Sucuri.net, a security scanning company recently discovered a new exploit that adds a unique module to many Apache web servers, and when compromised, return spam links.
Here’s how it work?
The hackers use an SSH or CMS exploit to gain root access and then install a small module that watches the web server’s traffic over time. When you visit the site normally you’ll see absolutely nothing amiss, even in the source code.
For e.g., the University of the West’s website returns a regular web page and shows no problems in the source. However, when you do a web search for “uwest.edu and viagra,” you get the infected pages. This indelibly links the potentially popular and trustworthy uwest.edu with the spammer’s URLs.
The groups or individual hackers are fairly diligent. David Dede of Sucuri.net said “I saw some of their scripts and they’ve a list of 20+ vulnerabilities that they try on every site. Once they’re inside, they create shells, backdoors and things like that.”