Skip links

More spam: C&C server

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is all of them have been controlled by just one site:

And when this site went down, guess what is showing up on Google:

Yes, that’s around 202k different pages that have been hacked and are showing up those results. When the was up, instead of that error it would spill SPAM to search engines (5 mg tadalafil, viagra, etc).

Just some of the affected sites: (Archaeological Institute of America) (Center for sustainable Energy) (International Emissions trading association) (European Financial planning association)

Finding them on Google is pretty simple as well: ” 5mg tadalafil” or you can also search for: “” “Warning: file_get_contents” which is what happens when you try to access a hacked site and the google-traffic-analytics site is offline.

As far as cleaning up an affected site, it looks like the attackers added a base64 encoded eval inside the index.php file to load and present the SPAM if the request came from a search engine. Cleaning that up should be enough to remove the spam/error itself, but you still have to find the root cause that allowed your site to get hacked.

We will post more details when we have them.

Need help with a hacked site? Check out for a complete malware removal and site monitoring solution.

  • marc

    thanks for this post! I’m working on the website and i just deleted several php files from the root directory (c.php, l.php, cart.php, etc.) and a load of files in our img directory. Wondering if there is anything else to do, but wait and see if our search results recover?

    I’m not sure that I understand the connection to – do you think there are any specific fixes to do here? So far, I’ve only deleted files and changed the ftp password…

  • Eobyte

    My website was being redirected to They had added a line to my index.php that started with “if($_SERVER[base64_decode” and continued on with a bunch of junk. it was on line 2. I restored the original file but probably could have just deleted that line. Additionally, in my root folder, the file .htaccess had one line added in the middle of the file. It read “RewriteRule ^(p=.*)$ index.php?$1”. My site is back to normal but I don’t yet know how to prevent it again. I hope this helps.