Sucuri Blog

SEO SPAM network – Details of the wp-includes infection

May 25, 2010 | David Dede

We have been digging lately into a large SEO spam network that uses thousands of compromised sites to increase its page rankings and spread malware. The attacks are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress websites.

Sites compromised.

The list is big. Some of the ones that caught my eye were:

Mindtouch.com (Popular open source product)
chapters.asmconline.org (American Society of Military comptrollers)
blog.woodward.edu (university)
content.hks.harvard.edu (university)
cima.ned.org (National Endowment for Democracy)
scripts.mit.edu
web.mit.edu
badminton.mit.edu
people.oregonstate.edu
whi.wts.edu
blogs.hartwick.edu
virtualcms.net

And the list goes on and on and on…

Attack method

All the infected sites are using the latest WordPress version and have a PHP script injected inside their wp-includes directory. The script name is random and it does two things:

  1. For a search engine, it shows a bunch of keywords (cialis, viagra, movie downloads, etc.).
  2. A normal user coming from Google is redirected to a website with malware or to another site for more spam.

Example (do not click unless you know what you are doing):

http://chapters.asmconline.org/wp-includes/dh1h6/exqdmid.php?gottnci=282270
http://www.evolvingsolutions.ca/blog/wp-includes/js/tinymce/themes/advanced/images/xp/7fd66be0088be5bde44d8d7a804d5921
http://badminton.mit.edu/wp-includes/js/codepress/images/numbers.php?p=vente-viagra-en-ligne
http://blog.woodward.edu/SGA/wp-includes/js/crop/queeHoriz.php?p=buy-cialis
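A defender-side check for the injected files described above, as an added example that is not code from the original post: it lists every file under wp-includes that is absent from a known-good file list. The `known_good` manifest (paths taken from a clean copy of the same WordPress release) and the function names are assumptions, and the sample tree is constructed to mirror the paths in the example URLs.

```python
import os
import re
import tempfile

HEX_NAME = re.compile(r"^[0-9a-f]{32}$")  # extensionless, MD5-style file name

def audit_wp_includes(wp_root, known_good):
    """Return sorted [(relative_path, reason)] for files under wp-includes
    that are not in known_good, a set of relative paths from a clean copy
    of the same WordPress release (assumed to be supplied by the operator)."""
    base = os.path.join(wp_root, "wp-includes")
    findings = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
            rel = rel.replace(os.sep, "/")
            if rel in known_good:
                continue
            if name.lower().endswith((".php", ".phtml")):
                reason = "unexpected PHP script"
            elif HEX_NAME.match(name):
                reason = "extensionless hash-like name"
            else:
                reason = "file not in clean release"
            findings.append((rel, reason))
    return sorted(findings)

def demo():
    # Constructed tree: two legitimate core files plus three planted files
    # whose paths mirror the example URLs in this post.
    known_good = {"wp-includes/version.php", "wp-includes/js/crop/cropper.js"}
    planted = [
        "wp-includes/dh1h6/exqdmid.php",
        "wp-includes/js/crop/queeHoriz.php",
        "wp-includes/js/tinymce/themes/advanced/images/xp/"
        "7fd66be0088be5bde44d8d7a804d5921",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sorted(known_good) + planted:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_wp_includes(root, known_good)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:30} {rel}")
```

Comparing against a manifest rather than matching file names matters here because the injected script names are random.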

Finding more sites

Finding more sites is easy. Just search on Google for “inurl:wp-includes” and choose your preferred spam word. Examples:

Search for .org sites and viagra
Searching for airsoft eye gear
Searching for free movie download

Example 1 (Searching for Viagra on harvard.edu):

Example 2 (Viagra on blog.mindtouch.com)

The code being used is probably very similar to MW:SPAM:S2, which was used in a previous spam attack: https://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html

If you suspect your site might be infected, search for these keywords and your site name.

If your site is hacked (or has malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

Categories: Uncategorized
Tags: Hacked Websites, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Aaron Fulkerson

    May 25, 2010

    Thanks.

  2. Patrick

    May 25, 2010

    Any thought yet on the exploit vector? Seems like hosting provider is less likely. A plugin maybe?

  3. Anonymous

    May 26, 2010

    Hello
    Great work
    http://www.redalkemi.com/

  4. Indian hair

    May 26, 2010

    Thanks for your great job.
    http://www.shopindianhair.com

  5. Virtual Office

    March 25, 2012

    Use WP Security plugins and WP protection plugins to get back to the hackers

  6. web design company los angeles

    November 22, 2013

    You are exactly right about the SEO techniques, and the best is the social monkee. Thanks for sharing this great knowledge.

  7. Offshore Services.

    November 22, 2013

    Thanks for sharing this post with us…

  8. OnlinePhDUK

    November 22, 2013

    My god, very bad way to do SEO…

  9. man & van hire london

    November 25, 2013

    Thanks for sharing this informative post with us. I am really thankful to you. It's a very helpful and informative post for me and others new to SEO. Looking forward to new posts from you.
