Compromised Servers Used for Referer Spam Linking

I started seeing a large number of attempted REFERER spam links in my logs over the past few days of the form <valid website>/images/online/<spamvertised product>.  If you take off the “/images/online…” part and just look at the root, they all appear to be valid, normal, websites (one was even for a Minnesota state representative).  The interesting thing is that if you look in “/images” you’ll find something called “99.php”.  That file is a spammer/cracker console.  It appears that all of these servers have been pwn3d by a Russian hacking group and this PHP script is a tool they’re using called “c99drink.” 

So far, out of the random sample of 7 or 8 links that I checked, the output of 99.php shows that each system belongs to iPowerWeb.  It would appear that they have some sort of systemic problem that allowed the crackers to gain access to the system and install their toolkit.

Here’s what c99drink looks like on a typically infected server:

This appears to be a relatively new toolkit, as I could find no hits for it on Google.

Comments are closed.