Lately we have been talking a lot about WordPress sites getting hacked with SEO Spam:
Some big sites got infected and the common complain I hear is that even after they clean up the SPAM, it just “magically” reappears after a few days.
Infection and analysis
*This is important: The latest version of WordPress (2.9.2) is not vulnerable, but if you took a while to upgrade, your site might have been hacked in the past and they left a backdoor hanging in there. So you need to find where it is.
We are seeing three attack behaviors:
1-SPAM is added to all the pages. This is generally done by infecting the wp-blog-header.php or the footer.php inside the templates.
2-SPAM is not visible in the main pages and only added inside the wp-includes.
3-Backdoors are left by the attackers (very common).
When SPAM is added to all the pages, it is easy to spot. If you do a “view” source on your site, you will see lots of links at the bottom:
<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=rezeptfreie-potenzmittel<br />medikamente rezeptfrei medikamente rezeptfrei <a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=super-kamagra-billig-kaufen; super kamagra billig kaufen <a href="> super kamagra billig kaufen <a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=viagra-kaufen-in-hamburg kaufen viagra<br />..<br /><a href=">
kaufen viagra ..
Our scanner also detects it pretty easily.
When the SPAM is not visible, the easiest way to find them is by doing Google searches using your domain name + SPAM keywords. We explain it in detail here.
Finding the backdoors is a bit more tricky. On most of the cases, we are seeing them hidden inside these places:
-wp-content/uploads – Search for .php files
-wp-includes/index.php or inside wp-includes/js – Search for .php files
However, they can be anywhere. My recommendation is that you download all your files to your desktop and do a mass search for “eval(base64_decode” or large strings inside PHP files. Using an AV will also help to find everything.
Code being used
We are seeing a lots of sites reading the “orders” from this domain: http://dvc44ftgr.com. It is hidden inside the code using base64 encoding:
Plus, this domain is full of spammy sub-domains: citect-software.dvc44ftgr.com, jobs-mississauga.dvc44ftgr.com, trigonometry-calculate.dvc44ftgr.com, download-pinball.dvc44ftgr.com, etc, etc.
If anyone have more information, let us know.
If your site is hacked (or with malware) and you need help, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.