"Hot Video" pages: analysis of a hijacked site (Part I)
- Monday, September 20, 2010, 6:48
- Threat Research
I was fortunate enough to find a hijacked site that was being used to host fake "Hot video" pages, which I've blogged about before. This time, however, the site had directory listings enabled. As a result, I could view all the files used in the attack, including the source code of the PHP files which display the fake video page and redirect users to a malicious page. This provided insight into how the attack actually works.
Here is the list of interesting files in the /images/ directory:
- error_log - somebody tried to cover their tracks?
- news.dot - template for the Hot video page
- sitemap.php - displays a list of spam pages from other domains
- sites.txt - list of spam pages from other domains
- key.txt - a list of popular Google searches
- news.txt - log of crawler visits
- .news/ - folder containing thousands of spam pages
- .cch/ - folder containing thousands of spam pages
- g------.php (censored) and a few similar pages - execute external commands and upload files
- .sys.php - executes any PHP code and uploads files
- page.php - displays the "Hot Video" page
- news.php - displays the "Hot Video" page
- style.css - style sheet used on the fake video page
- load.swf - Flash file which redirects the user to the malicious page
- player.gif - image of the fake YouTube video
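For site owners, the listing above translates into a simple audit of any static-content folder: server-side scripts, Flash files and dot-prefixed folders full of pages do not belong next to images. The following check is an added example, not code from the hijacked site or from this post; the function names, the extension set and the 100-file threshold are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

SCRIPT_EXT = {".php", ".phtml", ".php5"}  # server-side code has no place beside images
BULK_THRESHOLD = 100  # assumed cut-off for "bulk-generated pages" in one hidden folder

def audit_static_dir(root, threshold=BULK_THRESHOLD):
    """Return sorted (finding, relative path) pairs for a static-content directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.startswith("."):  # folders hidden from a casual listing, like .news/
                n = len(os.listdir(os.path.join(dirpath, d)))
                kind = "hidden-dir-bulk" if n >= threshold else "hidden-dir"
                findings.append((kind, os.path.normpath(os.path.join(rel, d))))
        for f in filenames:
            path = os.path.normpath(os.path.join(rel, f))
            ext = os.path.splitext(f)[1].lower()
            if ext in SCRIPT_EXT:
                kind = "hidden-script" if f.startswith(".") else "script"
                findings.append((kind, path))
            elif ext == ".swf":
                findings.append(("flash", path))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed images/ folder that mimics the listing in the post."""
    root = os.path.join(base, "images")
    os.makedirs(os.path.join(root, ".news"))
    os.makedirs(os.path.join(root, ".cch"))
    for name in ("player.gif", "style.css", "page.php", ".sys.php", "load.swf"):
        open(os.path.join(root, name), "w").close()
    for i in range(150):  # constructed stand-in for the thousands of spam pages
        open(os.path.join(root, ".news", f"page{i}.html"), "w").close()
    for i in range(3):
        open(os.path.join(root, ".cch", f"page{i}.html"), "w").close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in audit_static_dir(build_sample_tree(tmp)):
            print(f"{kind:16} {path}")
```

Legitimate image and style sheet files (player.gif, style.css) produce no finding, so every line of output is something to review.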
Here is some information about some of the files.
error_log
This file shows (continue reading...)