Follow the bouncing WHOIS - Part II
Jul 15th, 2008 by Micheal
In my previous post in this series, I started on outlining connecting several pay-for and for-free webhosts and showing that they are actually the same company. In the second part, I will continue that, and show how they are trying to trick Google and other search engines.
So here we go. As I explained, Bluehost/Fastdomain/Hostmonster/0catch/etc. are all the same company. Here’s a few tricks they employ:
http://software-test.0catch.com/ (was in one of the links on one of the many creepy sites, but still is 0catch.com/Bluehost).
Source code check!
<a href="http://www.0catch.com" target="_blank">free web hosting</a> |
<a href="http://www.0catch.com" target="_blank">free hosting</a> |
<a href="http://www.0catch.com" target="_blank">Web Hosting</a> |
<a href="http://www.discountlaptops.com">laptop computers</a> |
<a href="http://www.designcart.com">shopping cart</a> |
<a href="http://www.webmastervote.org">Election 2008</a> |
<a href="http://www.bluehost.com">php hosting</a><br />
<a href="http://www.bluehost.com" target="_blank" bluehost="1">affordable web hosting</a>
<a href="http://www.simplepetcare.com" bluehost="1">Pets</a>
<a href="http://www.bluehost.com" bluehost="1">web page hosting</a>
<a href="http://www.hostmonster.com" bluehost="1">web hosting</a>
<a href="http://www.bluehost.com" bluehost="1">website hosting</a>
<a href="http://www.bluehost.com" bluehost="1">web hosting service</a>
<a href="http://www.hostmonster.com" bluehost="1">web hosting</a>
<a href="http://www.hostcritique.com/" target="_blank" bluehost="1">web host</a>
Hmmm. <a href="http://www.hostcritique.com/" target="_blank" bluehost="1">web host</a> What does that bluehost=”1″ do? It isn’t standard HTML. Glad you asked!
var linkEls = document.getElementsByTagName("A");
for (var i = 0; i < linkEls.length; i++) {
if (linkEls[i].getAttribute(”bluehost”)) {
linkEls[i].style.visibility = “hidden”;
}
}
This JavaScript hides anything with the attribute bluehost from a visitor, but search engines will still see it. I call it link pumping.
But there’s more.
We know that 100freemb.com/0catch.com/etc. are Bluehost.
I present to you, more Google tricks!
Not only is Bluehost pushing themselves on Google (see the above), but pushing others(?, just wait, it’ll make sense in a minute) on Google. Sneaky.
http://linear-motion.100freemb.com/
But here we have some new code. Hmmm.
function decode(original){
var result="";
arrayofstring=original.split(',');
for (var i=0; i
result=result+String.fromCharCode(arrayofstring[i]-9);
}
return result;
}
// Broke in to multiple lines for the sake of scrolling
// Micheal
var display="19,69,111,123,106,118,110,124,110,125,41,123,120,128,124,70,43,51,53,57,43,41,111,
123,106,118,110,107,120,123,109,110,123,70,43,87,88,43,41,107,120,123,109,110,123,70,43,57,
43,41,111,123,106,118,110,124,121,106,108,114,119,112,70,43,57,43,41,120,119,85,120,106,109,
70,43,43,41,120,119,94,119,117,120,106,109,70,43,43,71,19,69,111,123,106,118,110,41,119,106,
118,110,70,43,125,120,121,79,123,106,118,110,43,41,124,108,123,120,117,117,114,119,112,70,43,
106,126,125,120,43,41,124,123,108,70,43,113,125,125,121,67,56,56,128,128,128,55,124,116,106,
118,106,123,55,108,120,118,56,43,71,19,69,56,111,123,106,118,110,124,110,125,71,19";
document.write(decode(display));
What does this decode to?
<frameset rows="*,0" frameborder="NO" border="0" framespacing="0" onLoad="" onUnload="">
<frame name="topFrame" scrolling="auto" src="http://www.skamar.com/">
</frameset>
Wait, Skamar? Let’s see who they are. Skamar Machine Co., Linear Motion Systems and Components - Cleveland, Ohio.
Ohio? Ah, but here’s the fun part.
who.is: http://www.who.is/whois-com/ip-address/skamar.com/ They are tied to Bluehost services. Again. So did Bluehost promise to push some traffic their way for hosting with them? Possibly.
There is also a bluefishhosting.com. Doing a whois, we see a familiar name pop up.
Sam Parkinson. Hmmm. Where’d we see that? Let’s check something.
0catch.com!
Let’s review. Bluehost has now been shown to participate in questionable search engine techniques to not only raise traffic for their assets, but also customers. The next installment will show a relationship between the now questionable Bluehost and companies we thought we could trust.
It is very interesting what you have found as far as Bluehost using JS to increase traffic.
It really make one wonder what other tactics they are using that we know nothing about?
On a side note suspect JS has been found in the mattheaton.com blog several times. (Matt Heaton is the CEO / President of Bluehost / Hostmonster / Fastdomain) A few examples have been found by Kakkoi, Kaizeku, and myself.
The question I have now with mattheaton.com and the JS found in his blog, “Was the site hacked or was the JS placed there intentionally for some reason or another?
That’s very interesting. I think that the JS was put there on purpose, given the things I and others have found about Bluehost in general.