Links Injection on WordPress - Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, and many other pharma-related domains (mostly located at 212.117.161.190 and 212.117.168.214).

The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without a prescription..
<a href="http://webemed. com/">Buy Generic Cialis Onlin.
<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:

247pharmaceutical.com
acomplia-online-price.com
acomplia-online-price.net
amoxil-cheap.net
amoxilpharm.com
ampicillin-pharm.com
ampicillin-pharm.net
ampicillin-pills.com
ampicillinpills.com
ampicillin-pills.net
ampicillinpills.net
antibioticsordrer.com
antibiotics-shop.com
basicpills.com
buydiflucancheap.com
buyflagylcheap.com
buylasixcheap.com
buyLasixcheap.com
buylevaquincheap.com
buynolvadexcheap.com
camagracheap.com
camagracheap.net
camagra-pharm.com
camagra-pharm.net
cheappillsonline.net
cialis-online-price.com
cialis-online-price.net
cialis-pharm.com
cytotecbuyonline.com
dacompliasale.com
dlevitraonline.com
dzithromaxsbuy.com
e-pharmacy-online.com
generic-ed-pharmacy.com
getrxpills.com
great-levitra.com
healthcarexyz.com
kamagrasorder.com
levitra-online-price.net
onlineacompliacheap.com
onlineacompliacheap.net
onlinecialischeap.com
onlinecialischeap.net
onlinelevitracheap.com
onlinelevitracheap.net
onlineviagracheap.com
onlineviagracheap.net
peampicillinonline.com
rx-prices.com
sclomidbuy.com
sdoxycyclinebuy.com
softviagraonline.com
spropecia-online.com
spropecia-online.net
sviagrarbuy.com
viagra-online-price.com
viagra-online-price.net
vicialisabuy.com
webemed.com
westernunion-locations.com
women-health-shop.com
wpropecianonline.com

Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve york71steve@yahoo.com
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

I had Blackhat SEO 1720 on my blog, which means I couldn’t view or log in to the blog from my computer, though the blog looked perfectly fine to everyone else. Just not me, the administrator.

So, I used another computer to remove this nasty tag by doing the following:

CHANGED PASSWORD TO A *STRONG* ONE. Do this first before any other step.
DEACTIVATED, THEN DELETED ALL PLUG-INS. (You can reinstall them after you’ve “cleaned up.”)
RELOADED LATEST VERSION OF WORDPRESS (even if you already are updated, which I was).
RELOADED HEADER/THEME.

For me, deleting the plug-ins (I was using Akismet and Snow Fall) did
the trick. But it’s a good idea to do all the above steps. Afterwards, it’s safe to
reinstall the plug-ins that you want. Use the latest versions.

BTW, as I was deleting each plug-in (I did them one at a time to see
if that one was the culprit), I was getting one new Comment per
deletion. It was from a Spam site, obviously pinging back to my blog
with each Blackhat injection that I was deleting!! Incredible. (Like
when my wallet was stolen, I went to my bank and the officer could watch
on her screen each attempt the thief made to use my credit card. Ha!
I’d already disabled them! Gotcha! Yes, the thieves were caught and went to
prison.)

That’s why it’s important to change your password FIRST, so when you
are cleaning your blog of this malware, the idiot on the other end
cannot get back in.

So, happy ending. Annoying AVG pop-up is gone, and I’m back
in my blog. Plus, I didn’t have to transfer any of my
files/posts/photos/etc., which would have been a real drag. (Boy,
getting hacked feels like a home invasion. It really put a crimp in the
last few days. Grrr!)

BTW, can somebody please disable Steve York in Sugar Hill, GA?

4 comments

Tozzophoto says:
June 12, 2011 at 3:50 pm
Is there any way to update the cleaning script? Does removing xmlrpc help stop this kind of attack?
Pingback: Is your website clean? | Life Currents
Delving Eye says:
April 5, 2014 at 8:37 pm
I had Blackhat SEO 1720 on my blog, which means I couldn’t view or log in to the blog from my computer, though the blog looked perfectly fine to everyone else. Just not me, the administrator.
So, I used another computer to remove this nasty tag by doing the following:
CHANGED PASSWORD TO A *STRONG* ONE. Do this first before any other step.
DEACTIVATED, THEN DELETED ALL PLUG-INS. (You can reinstall them after you’ve “cleaned up.”)
RELOADED LATEST VERSION OF WORDPRESS (even if you already are updated, which I was).
RELOADED HEADER/THEME.
For me, deleting the plug-ins (I was using Akismet and Snow Fall) did
the trick. But it’s a good idea to do all the above steps. Afterwards, it’s safe to
reinstall the plug-ins that you want. Use the latest versions.
BTW, as I was deleting each plug-in (I did them one at a time to see
if that one was the culprit), I was getting one new Comment per
deletion. It was from a Spam site, obviously pinging back to my blog
with each Blackhat injection that I was deleting!! Incredible. (Like
when my wallet was stolen, I went to my bank and the officer could watch
on her screen each attempt the thief made to use my credit card. Ha!
I’d already disabled them! Gotcha! Yes, the thieves were caught and went to
prison.)
That’s why it’s important to change your password FIRST, so when you
are cleaning your blog of this malware, the idiot on the other end
cannot get back in.
So, happy ending. Annoying AVG pop-up is gone, and I’m back
in my blog. Plus, I didn’t have to transfer any of my
files/posts/photos/etc., which would have been a real drag. (Boy,
getting hacked feels like a home invasion. It really put a crimp in the
last few days. Grrr!)
BTW, can somebody please disable Steve York in Sugar Hill, GA?
1. Delving Eye says:
  April 18, 2014 at 5:54 pm
  UPDATE: My husband’s blog had this same BlackHat SEO malware on it, with a slight variation: He could get into his blog but viewers could not — they got the black-squared AVG message.
  He removed all plugins, changed his password and then installed this plugin: Anti-Malware by ELI (Get Off Malicious Scripts). It is rated 5 stars. He then Activated the plugin, and ran it. It cleaned his blog and threw the virus into quarantine. Problem solved.