Link injection on hacked WordPress sites – Blackhat SEO spam

Over the last few months we’ve been tracking a very large blackhat SEO spam campaign, and helping the webmasters affected by it. The campaign was initiated by basicpills.com and many other domains located at 212.117.161.190.

This campaign has infected thousands of WordPress sites, injecting spam links directly into their databases (the wp_posts table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..


The content changes as they inject spam links into the database. The spam links are all related to pharmacy products leading you to one of the following domains:


The biggest annoyance for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags) on ALL their posts. This makes them particularly difficult to identify and fix manually (especially on large sites).
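One way to locate and strip such anchors from exported post content, as an added example that is not part of the original post or of Sucuri's tooling. The function names, the three-domain blocklist (taken from the sample links above) and the sample rows are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: three campaign domains, taken from the sample links on this page.
SPAM_DOMAINS = {"basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com"}

# Regex rather than an HTML parser: the injected anchor can sit inside another
# tag, where a parser would not see it as an element at all.
ANCHOR_RE = re.compile(
    r"""<a\b[^>]*?\bhref\s*=\s*["']?([^"'\s>]+)[^>]*>(.*?)</a\s*>""",
    re.IGNORECASE | re.DOTALL,
)

def is_spam_host(href, domains=SPAM_DOMAINS):
    """True if the href's host is a listed domain or a subdomain of one."""
    try:
        host = (urlsplit(href.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return False
    return any(host == d or host.endswith("." + d) for d in domains)

def find_injected_links(content, domains=SPAM_DOMAINS):
    """Return (href, anchor_text) for every anchor pointing at a listed domain."""
    return [(m.group(1), m.group(2).strip())
            for m in ANCHOR_RE.finditer(content)
            if is_spam_host(m.group(1), domains)]

def strip_injected_links(content, domains=SPAM_DOMAINS):
    """Remove listed-domain anchors (tag and text); leave other links alone."""
    return ANCHOR_RE.sub(
        lambda m: "" if is_spam_host(m.group(1), domains) else m.group(0),
        content)

# Constructed rows standing in for (ID, post_content) read from wp_posts.
SAMPLE_POSTS = {
    1: 'Our trip <a href="http://basicpills.com/">online drugs</a>was great.',
    2: '<img src="a.jpg" <a href="http://WWW.GetRxPills.com/buy/x.html">pills</a>alt="beach">',
    3: 'See <a href="https://wordpress.org/">WordPress</a> for details.',
}

def scan(posts):
    """Map post ID -> injected links, only for posts that contain any."""
    found = {pid: find_injected_links(c) for pid, c in posts.items()}
    return {pid: hits for pid, hits in found.items() if hits}

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_POSTS).items():
        print(pid, hits, "->", strip_injected_links(SAMPLE_POSTS[pid]))
```

Run it against a database backup first and review the report before writing any cleaned content back.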

Here is the Whois information for the people responsible for this attack:

Registrant:
Nikolaj Brakoveckij godaddy@torba.com
61100, Kharkov, Petra Slinko, 9, 3
Kharkov, 61100
UKRAINE
+380.500634264

Registrant:
Pavel freeh0st@mail.ru +3.80444515342
getrxpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Registrant:
Pavel dext@coreimpacts.com +3.80444515342
basicpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email at support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

7 comments
  1. Well, I recently saw a blog which was infected as well with some links. I am really happy to find that Sucuri site to scan my blog; also I signed up there to track the status.

  2. Hi, good to join your site. I did find some blackhat links as comments on one of my pages; sorry, I already deleted them. But I don’t think the spammers went any further than comments. Except that about a week to 2 weeks ago, I guess it was, my website was pounded with login hits. I tried blocking the IP and it didn’t work. I tried limit login attempts and it wouldn’t work. It was like the bot had latched on like a tick and nothing could pull it out. Finally I added a free plugin called “Project Force Field”; as soon as I installed it the hits stopped. I don’t know if it was a coincidence and the bot had actually given up after over 24 hrs of hits or the plugin worked. But it’s a good plugin, I believe. It doesn’t affect log in or anything UNLESS there is a brute force strike, then it kicks into action. I added it to my other sites just to make sure they aren’t vandalized. I felt so helpless while the attack was happening because nothing was able to stand up to it. I even put the site into “maintenance mode” and that didn’t stop the blast of login attempts. I have the Sucuri free version and also had it at the time, so I suppose that’s why it couldn’t actually break through to my database. David Dede and Sucuri, thank you so much for your work to protect our WordPress sites. I kinda wish that there were some better laws in place against vicious hackers but I am afraid the new laws would just be used against the innocent in the long run.
