All the sites at the Walmart Community network hacked

  • May 20, 2010

We posted a few weeks ago that the main site for the Walmart community network was hacked. Well, the problem is a lot bigger than that.

They have web sites for different cities and most of them are hacked too. For example:

  • http://arkansas.walmartcommunity.com/ (65.61.140.162) – SEO spam
  • http://florida.walmartcommunity.com ( 65.61.167.225) – SEO spam (only visible to google)
  • http://chicago.walmartcommunity.com ( 65.61.140.161 ) – SEO Spam
  • http://chicago.walmartcommunity.com/wp-includes/8pmax/ – Fake AV (when coming from google
  • http://philadelphia.walmartcommunity.com/ ( 65.61.167.225 ) – SEO Spam

And probably every one of them, since I just checked the ones from their front page. But they are all using WordPress 2.8.4, hosted a Rackspace and configured the same way.

For example, if you visit the Chicago branch from a Google search of “2008 ford 250 pick trucks” or “monster trucks at jennerstown speedway 2008”, this is where you will be redirected:


Yes, that nasty “fake AV” virus. But if the request is coming from Google itself (the crawler), the page is presented clean with a lot of good keywords:


Why is that? The attackers did that so Google will be able to index the good pages full of keywords, but when a normal user searches and visits the link, they are redirected to a virus page.

As far as the other sites, they are mostly being used by the attackers to increase their PR on google with Spam keywords. That’s the output of our scanner:

This attack is very similar to the one against lean.mit.edu (which is still hacked) and many others. What is interesting is that I am seeing sites hacked where they are using the Walmart sites as their “base” to spread malware:

l'
epayrie white table wine

coffee accessories gevalia

overdraft protection helps

Wake up Walmart! And yes, I tried to contact them and got no reply…

As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
Related Categories
You May Also Like