Link injection on hacked WordPress sites – Blackhat SEO spam

For the last few months we’ve been tracking, and helping webmasters affected by, a very large blackhat SEO spam campaign initiated by basicpills.com and many other domains located at 212.117.161.190.

This campaign has infected thousands of WordPress sites and has injected spam links directly into their databases (the wp-post table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..


Read More

Solution for the link injection spam from basicpills

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedious task to go through thousands of posts manually removing each spam link…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

Read More

Oracle.com, Wetpaint, Spammers, and the Tale of an Unmoderated Wiki

Update: A few hours after this post went live, it seems that Oracle started to clean up the wiki. Very good!

Oracle’s official Wiki (at http://wiki.oracle.com) is becoming a haven for spammers. The site has a high page rank (PR 7), is completely open and unmoderated, uses a free wiki builder from wetpaint.com (yes, you have to create an account at wetpaint.com to participate there) and appears to have no one taking care of it.

Guess what happens when you visit? Open their main page (wiki.oracle.com – Scanned link) to see for yourself:

Read More

Link injection, basicpills dot com and Blackhat SEO spam

For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 212.117.161.190).

They basically infected thousands of WordPress sites and injected spam links directly into their databases (the wp-post table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..

What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts, making it hard to identify where the dirty links are and even more of a challenge to remove them. On some of these sites we’ve seen the attackers create new admin users, allowing them access back to the site at any time.
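The two basicpills posts above describe spam anchors injected into the middle of existing post content, and the cleanup post mentions a script that strips them for the most common domains. The following is an added example (not Sucuri's script and not code from the campaign) of the same idea as a defender's tool: find the infected rows, then remove only the injected anchor elements. It uses an in-memory SQLite copy of the table as a stand-in for the live MySQL database; WordPress's real table is wp_posts, and the column names below match it. The three domains in SPAM_DOMAINS are the ones named in the post; the four sample posts are constructed. It also handles the case the post hints at with its truncated samples: an injected tag that was never closed is removed without eating the text or the legitimate links that follow it.

```python
import re
import sqlite3

# Domains named in the post above; extend the tuple with whatever your own scan turns up.
SPAM_DOMAINS = ("basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com")


def spam_link_pattern(domains):
    """Regex for an <a> tag whose href points at one of the spam domains (any subdomain,
    http or https, attributes in any order or case) plus, when present, its anchor text
    and closing </a>.  The anchor text is matched with a tempered pattern that cannot
    cross another <a> or </a>, so an injected tag that was never closed costs only its
    opening tag and leaves the surrounding text and later legitimate links untouched."""
    alt = "|".join(re.escape(d) for d in domains)
    return re.compile(
        r'<a\b[^>]*?\bhref\s*=\s*["\']?https?://(?:[\w-]+\.)*(?:' + alt + r')'
        r'(?=[/"\'\s>:?#]|$)[^>]*>'                      # rest of the opening tag
        r'(?:(?:(?!<a\b)(?!</a\s*>).)*</a\s*>)?',        # anchor text + </a>, if closed
        re.IGNORECASE | re.DOTALL,
    )


def find_infected_posts(conn, domains=SPAM_DOMAINS):
    """(ID, post_title) of every post whose content mentions a spam domain.
    This is the same LIKE query you would run against the real wp_posts table."""
    where = " OR ".join("post_content LIKE ?" for _ in domains)
    params = [f"%{d}%" for d in domains]
    sql = f"SELECT ID, post_title FROM wp_posts WHERE {where} ORDER BY ID"
    return conn.execute(sql, params).fetchall()


def clean_posts(conn, domains=SPAM_DOMAINS):
    """Strip injected anchors from every post; returns the number of posts rewritten.
    Back the database up before running this against a live site."""
    pattern = spam_link_pattern(domains)
    cleaned = 0
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts").fetchall():
        new_content, hits = pattern.subn("", content)
        if hits:
            conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (new_content, post_id))
            cleaned += 1
    conn.commit()
    return cleaned


def build_sample_db():
    """Constructed sample data shaped like the real wp_posts columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    rows = [
        (1, "Clean post", '<p>Welcome to <a href="http://example.com/">my blog</a>.</p>'),
        (2, "Injected mid-paragraph",
         '<p>Our <a href="http://basicpills.com/">online prescription drugs without a prescription</a> weekly update.</p>'),
        (3, "Injected, tag never closed",
         '<p>Text <a href="http://getrxpills.com/buy/levitra.html">levitra 10 mg</p>'
         '<p>Next <a href="http://example.com/a">keep me</a></p>'),
        (4, "Uppercase tag, www prefix",
         "<div><A HREF='http://www.generic-ed-pharmacy.com/'>Buy Generic Viagra Online</A></div>"),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for post_id, title in find_infected_posts(db):
        print(f"infected: post {post_id} ({title})")
    print(f"cleaned {clean_posts(db)} posts; still infected: {find_infected_posts(db)}")
```

Run the detection query first and review the list; on a live site, point the same two functions at a MySQL connection (the SQL is plain enough to work unchanged) only after taking a database backup, and re-run find_infected_posts afterwards to confirm nothing was missed. Remember that this only addresses the injected links; the post also notes rogue admin users, which the database cleanup does not touch.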

Read More

Grameen Bank web site hacked / infected with spam

The Grameen Bank is in the news today after one of its founders, Muhammad Yunus, was fired from it. You can see the news about it here.

Leaving the politics aside, what interested us is that their main web site is currently hacked and infected with blackhat SEO spam. We tried to contact them a few weeks ago about it, but got no reply (and the site remains hacked).

Even Google recently started warning users about it with the message “This site may be compromised.” in the search results. Just search for “inurl:grameen.com” to verify it.

Grameen bank malware

How did they get hacked? They are running a very old version of Joomla, which is probably how the attackers got in. Our malware / spam scanner also finds the injected spam, which is only displayed to crawlers (not to normal users), a common blackhat SEO technique to increase the spammers’ page rank.

This is the result of our scanner: http://sitecheck.sucuri.net/scanner/?scan=http://www.grameen.com/.

This shows again the importance of keeping your sites updated and always monitored.

UCalgary web sites compromised with spam

We were cleaning up a compromised site today (with the infamous pharma hack) when we saw multiple spam links in the hacked site pointing to ucalgary.ca (a big Canadian university). What was interesting is that they were not pointing to a small department sub-domain, but to the university’s main site.

This means attackers were using domains at the University of Calgary to help increase their PR (page rank) and to sell pharmacy-related products online.

These were some of the links in their main site that were being used (still live):

Read More

Thailand official foreign affairs / embassy web sites hacked

The Royal Thai (Thailand’s) consulate and embassy web sites (part of their foreign affairs ministry) are currently hacked and infected with a lot of spam (of the pharmacy kind).

Their web site is located at http://www.mfa.go.th, and with a quick scan (using our scanner) we can see all the hidden content:

Plus all their pages have multiple hidden links used in blackhat SEO spam campaigns:

Read More

Cleaning up an infected website – Part I: WordPress and the Pharma Hack

We deal with infected web sites on a daily basis, and the most common question we get is how we clean them. What steps do we take? What should you do to clean up your own site if it gets infected?

This is part one of a short series of posts showing how to clean up sites. Because of its popularity, we will start with how to clean up the “Pharma Hack” on a WordPress-driven site. You can follow the series here: http://blog.sucuri.net/category/guides.

*Note that this post covers website clean up only (mostly applicable to shared servers). If you have a dedicated server (or VPS), there are additional steps to secure it that are not covered here.
**If the items contained in this post are more than you want to take on, we are here to help. Visit Sucuri or email us at support@sucuri.net


1- Detecting (discovering) that you are hacked

This is the most important step. Most people don’t realize they’ve been exploited. Here are a couple of things you can do to check your site:

Fire up Google and search for “site:yoursite.com”. Check whether any strange titles or spammy results come back. If you see Viagra, Cialis or any other flavor of medicine in Google’s results for your site, you’re probably dealing with the Pharma Hack.

If you’re still not sure after checking Google, use http://sitecheck.sucuri.net to run a scan. Type in your domain name; if the scan detects the Pharma Hack (or any other malware) you will see an alert:

Read More

Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number of Joomla sites hacked and used in a blackhat SEO SPAM campaign consisting of thousands of infected web sites. Most of them are small and running old, vulnerable versions of Joomla (1.0 and < 1.5.14).

This is how they show up in our scanner:

They all had the following code added to their index.php file, which contacts 188.72.201.11 and 209.160.33.108 to retrieve the list of links to display:

Read More

Weekly Malware Update – 2010/Feb/11

Weekly malware update. You can track all updates by following our malware_updates category.

*If your site has been affected by any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help, or if you want to share some information with us.

Pharma / Blackhat SEO Spam by stat-tracker.info and others

We are tracking a large number of web sites that got hacked and are redirecting users to pharmacy-related domains. All the sites had the following code added to their PHP files:

The code redirects the user only if they came from a search engine. Domains used in these attacks (among many others):

stat-tracker.info
listita.info
babbyboom.ru
startds.net
agency-translation.com
bbt-tv.ru
dl.newsite.in

These domains just act as intermediaries before sending the user on to sites like http://centerpills.com/ and similar (selling fake pharmacy-related products).

For hosting providers, I recommend blocking the following IP addresses: 178.238.134.8, 194.28.172.37 and 88.198.16.186.

All the infected sites were running old/vulnerable versions of web applications. So make sure to keep your sites updated!
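Several posts on this page describe content that a normal visitor never sees: the Grameen post mentions spam shown only to crawlers, the Thai ministry post mentions hidden links, and the stat-tracker post describes a redirect that fires only when the visitor arrived from a search engine. The detection step in the clean-up guide (search Google for your own site) is one way to notice this; the following added example (not Sucuri's scanner, nor code from any of the campaigns) is the direct check a site owner can run against their own site: fetch the same page as a browser, as a crawler, and as a browser arriving from a search result, then compare. The User-Agent and Referer strings are illustrative, the page_url and the response shape are this example's own conventions, and constructed_fetch is a constructed stand-in for a compromised site using two domains named on this page as sample values. live_fetcher builds the same kind of callable for a real URL using only the standard library.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Three views of the same URL: a plain browser, a search-engine crawler, and a browser
# arriving from a search result page (the case a referrer-keyed redirect is built around).
PROFILES = {
    "browser": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox", "Referer": ""},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                "Referer": ""},
    "from_search": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox",
                    "Referer": "http://www.google.com/search?q=site+name"},
}
VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements that never get an end tag


class LinkCollector(HTMLParser):
    """Collects every href on a page and whether it sits inside a hidden container."""

    def __init__(self):
        super().__init__()
        self.links = []    # [(href, hidden), ...]
        self._stack = []   # (tag, hidden) for currently open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        parent_hidden = self._stack[-1][1] if self._stack else False
        hidden = parent_hidden or "display:none" in style or "visibility:hidden" in style
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))
        if tag not in VOID:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Tolerate sloppy (or injected) markup: pop back to the nearest matching open tag.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def audit(fetch, page_url):
    """fetch(headers) -> {"status": int, "headers": dict, "body": str}. Returns findings."""
    views = {name: fetch(headers) for name, headers in PROFILES.items()}
    browser_hrefs = {h for h, _ in collect_links(views["browser"]["body"])}
    crawler_links = collect_links(views["crawler"]["body"])
    search = views["from_search"]
    hdrs = {k.lower(): v for k, v in search["headers"].items()}
    location = hdrs.get("location") if 300 <= search["status"] < 400 else None
    return {
        # served to the crawler but not to a human visitor: classic cloaked SEO spam
        "crawler_only_links": sorted({h for h, _ in crawler_links} - browser_hrefs),
        # inside display:none / visibility:hidden containers in the crawler view
        "hidden_links": sorted(h for h, hidden in crawler_links if hidden),
        # a redirect issued only because the visitor arrived from a search engine
        "search_referrer_redirect": location,
        "redirect_leaves_site": bool(location)
        and urlparse(location).netloc not in ("", urlparse(page_url).netloc),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def live_fetcher(url):
    """Build a fetch(headers) callable for a real URL you own (not used by the sample run)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(headers):
        req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
        try:
            with opener.open(req, timeout=15) as resp:
                return {"status": resp.status, "headers": dict(resp.headers),
                        "body": resp.read().decode("utf-8", "replace")}
        except urllib.error.HTTPError as err:  # includes the 3xx we refused to follow
            return {"status": err.code, "headers": dict(err.headers), "body": ""}
    return fetch


def constructed_fetch(headers):
    """Constructed stand-in for a compromised site; not a capture of any real site."""
    if "google.com/search" in headers.get("Referer", ""):
        return {"status": 302, "headers": {"Location": "http://stat-tracker.info/in.php?x=1"}, "body": ""}
    body = '<html><body><p>Welcome to the site. <a href="/about">About us</a></p>'
    if "Googlebot" in headers["User-Agent"]:
        body += ('<div style="display: none"><a href="http://centerpills.com/">cheap pills</a> '
                 '<a href="http://basicpills.com/">online prescription drugs</a></div>')
    return {"status": 200, "headers": {}, "body": body + "</body></html>"}


if __name__ == "__main__":
    for key, value in audit(constructed_fetch, "http://example.com/").items():
        print(f"{key}: {value}")
```

Any non-empty crawler_only_links or a search_referrer_redirect that leaves the site is a strong indicator of exactly the cloaking these posts describe. Swap constructed_fetch for live_fetcher("http://yoursite.example/") to check your own site; run it from a network the site does not treat specially, since some of the injected code keys on the client IP as well as on the referrer and User-Agent.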


To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.