zurnal24 Forumzurnal24.info
Forum / General Talk47

Ukrainians are hacking and illegally redirecting THOUSANDS of sites

writers2beware 41 | 2,026 ☆☆☆☆  
Feb 04, 2014 | #1
The filthy, disgusting, Ukrainian criminals are once again hacking THOUSANDS of innocent people's Web sites in order to insert malicious redirection code. The victims include businesses, universities, musicians, organizations, etc. Following is the link to search results for merely one keyword. Keep in mind that they are doing the same thing with thousands--if not millions--of different keywords.


Search results: google.com/search?nord=1&site=webhp&q=termpaperlab

You will see that many of the listings redirect to evolutionwriters.com, paperduenow.com, and other sites owned by the same, dirty, corrupt, lawless outfit in Ukraine.


Can you help to pinpoint the vulnerability that the pigs are exploiting? We can then post the solution here. We can also the appropriate developers about providing patches to their clients.
Donald 7 | 69   Observer
Feb 04, 2014 | #2
Thanks - looking into it and reporting to Google.

Looks to be redirect by meta refresh. paper-writing.php was maliciously uploaded to the server (I don't know how) and it redirect referrers like 'paper_id' / 'essay_id' to the attacker's own websites. They also use some kind of cloaking to insert random keywords (the content can be see on Google cache pages).

This article gives more detail - it includes examples from hccs.edu - aw-snap.info/articles/spam-hacks.php
OP writers2beware 41 | 2,026 ☆☆☆☆  
Feb 04, 2014 | #3
Well, the redirects are definitely referrer-based. Redirection occurs only if you click on the link in Google's search results. If you attempt to go directly to the page (for example, automaticwasher.org/FUN/writing-help.php?essay_id=term-paper- lab) in your browser's address bar, the redirect does not take place. Instead, you get a 404 or are redirected to the site owner's default page. So, in short, the scumbags are injecting malicious code that redirects victims' pages only when those pages are clicked from within Google's search results.

UPDATE: The redirects take place from within Bing's search results, as well. However, a few tests indicate that the redirects are NOT currently taking place from within Yahoo's search results.
Donald 7 | 69   Observer
Feb 04, 2014 | #4
I recall I had ed hccs.edu about it a couple of weeks ago, but received no reply. Do they care? One possibility is that their own webmaster is doing a dirty job. I would not be surprised after having seen so many 'legit' sites that had malicious links published without the owners knowledge or consent.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Feb 05, 2014 | #5
One possibility is that their own webmaster is doing a dirty job.

That's definitely not what's happening. The scale is far too vast for that to be the case. We're talking hundreds of thousands of exploited sites. The criminals are sending out a bot to scour the Internet in search of sites that contain the particular vulnerabilities that they wish to exploit. The bots either compile a list of the vulnerable sites so that the scum can exploit them later or the bot exploits the vulnerabilities of each site on-the-spot. It just depends on the capabilities of their bot.
MeoKhan    7 | 1,393 ☆☆   Freelance Writer
Feb 05, 2014 | #6
Do we see a global-level distrust in essay writing websites? Because if the bot is injecting malicious redirecting links to thousands now, there is no doubt the number will steadily increase in the near future.
Donald 7 | 69   Observer
Feb 05, 2014 | #7
Well, Ukraine is hacker's haven: cnbc.com/id/49926887. I hope it joins EU so that the illegal activities can be stopped.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Feb 18, 2014 | #8
I wonder if Yuri and Alexey are OK.

foxnews.com/world/2014/02/18/protesters-clash-with-pol ice-in-ukraine-capital-as-opposition-say-govt-stalling/
Donald 7 | 69   Observer
Feb 18, 2014 | #9
I wonder if Yuri and Alexey are OK.

If they have something to do with illegal web hacking or negative SEO activities I wish Ukraine to join the EU. It will be easier to prosecute and put them in jail.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Feb 18, 2014 | #10
. . . I wish Ukraine to join the EU. It will be easier to prosecute and put them in jail

faggotbruce - | 32   Observer
Feb 19, 2014 | #11
You guys are such drama llamas.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Feb 22, 2014 | #12

Ukrainian President Ousted

You're not going to be able to hide behind the law for much longer, Yuri, Alexey, AND Eugene. Once Ukraine joins the EU, you're going to be held accountable for ALL of your past and current illegalities. Your hacking, in particular, will carry severe monetary AND criminal penalties.
Donald 7 | 69   Observer
Feb 22, 2014 | #13
Maybe they will move to Kenya :lol:
Para jugar - | 1   Freelance Writer
Feb 23, 2014 | #14
Really they have created many problems for many different audiences. I really do not understand why anymore.
Major 39 | 1,367 ☆☆☆☆  
Mar 31, 2014 | #15
More evidence that the FBI may find helpful.

Hacked web page: ibm.com/developerworks/community/forums/html/topic?id=81fb2b56-bc 1f-41d9-9917-73ad666b19e4

IBM web page hacked by RushEssay
OP writers2beware 41 | 2,026 ☆☆☆☆  
Apr 02, 2014 | #16
Did someone report the hack to IBM? I ask because the hacked and injected page now redirects to a developer sign-in page.
Donald 7 | 69   Observer
Apr 02, 2014 | #17
now redirects to a developer sign-in page.

It's still there - when you copy/paste the link you need to remove the space from here: bc[space]1f

bestessaytown.com [DND*]
bestessay.com [DND*]

For anyone who's been wondering (me included) why they created so many seemingly nonsense domains.. I can confirm their main website (bestessays.com [DND*]) is banned from Google for spamming. They now try to redirect visitors to the (still clean) domains. It is still surprising they are ranking high for the new domains (without much history or reputation).
formerworkerofyuri - | 4   Observer
Apr 09, 2014 | #18
You wanna know where these people are located? If I'll give their details what will I have in return? :p

Kenya? Never been there! Some writers though. :D Wanna know their exact address?
Donald 7 | 69   Observer
Apr 09, 2014 | #19
You wanna know where these people are located?

formerworkerofyuri - | 4   Observer
Apr 09, 2014 | #20
what is your email address? it would be better if we'll talk there
Donald 7 | 69   Observer
Apr 27, 2014 | #21

The main company behind the hacks of the US government, university, and competitor websites and other online criminal activities allegedly is: ASL (English name) / ESL (Ukrainian name). They are based in Kiev, Ukraine.

They own about 21,000 of domains that they use to spam their own essay services, hijack private computers, and launch negative SEO attacks against their competition. They are active in different markets (not only academic paper writing). A list containing a few thousands of domains they have used so far to launch negative SEO attacks has been forwarded to interested parties to include them in their disavow.txt file.

soyquixote.com or widestep.com - these are one of the domains they own (having this info it's possible to track all of their domains).

Their fraudulent activities have been going on for several years now. Here is what another victim discovered about them back in 2010:

Major 39 | 1,367 ☆☆☆☆  
Apr 27, 2014 | #22
You are onto something, even though the company you mentioned appears to be a domain registrar. You should look into the other company mentioned on the linked page.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Apr 27, 2014 | #23
A list containing a few thousands of domains

I'd love to see that list.
Major 39 | 1,367 ☆☆☆☆  
Apr 28, 2014 | #24
Nothing interesting; just thousands of spammy domains (.ru, .info, .com, .net mostly), with the word "domain:" in front of them.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Apr 30, 2014 | #25
Still, I'd like to see it. If someone can email it to me, I'd appreciate it.
queen sheba 74 | 799 ☆☆   Observer
Apr 30, 2014 | #26
i have them. send me your email but keep in mind that i normally charge for such information
Donald 7 | 69   Observer
May 02, 2014 | #27
The hornet's spam nest: adopt-us-kids.com

Writing spam nest
JTP - | 4   Observer
Jun 05, 2015 | #28
Thank you for writing about this. It really helped me understand what was happening with my site:


My website was one of those hacked, resulting in more than 10 pages of my search engine results being devoted to these crooks. And I can see from my Google Webmaster Tools that about 60 other websites are now linked to non-existent writing-related pages on my site...so they were probably all hacked as well.

Thank you for your WordPress security plugin recommendations, as well. Clearly, the security I was using was not up to the task.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Jun 06, 2015 | #29
Regarding the plugins, you're welcome. Please spread the word in any way that you can.
JTP - | 4   Observer
Jun 06, 2015 | #30
About the only thing I have to add is that webmasters should keep an eye on Google Webmaster Tools to watch for problems:

Search Traffic > Links To Your Site

If other sites begin linking to pages which shouldn't exist, go to the Google Search Engine and type:


(Do not insert a space after the colon...and if your site has a different web suffix, type that instead!)

This will display the links from your site that Google has indexed. If some of them are unusual, click on the Cached version (the Down Arrow to the right of the link URL).

If you've been hacked, you'll notice search engine optimized word salad (random words strung together with a few key writing-related phrases thrown in). You'll also see about 15-20 links to to other sites, and a time-stamp of when the snapshot was taken. The latter gives you some idea of when your site was hacked.

In my case, my site was linking to about 1,500 other sites (15 links per hacked page * 10 hacked pages per search engine results page * 10 search engine results pages).
Major 39 | 1,367 ☆☆☆☆  
Jun 06, 2015 | #31
In general, what websites did they link to - were they related to writing services too?
OP writers2beware 41 | 2,026 ☆☆☆☆  
Jun 06, 2015 | #32
JTP, it would also be helpful to list all of the essay/paper sites that were in any way associated with the attack. That way, more victims will come across this thread.
JTP - | 4   Observer
Jun 06, 2015 | #33

No, the hackers were pretty opportunistic and there doesn't seem to be any pattern - running the gamut from photography sites, a gun club, a women's roller derby team and even someone running for public office (for school board trustee).
OP writers2beware 41 | 2,026 ☆☆☆☆  
Jun 06, 2015 | #34
How, then, did you come to post in this forum? There must have been at least ONE essay/paper site involved, right?
JTP - | 4   Observer
Jun 06, 2015 | #35

Google Webmaster Tools reveals 70 (not 60) inbound links from other sites to the following non-existent pages on my website:


The 70 sites doing this are:


Disclaimer: Some of these sites may have already cleaned up their malware but are still listed on my Webmaster Tools by Google. (In fact, the list was a little longer earlier this week, and it appears 5 sites have dropped off of it).

As for the other direction (outbound links from my site to non-existent pages on other sites), I think I don't really have time to go through the Cached pages on Google and find all 1,500 of 'em.

"How, then, did you come to post in this forum? There must have been at least ONE essay/paper site involved, right?"

I misunderstood Major's question.

What I meant was that the root URLs of the hacked sites seem pretty random. (In my post above, there's a cat-deworming site and a site about puppets. No relation between those two that I can see).

But every single one of the 70 sites linked to a non-existent page on my site involving essays/papers. (Non-existent in the sense that I never created them, but the hacking programs DID temporarily create them on the fly for Google's spiders to crawl).

Once indexed by Google, clicking on one of those essay/paper Search Engine Results ultimately redirects the user to the paperhelp.org site.

Sorry for the confusion.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Jun 19, 2015 | #36
Thank you for the clarification. The more details, the better.

The are at it again. The majority of the hacks appear to be related to the following folder in Wordpress:

They are also injecting malicious redirection code into the "functions.php" file in all themes contained in each site's Wordpress directory.
Major 39 | 1,367 ☆☆☆☆  
Jun 20, 2015 | #37
Literally thousands of websites have been hacked / redirected this way. Btw. Wordpress is a very bloated and unstable software (unless you don't install any addons) prone to such attacks.
OP writers2beware 41 | 2,026 ☆☆☆☆  
Jun 22, 2015 | #38
Somebody (or many bodies) needs to take the time to gather evidence and post a detailed report in the . "John Mu" and other high-profile members of Google's anti-SPAM team are very active there. They give extremely quick attention to any evidence-backed reports regarding large-scale spamming and/or hacking rings. The Ukrainian crooks think that they are safe, legally, because they are not in the US. However, legality is irrelevant if Google blocks all of their domains that get reported for hacking.
Mario_V - | 4   Company Representative
Aug 25, 2015 | #39
This country just does not get any break, does it now?
OP writers2beware 41 | 2,026 ☆☆☆☆  
Mar 31, 2017 | #40
I have an update. The Ukrainian criminals are engaging in illegal "parasite hosting," which is described in the following article:


The article describes how to identify the criminal attackers, fix your hacked site, and protect your site(s) from future attacks.


1. If your site (or part of your site) is running Wordpress, be sure to update to the latest version! That is critical! Old versions of Wordpress have severe vulnerabilities that hackers exploit.

2. You can also make your site hack-proof simply by installing one of the following FREE plug-ins:


Each one is rated very highly and gets updated regularly in order to handle all new threats that emerge.

Forum / General Talk / Ukrainians are hacking and illegally redirecting THOUSANDS of sites

Need Help? ➰
Legitimate Academic Freelance Writers!
Legitimate Academic Research Services!

- (coupon: GW10)
- (coupon: Best7)
Verify a freelance writer profile:
Check for a suspicious Twitter profile:

SIGN UP for an zurnal24 account!