Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination, which we see quite a bit of in shared hosting environments. This post is a follow-up with a good sample of an SEO spam infection that uses multiple sites in a shared environment to push its campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

SiteCheck SEO Spam Results

We commenced the clean up and discovered they had multiple websites in their hosting environment, all WordPress, and one of the installations was severely outdated, running WordPress 3.0.4 (this will come into play later in the post).

As we analyzed the site, we found that a single line of eval(base64_decode()) code had been injected into their website's theme framework:

Eval Base64 Injection

At this point we know this isn't supposed to be there, so we decode the string to see what kind of badness it's inserting into the website. Here are the results:

Decoded Eval Injection

You may not have caught what was going on because we've blanked out part of the path in the image. When decoded, the eval string leads back to a payload file named "runner.php". This file had been placed on another website in the same shared hosting environment.

The important point to take from this is that the actual payload file sits on the outdated WordPress instance we noted earlier. This is not uncommon: the weakest site in the account gets compromised first and then serves as the staging point for the others.
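The triage step above (spot the eval one-liner, decode it, see where the include points, and notice that the target lives in a different site's document root) is easy to automate. The following Python script is an added example and is not code from the original post or from Sucuri's tooling. The sample theme file, the payloads it decodes and the /home/victim and /home/othersite paths are all constructed for this example; the real path in the incident was blanked out and is not reproduced here. It goes a little beyond the post's single base64 case by also unwinding gzinflate and str_rot13 wrapper chains, which are the usual variations of the same trick.

```python
import base64
import codecs
import os
import posixpath
import re
import zlib

# The classic one-liner: eval( <wrapper>( ... <wrapper>( "<blob>" ) ... ) );
# Any chain of wrapper calls (base64_decode, gzinflate, str_rot13, ...) is accepted.
EVAL_RE = re.compile(
    r"eval\s*\(\s*"                      # eval(
    r"((?:[A-Za-z_]\w*\s*\(\s*)+)"       # one or more wrapper calls, outermost first
    r"['\"]([A-Za-z0-9+/=\s]*)['\"]"     # the quoted encoded blob
    r"\s*\)+\s*;",                       # closing parens and semicolon
    re.DOTALL,
)

# File paths handed to include/require/file_get_contents inside a decoded payload.
PATH_RE = re.compile(
    r"(?:include_once|require_once|include|require|file_get_contents)"
    r"\s*\(?\s*['\"]([^'\"]+)['\"]"
)


def _decode_chain(wrappers, blob):
    """Undo the wrapper chain innermost first (PHP evaluates the inner call first).
    Returns (decoded_text, fully_decoded)."""
    data = blob.encode()
    for name in reversed(wrappers):
        if name == "base64_decode":
            data = base64.b64decode(re.sub(rb"\s+", b"", data))
        elif name == "gzinflate":
            data = zlib.decompress(data, -15)        # raw DEFLATE, like PHP's gzinflate
        elif name == "gzuncompress":
            data = zlib.decompress(data)             # zlib-wrapped, like PHP's gzuncompress
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        else:
            return data.decode("utf-8", "replace"), False   # unknown wrapper: stop here
    return data.decode("utf-8", "replace"), True


def is_cross_site(path, site_root):
    """True when an included path resolves outside this site's document root.
    Server paths are POSIX, so posixpath is used regardless of the analyst's OS."""
    root = posixpath.normpath(site_root)
    target = path if posixpath.isabs(path) else posixpath.join(root, path)
    return posixpath.commonpath([root, posixpath.normpath(target)]) != root


def find_eval_injections(php_source, site_root=None):
    """Return one dict per eval(...) injection found in a PHP source string."""
    hits = []
    for m in EVAL_RE.finditer(php_source):
        wrappers = re.findall(r"[A-Za-z_]\w*", m.group(1))
        decoded, complete = _decode_chain(wrappers, m.group(2))
        paths = list(dict.fromkeys(PATH_RE.findall(decoded)))   # dedupe, keep order
        hits.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "wrappers": wrappers,
            "decoded": decoded,
            "complete": complete,
            "paths": paths,
            "cross_site": [p for p in paths if site_root and is_cross_site(p, site_root)],
        })
    return hits


def scan_directory(site_root):
    """Walk a document root and yield (file_path, hit) for every injection found."""
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    for hit in find_eval_injections(fh.read(), site_root):
                        yield full, hit


def _raw_deflate(data):
    """Produce raw DEFLATE bytes (what PHP's gzdeflate emits) for the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed sample input. Payloads and paths are invented for this example and
# are NOT the real payload or path from the incident in the post.
SAMPLE_SITE_ROOT = "/home/victim/public_html"
SAMPLE_PAYLOAD = '@include_once("/home/othersite/public_html/wp-content/uploads/runner.php");'
SAMPLE_PAYLOAD_2 = 'echo @file_get_contents("/home/othersite/public_html/wp-content/uploads/runner.txt");'
SAMPLE_THEME_FILE = "\n".join([
    "<?php",
    "/**",
    " * Theme functions (constructed sample, not a real theme)",
    " */",
    'eval(base64_decode("' + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + '"));',
    "add_action('wp_head', 'sample_theme_head');",
    'eval(gzinflate(base64_decode("'
    + base64.b64encode(_raw_deflate(SAMPLE_PAYLOAD_2.encode())).decode() + '")));',
    "",
])

if __name__ == "__main__":
    for hit in find_eval_injections(SAMPLE_THEME_FILE, SAMPLE_SITE_ROOT):
        print(f"line {hit['line']}: eval via {' -> '.join(hit['wrappers'])}")
        print("  decoded :", hit["decoded"])
        for p in hit["paths"]:
            print(f"  refers to: {p} [{'CROSS-SITE' if p in hit['cross_site'] else 'local'}]")
```

Run `scan_directory("/home/victim/public_html")` over a real document root to list every eval one-liner along with the files it pulls in; any path flagged CROSS-SITE is the other site you also need to clean, and the cross-site check only means something when each site has its own document root. Obfuscators that build the string from concatenated pieces or call the decoder through a variable function name will not match this regex, so a clean result from this script is not a clean bill of health; it is a fast first pass before the manual review.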

Now we head over to runner.php on the other website to see what we find. This is all sorts of ugly.

Eval Payload File

The string is huge, so we didn't include the whole thing in the image; otherwise you would be scrolling down this page for a while.

Looks nasty, right? Well, it is!

Here is a list of the Pharma keyword references used in the original payload.

What this code does is infiltrate the exploited website(s) and replace things like meta tags, headlines, and keywords with its choice of pharma content, including links back to malicious ad websites. The challenge is that it will take over your SERPs over time, causing all sorts of problems for your visitors and your page rankings, and it will likely get you blacklisted.

The long-term effects can be devastating for your page rankings, as you will likely have to wait for Google to reindex your site, which takes a while, and the cached page results may stick around for quite some time, potentially driving visitors elsewhere.

Lessons Learned

  • Keep your websites updated – it is likely this was an automated attack targeting a known vulnerable version of software.
  • Cross-site contamination is real! If you have multiple sites in a shared hosting environment, you're accepting a higher risk of more than one of your sites being infected if one gets exploited.
  • Blackhat SEO spam has long-lasting effects. Don't take it lightly: it's bad for the internet as a whole, it's very bad for your users, and it's extremely painful for you in the long run.
  • Did I mention you should ensure your software is up to date? Oh yeah, I did! I can't emphasize this enough. If it's outdated, update ASAP. If you don't need it, remove it now!

If you’re experiencing these issues and need a hand, email Sucuri Security for assistance. Have you scanned your websites? Do it free with Sucuri SiteCheck, it never hurts to check!

About Dre Armeda

I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place! ~dremeda