Link injection on hacked WordPress sites – Blackhat SEO spam

Over the last few months we’ve been tracking, and helping webmasters affected by, a very large blackhat SEO spam campaign initiated by basicpills.com and many other domains located at 212.117.161.190.

This campaign has infected thousands of WordPress sites and has injected spam links directly into their databases (the wp_posts table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..


The content changes as they inject spam links into the database. The spam links are all related to pharmacy products leading you to one of the following domains:

The biggest annoyance for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags) on ALL their posts. This makes it particularly difficult to identify and fix manually (especially on large sites).
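One way to find and strip these anchors in bulk, as an added example (not part of the original post and not Sucuri's scanner). It assumes the posts have been exported as (ID, post_content) pairs; the function names are hypothetical, the sample rows are constructed, and the block list holds only the domains quoted in the sample links above.

```python
import re
from urllib.parse import urlparse

# Only the domains quoted in the sample links above; extend from your own block list.
SPAM_DOMAINS = {"basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com"}

# Opening <a> tag plus, when present, its plain-text body and closing tag. A regex is used
# because injected anchors can sit inside other tags and use mismatched or curly quotes.
ANCHOR = re.compile(
    r'<a\b[^>]*?\bhref\s*=\s*["\'\u201c\u201d]?\s*([^"\'\u201c\u201d\s>]+)[^>]*>'
    r'(?:[^<]*</a\s*>)?',
    re.IGNORECASE,
)

def spam_domain(url):
    """Return the matching block-list domain for url, or None."""
    try:
        host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return None
    for domain in SPAM_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_spam_links(content):
    """List (domain, offset) for every anchor pointing at a block-listed domain."""
    found = ((spam_domain(m.group(1)), m.start()) for m in ANCHOR.finditer(content))
    return [(d, pos) for d, pos in found if d]

def strip_spam_links(content):
    """Remove block-listed anchors (tag and anchor text); keep all other links."""
    return ANCHOR.sub(lambda m: "" if spam_domain(m.group(1)) else m.group(0), content)

def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns {post_id: hits} for infected posts."""
    return {pid: hits for pid, body in rows if (hits := find_spam_links(body))}

# Constructed sample rows standing in for an export of ID and post_content.
SAMPLE_ROWS = [
    (1, 'Hello <b>world <a href="http://basicpills.com/">online drugs</a></b>, see '
        '<a href="https://example.org/">docs</a>.'),
    (2, '<img src="a.png" <a href="http://www.getrxpills.com/buy/x.html\u201d>pills</a> alt="pic">'),
    (3, 'A clean post that only mentions basicpills.com in plain text.'),
]

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_ROWS).items():
        print(pid, hits)
```

Run it against a copy of the data first and compare the output of `strip_spam_links` with the original content before writing anything back to the database.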

Here is the Whois information for the people responsible for this attack:

Registrant:
Nikolaj Brakoveckij godaddy@torba.com
61100, Kharkov, Petra Slinko, 9, 3
Kharkov, 61100
UKRAINE
+380.500634264

Registrant:
Pavel freeh0st@mail.ru +3.80444515342
getrxpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Registrant:
Pavel dext@coreimpacts.com +3.80444515342
basicpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email at support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.