Exploit Blackhat SEO (type 1703)

Richard Head

When I visit the following site and click on any of the options/links, AVG
reports a Web Shield Alert caused by Exploit Blackhat SEO (type 1703).
Does anyone else get this response? I have searched on Google and not really
come up with a clear answer.

http://www.kttchurch.org.uk/
 
David H. Lipman

From: "Ant" <[email protected]>


| No need to search google, just look at the raw html of the pages.
| There's a mass of hidden links at the bottom of each of them.
| Whoever's running that server should fix the vulnerability that
| enabled all that crap to be injected. You might want to tell them
| about it.

| Server: Apache/2.0.63 (FreeBSD) mod_python/3.3.1 Python/2.5.1
| PHP/5.2.6 with Suhosin-Patch mod_fastcgi/2.4.6 mod_ssl/2.0.63
| OpenSSL/0.9.7e-p1 DAV/2 mod_perl/2.0.4 Perl/v5.8.8
| X-Powered-By: PHP/5.2.6



Thanx Ant.

A WGET download of the INDEX.HTM submitted to VT shows nothing as well as JSUnpack and
Wepawet and I don't see malicious code. Just the appended URLs as you noted.

So is this AVG and its webcrawler component going out to the web site and saying the web
site is Exploitable for the 'Blackhat Search Engine Optimization (SEO)' ?
 
Richard Head

Ant said:
No need to search google, just look at the raw html of the pages.
There's a mass of hidden links at the bottom of each of them.
Whoever's running that server should fix the vulnerability that
enabled all that crap to be injected. You might want to tell them
about it.

Thanks for that. Are you saying that the site has been hacked? I have tried
clicking on Contacts to notify them of the problem but of course all I get
is the AVG Alert warning.
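
The hidden link block described in this thread can be located mechanically in a page's raw HTML. The Python sketch below is an added example, not part of the thread: it reports off-site links that sit inside visually hidden containers. The style heuristics, the sample page and all hostnames in it are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles often used to hide injected link blocks (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}

# Constructed sample page; every hostname here is made up.
SAMPLE = """<html><body>
<p><a href="http://church.example/contact.html">Contact</a></p>
<a href="http://partner.example/">Visible partner link</a>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example/buy">cheap pills</a><br>
  <span><a href="http://casino.example/">casino</a></span>
</div>
<div style="DISPLAY: none"><a href="/local">x</a> <a href="http://loans.example/x">y</a></div>
</body></html>"""

class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []         # (tag, hidden) per open element; hidden is inherited
        self.hidden_links = []  # off-site hrefs found inside hidden containers

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        hidden = hidden or bool(self.stack and self.stack[-1][1])
        host = (urlparse(a.get("href") or "").hostname or "").lower()
        if tag == "a" and hidden and host and host != self.site_host:
            self.hidden_links.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):  # tolerate mis-nested markup: unwind to nearest match
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, site_host):
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.hidden_links
```

Links hidden through an external stylesheet or by script are not caught by this inline-style check, so an empty result does not prove a page is clean.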
 
