Hetzner Online Hosts Critical Component of SEO Poisoning Campaign

Hetzner Online, a large German hosting provider, provides hosting for three  websites that are critical for a major SEO poisoning campaign. SEO poisoning involves getting web pages listed in search engines that when accessed attempt to infect the computer with malware.

This particular campaign involves two sets of hacked websites and the websites hosted by Hetzner Online. The first set of websites has been hacked to display the content from a file requested from getalllinks.info, dvc44ftgr.com, or uniteddomainsweb.com when a page from the hacked website is requested by a search engine. The files from getalllinks.info, dvc44ftgr.com, and uniteddomainsweb.com, hosted by Hetzner Online at the IP address 78.46.71.6, include links to pages on the second set of hacked websites. The content of those files can be seen at http://www.getalllinks.info/links/0.txt, http://www.dvc44ftgr.com/links/0.txt, or and http://www.uniteddomainsweb.com/links/0.txt. Search engines crawl those pages on the second set of hacked websites and they get included in search engines results.  When people access the pages through search engines they are redirected to fake anti-virus scanner that attempts to infect their computers with malware. Without the three domains hosted by Hetzner Online the pages on the second set of websites are never crawled and never get included in the search results where the could be accessed by users.

We contacted Hetzner Online about the issue a month ago. We receive a message acknowledging our message, but they have taken no action beyond that. Hetzner Online is not the first prominent host to have provided service for this SEO poisoning campaign. The Planet previously provided service for these domains and continued to host these domains for three months after we contacted them.