glad you’re still alive, Bronwyn.
This happened to my blog last year. But rather than benefit me with increased traffic, my site ended up being un-listed by Google so my hits dramatically decreased to a trickle – rather scary in many ways.
I eventually sorted it out. I believe the problem was a hole in an older version of WP, so the first thing I did was upgrade.
Stupid intarwebz.