Link injection, basicpills dot com and Blackhat SEO spam

For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 212.117.161.190).

They basically infected thousands of WordPress sites and inject spam links directly in their databases (the wp-post table). These are some of the links you will see in an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts making it hard to identify where the dirty links are, and even more of a challenge to remove them. In some of these sites, we’ve seen the attackers create new admin users allowing access back to the site at any time.

Another worrying point is that these spam domains seem to rank pretty well on Google. Their antics seem to be working, just Google for “Buy generic drugs without prescription” for an example:

Whois information for those domains (same people):

Registrant:
Pavel freeh0st@mail.ru +3.80444515342
getrxpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Registrant:
Pavel dext@coreimpacts.com +3.80444515342
basicpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Here are some of the infected sites (according to Google all of these domains seem to be shared hosts):

freshdaily.ca
aka.me
www.hugeog.com
www.intrepidusa.com
innovationinteaching.org
spinorbinmusic.com
www.caerlas.org.uk
www.slcan.org
chicagopublictransit.org
acme-web-design.info
idevicepro.com
www.unifemcar.org
aiisf.org
www.jimhudson.org
www.f2a.org
www.aafcs-ca.org
www.jazzbassment.com
ffw.com.br (popular Brazilian portal)
www.b2b-i.com
www.winnipegfolkfestival.ca
www.awrta.org
legoengineering.com
wemc.org
www.ssta.org
www.zentra.com
recitpresco.qc.ca
guildhall.smu.edu
dcms.beloit.edu
timecapsule.asu.edu
moodle.westwind.ab.ca
www.searchengineacademy.com


For the site owners out there, you can check if your site has been infected by scanning it with Sucuri Sitecheck. Sitecheck is our free malware and spam scanner. It will show you if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file. If you need help cleaning up the mess, send us an email support@sucuri.net or over at Sucuri.

If you have any questions or comments, please let us know.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Sven

    How do they inject spam via the wp-post table? And how do they created new admin users?

    These are essential questions to be able to stop it on our side (WP users)

  • Dagbar

    I have been hit with this on every hosted WP site I run Multi domain names all latest WP code Strong passwords I dont use wp_ for SQL prefix. I am about to lose my mind trying to stop this.

  • Pingback: Solution for the link injection spam from basicpills | Sucuri()

  • Pingback: Link injection on hacked WordPress sites – Blackhat SEO spam | Sucuri – seo()

  • http://www.cottonrohrscheib.com Cotton Rohrscheib

    This is getting extremely frustrating, we have removed these things several times and rescanned to see that we were okay and in only a matter of hours we saw that we had malware again. We have also looked at several posts out there outlining how to remove this hack but none of them seem to work. Any suggestions?

  • Pingback: Rebuilding From Scratch « Access This()

Share This