ThinkphpDD: An In-Depth Analysis of Blackhat SEO Techniques


Inbound Internet traffic is mainly determined by search engines. The website rankings in search engines directly affect the marketing effect of a website. This is the context in which Search Engine Optimization (SEO) services have emerged. SEO improves the natural ranking of a website in search engine results based on the ranking rules of different search engines. SEO services are divided into two types. The first type improves the website ranking by legal means such as site optimization, off-site optimization, and content construction. The second type is called blackhat SEO. Blackhat SEO quickly improves the website ranking by using hacker technologies such as spider pools, hidden links, website groups, and server hijacking.

Distribution of Controlled Websites

According to our long-term tracking, the hacker group controlled and made use of at least 12,700 websites from January to March 2019. Of the top-level domains of websites with hidden links, 72% of domains are “.com”. Many of the affected websites are of non-profit organizations and government institutions, but most are websites of local industry associations and national associations, such as the China XXX Development Institute or China XXX Development Alliance. Making use of the high credibility of industry association and government institution websites, blackhat SEO can quickly improve the ranking of the promoted websites. However, the promotion of pornography, gambling, and drug-related websites by blackhat SEO significantly affects the credibility of these compromised websites. Websites with hidden links have serious security vulnerabilities. If such vulnerabilities are not promptly fixed, major network security events may occur.

Analysis of Blackhat SEO Techniques

The hacker group inserts the following code in the header of the website homepage through the webshell backdoor. The code modifies the title, keywords, and description of the webpage, and judges whether the browser is a search engine such as Baidu. If the browser is not a search engine, the website title is modified to a legal expression to hide the hidden link.

Attack Vectors

The webshell backdoors used by the blackhat SEO group are usually provided by its upstream hacker organizations. Through tracking, the Alibaba Cloud Security Team has discovered the largest supplier of DaSheng. The hacker group has made frequent attacks since January 2019. It mainly makes use of the two Thinkphp5 remote code execution vulnerabilities exposed in 2018 and occasionally uses other web vulnerabilities. Based on the name of the webshell file and main intrusion methods used, we named the hacker group ThinkphpDD.

IP Address Infrastructure

Generally, the IP addresses used by attackers can be intercepted by IPS, firewalls, and other security devices based on malicious attack behavior. To bypass security defense systems and reap the highest profits, ThinkphpDD uses a huge number of IP addresses to attack networks. Since January 2019, ThinkphpDD has been using thousands of IP addresses to launch attacks every day. In addition, a few of these IP addresses are reused. More than 100,000 IP addresses have been used by ThinkphpDD. Of the IP addresses used by ThinkphpDD, 89% are from China. According to the proxy IP address threat intelligence of Alibaba Cloud, at least 86% of these IP addresses are anonymous proxy or Dial-up dynamic IP addresses. It is clear that ThinkphpDD has invested heavily in blackhat SEO operations.

Security Recommendations

1. You must update your services or fix website vulnerabilities in time to avoid intrusion.





Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website: