Solution for the link injection spam from basicpills

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedius task to go through thousands of posts manually removing each link spam…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

antibiotics-shop.com
basicpills.com
generic-ed-pharmacy.com
getrxpills.com

How to run it?

  1. Right click on this link and save as spam-postremoval.txt
  2. Rename the file to spam-postremoval.php and upload to your site via FTP (or SFTP)
  3. Open your browser and go to yoursite.com/spam-postremoval.php
  4. Let the script run and you are all set!

That should remove the malicious links from all your posts. If you need any help, send us an contact us via email – Sucuri Security Plugin to harden your WordPress web sites (just go to the 1-click hardening menu in the plugin).

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.