Sucuri Blog

Link injection, basicpills dot com and Blackhat SEO spam

March 12, 2011 | David Dede

For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 212.117.161.190).

They have infected thousands of WordPress sites and injected spam links directly into their databases (the wp_posts table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..

What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts, making it hard to identify where the dirty links are and even harder to remove them. On some of these sites, we’ve seen the attackers create new admin users, allowing access back to the site at any time.

Another worrying point is that these spam domains seem to rank pretty well on Google. Their antics seem to be working; just search Google for “Buy generic drugs without prescription” to see an example.

Whois information for those domains (same people):

Registrant:
Pavel freeh0st@mail.ru +3.80444515342
getrxpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Registrant:
Pavel dext@coreimpacts.com +3.80444515342
basicpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Here are some of the infected sites (according to Google all of these domains seem to be shared hosts):

For the site owners out there, you can check if your site has been infected by scanning it with Sucuri Sitecheck. Sitecheck is our free malware and spam scanner. It will show you if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file. If you need help cleaning up the mess, send us an email at support@sucuri.net or contact us over at Sucuri.
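
One way to run the database check yourself, as an added example that is not from the original post or Sucuri's tooling: the script below flags posts that link to the three domains named above and lists administrator accounts you do not recognise. The function names, the sample rows and the known-admin list are assumptions; `capabilities` is the serialized role value WordPress stores in its usermeta table.

```python
import re
from urllib.parse import urlsplit

# Domains named in the post; add any others you find on your own site.
SPAM_DOMAINS = ("basicpills.com", "generic-ed-pharmacy.com", "getrxpills.com")

# Capture the href of every anchor, even an unclosed one or one dropped inside another tag.
HREF_RE = re.compile(r"""<a\b[^>]*?\bhref\s*=\s*["']?\s*([^"'\s>]+)""", re.I)

def spam_domains_in(post_content):
    """Return the sorted campaign domains that one post body links to."""
    found = set()
    for url in HREF_RE.findall(post_content):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:          # malformed URL, e.g. a broken IPv6 literal
            continue
        for domain in SPAM_DOMAINS:
            # Exact host or a subdomain; "notbasicpills.com" must not match.
            if host == domain or host.endswith("." + domain):
                found.add(domain)
    return sorted(found)

def scan_posts(rows):
    """rows: (ID, post_content) pairs, e.g. from SELECT ID, post_content FROM wp_posts
    (adjust the table prefix). Returns {ID: [domains]} for posts that need cleaning."""
    hits = ((post_id, spam_domains_in(body)) for post_id, body in rows)
    return {post_id: domains for post_id, domains in hits if domains}

def unexpected_admins(users, known_admins):
    """users: (user_login, capabilities) pairs. Returns administrator logins
    that are not in known_admins, the accounts to investigate first."""
    return [u for u, caps in users if '"administrator"' in caps and u not in known_admins]

# Constructed sample rows, not taken from any real site.
SAMPLE_POSTS = [
    (1, 'Our spring schedule is now <a href="/events/">online</a>.'),
    (2, 'Doors open <a href="http://basicpills.com/">online prescription at 7pm.'),
    (3, '<img src="a.jpg" <A HREF=\'http://www.GetRxPills.com/buy/x.html\'>pills alt="x">'),
    (4, 'See <a href="http://notbasicpills.com.example.org/">this unrelated page</a>.'),
]
SAMPLE_USERS = [
    ("editor_jane", 'a:1:{s:6:"editor";b:1;}'),
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    ("wpsupport01", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS), unexpected_admins(SAMPLE_USERS, {"siteowner"}))
```

Run it against an export of the posts table before and after cleanup; a post ID that reappears in the report after cleaning points to a remaining way back in, such as an unrecognised admin account.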

If you have any questions or comments, please let us know.

Categories: Website Malware Infections, WordPress Security
Tags: Black Hat Tactics, Hacked Websites, Malware Updates, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Sven

    March 12, 2011

    How do they inject spam via the wp-post table? And how do they create new admin users?

    These are essential questions to be able to stop it on our side (WP users)

  2. Dagbar

    March 16, 2011

    I have been hit with this on every hosted WP site I run. Multi domain names, all latest WP code, strong passwords, I don't use wp_ for SQL prefix. I am about to lose my mind trying to stop this.

  3. Cotton Rohrscheib

    June 25, 2011

    This is getting extremely frustrating, we have removed these things several times and rescanned to see that we were okay and in only a matter of hours we saw that we had malware again. We have also looked at several posts out there outlining how to remove this hack but none of them seem to work. Any suggestions?
