waiters 1 | 1 Observer
Feb 23, 2012 | #1
There are reports all over the place about ordercustompaper.com being a scam, so I won't get into that right now. I however wanted to bring up the fact that ordercustompaper.com and customwritings.com generate links (for high Google SERPs) by hacking web servers using XSS and other means, and posting their links in the footer of the hacked domain names.
According to another post on this website, it's run by the same people who run the following:
academicexperts.us
advancedwriters.com
affordablepapers.com
bestessaytopics.com
blogscribes.com
buycollegepaper.com
buyessay.org
buyresearchpaper.net
buytermpaper.net
custom-writings.com
customwritings.com
customwritingservice.com
essay-answers.com
essayforyou.com
essaylib.com
essaymoney.com
essaymonitoring.com
essaysexperts.com[DND*]
gpalabs.com
gradelancer.com
historypapers.org
lawpapers.net
livepaperhelp.com
mastersthesiswriting.com
midterm.us
ordercustompaper.com
orderessay.net
plagiarismdetect.com
primewriters.com
revisionlabs.com
thepensters.com
More information on the bot it uses to control the hacked domains:
For its spam, it connects to and speaks with "db.linkfeed.ru"; I got that from linkfeed.php.
Part of the file:
"class LinkfeedClient {
var $lc_version = '0.3.8';
var $lc_verbose = false;
var $lc_charset = 'DEFAULT';
var $lc_use_ssl = false;
var $lc_server = 'db.linkfeed.ru';
var $lc_cache_lifetime = 3600;
var $lc_cache_reloadtime = 300;
var $lc_links_db_file = '';
var $lc_links = array();
var $lc_links_page = array();
var $lc_links_delimiter = '';
var $lc_error = '';
var $lc_host = '';
var $lc_request_uri = '';
var $lc_fetch_remote_type = '';
var $lc_socket_timeout = 6;
var $lc_force_show_code = false;
var $lc_multi_site = false;
var $lc_is_static = false;
"
It then stores the spam links in a file called "linkfeed.links.db" (I think).
These files are going to be stored in /images/0146d2f3sa38a380d2cf5441o4b14f0ffc320d or something random like that.
Then your index file will have like 10 lines starting with "<? $GLOBALS['_581978928_']=Array(base64_decode('' .'Z' .'GVm' .'aW5' .'l'))" and a lot of base64 stuff you need to decode. It contains the linkfeed username, the document root directory, the location of the linkfeed.php file, and a few other things.
More info on the remote shell later.
Also, I'm sorry about this turning technical, but I figured this was the best place to let the public know that ordercustompaper.com hacks domain names for traffic.
More information on the backdoor that ordercustompaper.com and their partner sites install:
Parts of the backdoor script (this script is not very smart and thus it won't work on 99% of the hosting accounts out there, but the fact remains that ordercustompaper.com tried to install it)
(this is just parts of a few files)
#####################################
# ShElL V2 #
# mantap jaya #
# jatimcom #
#####################################
$sh_id = "SkFUSU0gQ09NTVVOSVRZ";
$sh_name = base64_decode($sh_id);
#$sh_mainurl = "jatimcom .uni.cc";
They also installed adminer.org (simple database management script) onto the server.
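For site owners checking their own files against the traces described in the post above, here is a small triage helper, added as an example and not part of the original post or of any tool it mentions. It rejoins the split string fragments inside base64_decode() calls, decodes them, and flags the file names and strings the post lists; the function names and the regular expressions are assumptions of this sketch, and the patterns are heuristics rather than a PHP parser.

```python
import base64
import re

# Indicators named in the post above.
INDICATOR_FILES = ("linkfeed.php", "linkfeed.links.db")
INDICATOR_STRINGS = ("db.linkfeed.ru", "LinkfeedClient")
# The injected line quoted in the post, used here as sample input.
SAMPLE = "<? $GLOBALS['_581978928_']=Array(base64_decode('' .'Z' .'GVm' .'aW5' .'l'))"

# Heuristic patterns: a PHP string literal, a run of literals joined with ".",
# a base64_decode() call on one literal, and the injected $GLOBALS assignment.
_LITERAL = r"""(?:'[^'\\]*'|"[^"\\]*")"""
_CONCAT = re.compile(rf"{_LITERAL}(?:\s*\.\s*{_LITERAL})+")
_B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]*)'\s*\)")
_GLOBALS = re.compile(r"\$GLOBALS\['_\d+_'\]\s*=\s*Array\(\s*base64_decode")


def join_fragments(php):
    """Collapse '' .'Z' .'GVm' style concatenations into a single literal."""
    def merge(match):
        parts = re.findall(_LITERAL, match.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return _CONCAT.sub(merge, php)


def decode_calls(php):
    """Decode the argument of every base64_decode('<literal>') in the source."""
    decoded = []
    for arg in _B64_CALL.findall(join_fragments(php)):
        try:
            raw = base64.b64decode(arg, validate=True)
        except ValueError:
            continue  # not valid base64, leave it for manual review
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def triage(filename, php):
    """Return the findings for one file as a list of short strings."""
    findings = []
    if filename.lower() in INDICATOR_FILES:
        findings.append("file name matches indicator: " + filename)
    decoded = decode_calls(php)
    haystack = php + "\n" + "\n".join(decoded)
    findings += ["contains string: " + s for s in INDICATOR_STRINGS if s in haystack]
    if _GLOBALS.search(join_fragments(php)):
        findings.append("obfuscated $GLOBALS array: " + ", ".join(decoded))
    return findings
```

Run `triage(name, contents)` over each PHP file under the document root; an empty list means none of these specific traces were found, not that the site is clean.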
