I published the first part of this article in my online journal on Dec. 12th, 2007, with many updates after that. It details how I discovered a massive hacking attack on a major Amrican ISP, and from there how I stumbled across a network of hacked Web sites, redirectors, and malware servers being used to distribute computer trojans and malware, typically in the guise of movie player software or fake antivirus software.

The original journal entry, which has generated quite a large number of responses, is here. Followups are here and here. The journal entries contain much more technical detail about the attacks; this is the executive summary.

I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me.

And in the process, I've discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I've ever heard of.

A little background is in order. If you've used Google for any length of time, you probably know that when you Google popular keywords you'll often run into "spam pages." These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like "tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock" and have excerpts that look like "she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod". These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer's site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.

They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who's unwary enough to click on them.

Normally, I get about nine pages of results when I search for my name on Google; but this time, I got 56 pages of results, over 200 in all.

Most of these pages look like this:

The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info "I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark's, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.

"Oh, well, this is interesting," thought I, "polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now."

I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to. And that's when things started to get weird.

What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchastrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP--the largest single Web site security breach I've heard of.

The first Web site I found that contained one of these spam pages is on page 19 of the Google results for the search term "franklin veaux" (with quotes). It was on a site called patkolstad.org; the URL of the spammer redirect page is


NOTE: The URLs given here and elsewhere in this article no longer direct to viruses; they have since been cleaned up. Other URLs have taken their place, however, and the network described here is still operational.

The Web site at patkolstad.org belonged to a man named Pat Kolstad, who is (or was) one of the city councilmen in Santa Clara, CA. Not, in other words, a likely spammer interested in directing people to virus droppers in Eastern Europe. Clearly, his Web server has been hacked, and the redirectors have been placed on his server without his knowledge. I did a whois lookup on his domain name to see who his Web host is. He is hosted by iPower Web, a cut-rate Web hosting company that advertises "Hosting over 700,000 Web sites!"

The next Web site I found that contains one of these spam pages was a place called u4info.net. It's a now-defunct Chinese-language forum of some sort. The spam page was at

http://u4info.net/study/templates/subSilver/images/ lang_english/nucrz/har/ad/5/polyamory.html

It looks like what happened here is pretty straightforward; the forum software has a security vulnerability, and the hackers used it to drop spam redirection pages into the forum template directory, right? Anyway, I did a whois on this site, and found that it is also hosted by iPower Web. Interesting coincidence, I thought.

Next on the list is axlemike.com. It's a Web site for a business in Mesa, Arizona that recycles and rebuilds axles for trucks. The hacker apparently penetrated this site's security and placed a redirector at


that goes to the same virus dropper. I looked up this site's hosting information; it's hosted at iPower Web.

Okay, two is coincidence; three is starting to look like a trend.

I started skipping around, looking up the whois information for Web sites that contained obvious spam pages in the search.

indielegaldocs.com? Hosted by ipowerweb. theannuityvault.com? Hosted by ipowerweb. cntmicrosystems.com? Hosted by ipowerweb. sixgunband.com? Hosted by ipowerweb.

Every one of these Web sites, and hundreds and hundreds more, has been hacked. In every case, the hacker has placed pages filled with keywords related to polyamory, that redirect to virus droppers. And every one of them is hosted by the same Web hosting firm: iPower Web.

I kept going. maggerific.com. footloosecanada.com. osynergyc.com. culpeperchristianschool.com. peoplethought.com. ansacnet.com. All hosted by ipowerweb. In fact, I kept this up for over an hour, checking hundreds of domains that had been hacked and had these redirector pages installed on them. ALL of them reside on servers owned by ipowerweb.com.

In other words, it appears that someone has figured out how to penetrate Web sites hosted by this hosting company at will, and has all at once placed Web pages on all of them which intercept popular Google keyword searches and redirect them to virus droppers.

iPower boasts that it hosts over 700,000 Web sites. Think about that for a minute.

I dropped an email to the abuse team at ipowerweb.com, letting them know that I had found a number of Web sites they were hosting had been compromised, and contained Web pages that redirected visitors to sites that tried to install viruses on their systems. I gave them a list of some of the URLs of the redirectors, and told them there were hundreds, if not thousands. more, and that they seemed to have a massive security breach on a huge scale.

The next day, I got an email back that said "I have checked the web site (domain name) and noticed that there is no virus redirector files located at (redirector URL) . Please get back to us with link where exactly no virus redirector files are located so that we can take necessary action against this web site."

Well, hmm, that's odd, I thought, they were there yesterday.

I clicked on the links in the email that I'd sent, and sure enough, all of them showed 404: File Not Found errors. "Now that's damn odd," I thought.

I went back and repeated the Google search. The same comporomised servers came up. I clicked on the links in Google and found myself redirected to the virus droppers.

I clicked on the links in the email and found myself staring at a 404 File Not Found error.

I clicked on the links in Google and found myself at a virus dropper.

A light bulb went on. "Aha!" I thought. "I bet these redirectors hide themselves! If you visit one of these pages from Google, it'll redirect you; but if not, it won't!"

A little more background is necessary for anyone who does not understand how the Web works. If you are on a Web site, and you click on a link to another site, your browser will tell the site you clicked on where you came from. For example, if you are reading my LiveJournal, and you click on a link to my SymToys site, your browser will tell my Symtoys site "I came from tacit.livejournal.com".

This is called a "referer." Your browser will tell any link you clicked on who the referer was--that is, where you clicked on the link.

My theory was that if the referer to one of these spam pages was set to anything but "google.com" the page would redirect to a 404 error; otherwise, it would redirect to the virus dropper.

To test this, I used a program called wget. This is a nifty little program that's sometimes used to troubleshoot malfunctioning Web servers. If you type "wget www.symtoys.com" on a command line, it will show you step by step every bit of communication between your computer and the symtoys.com server; that is, you'll be able to see the exact commands that a Web browser would send to www.symtoys.com, and the exact responses the server would send back.

You can tell wget to pretend to be just about any browser, and you can tell wget to pretend to have any referer you want. I picked one of the URLs of one of these redirectors, namely "http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html"

Then I typed the command "wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html" This is what I saw:

wget http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html

--16:21:32-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /404 [following]
--16:21:34-- http://mdhardyinc.com/404
=> `404'
Connecting to mdhardyinc.com[]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
16:21:35 ERROR 404: Not Found.

It got a "file not found error. Then I used the same command, only this time I instructed wget to pretend that it had come from a link on Google:

wget --referer=http://www.google.com http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html

--16:19:40-- http://mdhardyinc.com/rclrn/har/ad/5/polyamory.html
=> `polyamory.html'
Resolving mdhardyinc.com... done.
Connecting to mdhardyinc.com[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=mdhardyinc.com&ver=6 [following]
--16:19:41-- http://traffloader.info/go.php?s=mdhardyinc.com&ver=6
=> `go.php?s=mdhardyinc.com&ver=6'
Resolving traffloader.info... done.
Connecting to traffloader.info[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:43-- http://www.clipsfestival.com/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving www.clipsfestival.com... done.
Connecting to www.clipsfestival.com[]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000 [following]
--16:19:45-- http://powerof3x.com/m2/movie1.php?id=4161&n=teen&bgcolor=000000
=> `movie1.php?id=4161&n=teen&bgcolor=000000'
Resolving powerof3x.com... done.
Connecting to powerof3x.com[]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=
http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg [following]
--16:19:47-- http://www.3xpowered.com/m4/index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=
=> `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=
Resolving www.3xpowered.com... done.
Connecting to www.3xpowered.com[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 32,811 5.17K/s

16:20:03 (5.17 KB/s) - `index.php?id=4161&n=&a=SatyrIconIc&v=928400.66666667&preview=
http%3A%2F%2Fwww.3xfestival.com%2Fst%2Fthumbs%2F010%2F8859211374.jpg' saved [32811]

Look at that!

Here is what is happening:

You go to one of these spam pages. If you came from anywhere but Google, you see a 404 file not found error. However, if you came from Google:

It sends you off to a Web site called "traffloader.info". Traffloader.info is a Web site hosted in the country of Moldova, a tiny Eastern European country that used to be part of the Soviet Union.

The traffloader.info Web site then picks one of three other Web sites at random, and redirects to that Web site. In this case, it randomly picked www.clipsfestival.com. Clipsfestival.com is a Web site in the Czech Republic, also in Eastern Europe.

Clipsfestival.com redirects to powerof3x.com. The server powerof3x.com is registered in the Ukraine, in Eastern Europe. It redirects to www.3xpowered.com, also registered in the Ukraine.

3xpowered.com is the virus dropper. When you go here, your computer will attempt to download an .exe file, which will, if downloaded and executed, infect your computer.

So, to recap: A huge number of Web sites, all hosted by a company called iPower Web, have recently been hacked all at once. The hacked Web sites have all had new files placed on them which contain thousands of common Google keywords, including my name. When someone visits one of these pages from Google, he gets passed from the hacked Web site through a chain of Web sites in Eastern Europe, and finally ends up on a server that attempts to install a virus.

Now I knew how the redirectors worked, how they hid themselves, and how they passed off requests through traffic handler Web sites to Web sites that try to download malicious software. What I didn't know was how large the virus distribution network was.