For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 18.104.22.168).
They basically infected thousands of WordPress sites and inject spam links directly in their databases (the wp-post table). These are some of the links you will see in an infected site:
<a href="http://basicpills . com/">online prescription drugs without a prescription..
<a href="http://generic-ed-pharmacy . com/">Buy Generic Viagra Onlin.
<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..
What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts making it hard to identify where the dirty links are, and even more of a challenge to remove them. In some of these sites, we’ve seen the attackers create new admin users allowing access back to the site at any time.
Another worrying point is that these spam domains seem to rank pretty well on Google. Their antics seem to be working, just Google for “Buy generic drugs without prescription” for an example:
Whois information for those domains (same people):
Pavel email@example.com +3.80444515342
Pavel firstname.lastname@example.org +3.80444515342
Here are some of the infected sites (according to Google all of these domains seem to be shared hosts):
ffw.com.br (popular Brazilian portal)
For the site owners out there, you can check if your site has been infected by scanning it with Sucuri Sitecheck. Sitecheck is our free malware and spam scanner. It will show you if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file. If you need help cleaning up the mess, send us an email email@example.com or over at Sucuri.
If you have any questions or comments, please let us know.