We have been digging lately in a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress web sites.
The list is big. Some of the ones that catched my eyes were:
Mindtouch.com (Popular open source product)
chapters.asmconline.org (American Society of Military comptrollers)
cima.ned.org (National Endowment for Democracy)
And the list goes on and on and on…
All the sites infected are using the latest WordPress version and had a PHP script injected inside their wp-includes directory. The script name is random and it does two things:
- For a search engine, it shows a bunch of keywords (cialis, viagra, movie downloads, etc)
- For a normal user coming from Google, they are redirected to a web site with malware or to another site for more spam.
Example (do not click unless you know what you are doing):
Finding more sites
Finding more sites is easy. Just search on Google for “inurl:wp-includes” and choose your preferred spam word. Examples:
Example 1 (Searching for Viagra on harvard.edu):
Example 2 (Viagra on blog.mindtouch.com)
The code being used is probably very similar to this one MW:SPAM:S2, used on a previous spam attack: http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html
If you suspect your site might be infected, search for these keywords and your site name.
If your site is hacked (or with malware) and you need help, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.