In the earlier report, Sobrier had identified at least 75 domains hosting the malicious online stores, all looking slightly different but selling discounted software. The scammers used black hat search engine optimization techniques called SEO poisoning to bump up these stores on results pages for users looking for places to buy software. They also targeted multiple languages, so searching in French or German for places to buy Microsoft software would still present these fake stores.
When Sobrier first found these compromised URLs, many of the pages were served by alternate Web servers installed on non-standard ports, such as ports 4577, 9765 and 5050. On this follow-up visit, Sobrier found that while some attackers were still using alternative ports, such as 8080, in some cases the scammers had compromised the main Web server on port 80 and added the pages directly to it.
For those universities, the problem is more serious, as it means the scammers compromised the entire Web server at some point.
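One check an administrator could run for the non-standard-port pattern described above, as an added example that is not from the article or from Sobrier's research: it parses the output of `ss -ltnp` (a constructed sample here, with a hypothetical allowlist of expected ports) and flags externally bound listeners on any other port, so a surprise HTTP server on 4577 or 8080 shows up even when it does not touch the main site.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ss -ltnp` output (not from the article): a campus
# web server with its expected services plus two rogue listeners of the
# kind the report describes (an extra HTTP server on 4577 and one on 8080).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1044,fd=4))
LISTEN  0       511     *:443                *:*                users:(("apache2",pid=1044,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=901,fd=7))
LISTEN  0       128     [::]:4577            [::]:*             users:(("python3",pid=20931,fd=5))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("nginx",pid=20955,fd=6))
"""

# Hypothetical allowlist: ports this host is supposed to expose. Anything
# else bound to a non-loopback address is reported for investigation.
EXPECTED_PORTS = {22, 80, 443}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listener(line: str) -> Optional[Dict[str, object]]:
    """Turn one LISTEN line into {addr, port, proc, pid}; None for other lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")  # handles "[::]:4577" and "*:80"
    m = PROC_RE.search(line)
    return {"addr": addr, "port": int(port),
            "proc": m.group(1) if m else "?", "pid": int(m.group(2)) if m else 0}


def unexpected_listeners(ss_output: str, expected=EXPECTED_PORTS) -> List[Dict[str, object]]:
    """Return externally reachable listeners on ports outside the allowlist."""
    found = []
    for line in ss_output.splitlines():
        entry = parse_listener(line)
        if entry is None or entry["port"] in expected:
            continue
        if entry["addr"] in LOOPBACK:
            continue  # reachable only from the host itself; not an exposed service
        found.append(entry)
    return sorted(found, key=lambda e: e["port"])


if __name__ == "__main__":
    for e in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {e['port']} on {e['addr']}: {e['proc']} (pid {e['pid']})")
```

On a live host, feed it the real output (`ss -ltnp`) and treat any hit as a lead for the rest of the investigation, since a listener on an odd port says nothing by itself about whether port 80 content was also altered.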
If someone were to hack your Web server, do you have a method to easily republish the entire site? If your server is compromised, do you prefer to replace the server with a new (physical or virtual) machine with a fresh or snapshot OS installation?