Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, and many other pharma-related domains (mostly located at 212.117.161.190 and 212.117.168.214).

The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:

247pharmaceutical.com
acomplia-online-price.com
acomplia-online-price.net
amoxil-cheap.net
amoxilpharm.com
ampicillin-pharm.com
ampicillin-pharm.net
ampicillin-pills.com
ampicillinpills.com
ampicillin-pills.net
ampicillinpills.net
antibioticsordrer.com
antibiotics-shop.com
basicpills.com
buydiflucancheap.com
buyflagylcheap.com
buylasixcheap.com
buyLasixcheap.com
buylevaquincheap.com
buynolvadexcheap.com
camagracheap.com
camagracheap.net
camagra-pharm.com
camagra-pharm.net
cheappillsonline.net
cialis-online-price.com
cialis-online-price.net
cialis-pharm.com
cytotecbuyonline.com
dacompliasale.com
dlevitraonline.com
dzithromaxsbuy.com
e-pharmacy-online.com
generic-ed-pharmacy.com
getrxpills.com
great-levitra.com
healthcarexyz.com
kamagrasorder.com
levitra-online-price.net
onlineacompliacheap.com
onlineacompliacheap.net
onlinecialischeap.com
onlinecialischeap.net
onlinelevitracheap.com
onlinelevitracheap.net
onlineviagracheap.com
onlineviagracheap.net
peampicillinonline.com
rx-prices.com
sclomidbuy.com
sdoxycyclinebuy.com
softviagraonline.com
spropecia-online.com
spropecia-online.net
sviagrarbuy.com
viagra-online-price.com
viagra-online-price.net
vicialisabuy.com
webemed.com
westernunion-locations.com
women-health-shop.com
wpropecianonline.com

Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve york71steve@yahoo.com
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Pingback: Is your website clean? | Life Currents()

  • http://delvingeye.com Delving Eye

    I had Blackhat SEO 1720 on my blog, which means I couldn’t view or log in to the blog from my computer, though the blog looked perfectly fine to everyone else. Just not me, the administrator.

    So, I used another computer to remove this nasty tag by doing the following:

    CHANGED PASSWORD TO A *STRONG* ONE. Do this first before any other step.
    DEACTIVATED, THEN DELETED ALL PLUG-INS. (You can reinstall them after you’ve “cleaned up.”)
    RELOADED LATEST VERSION OF WORDPRESS (even if you already are updated, which I was).
    RELOADED HEADER/THEME.

    For me, deleting the plug-ins (I was using Akismet and Snow Fall) did
    the trick. But it’s a good idea to do all the above steps. Afterwards, it’s safe to
    reinstall the plug-ins that you want. Use the latest versions.

    BTW, as I was deleting each plug-in (I did them one at a time to see
    if that one was the culprit), I was getting one new Comment per
    deletion. It was from a Spam site, obviously pinging back to my blog
    with each Blackhat injection that I was deleting!! Incredible. (Like
    when my wallet was stolen, I went to my bank and the officer could watch
    on her screen each attempt the thief made to use my credit card. Ha!
    I’d already disabled them! Gotcha! Yes, the thieves were caught and went to
    prison.)

    That’s why it’s important to change your password FIRST, so when you
    are cleaning your blog of this malware, the idiot on the other end
    cannot get back in.

    So, happy ending. Annoying AVG pop-up is gone, and I’m back
    in my blog. Plus, I didn’t have to transfer any of my
    files/posts/photos/etc., which would have been a real drag. (Boy,
    getting hacked feels like a home invasion. It really put a crimp in the
    last few days. Grrr!)

    BTW, can somebody please disable Steve York in Sugar Hill, GA?

    • http://delvingeye.com Delving Eye

      UPDATE: My husband’s blog had this same BlackHat SEO malware on it, with a slight variation: He could get into his blog but viewers could not — they got the black-squared AVG message.

      He removed all plugins, changed his password and then installed this plugin: Anti-Malware by ELI (Get Off Malicious Scripts). It is rated 5 stars. He then Activated the plugin, and ran it. It cleaned his blog and threw the virus into quarantine. Problem solved.