Solution for the link injection spam from basicpills

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedius task to go through thousands of posts manually removing each link spam…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

antibiotics-shop.com
basicpills.com
generic-ed-pharmacy.com
getrxpills.com

How to run it?

  1. Right click on this link and save as spam-postremoval.txt
  2. Rename the file to spam-postremoval.php and upload to your site via FTP (or SFTP)
  3. Open your browser and go to yoursite.com/spam-postremoval.php
  4. Let the script run and you are all set!

That should remove the malicious links from all your posts. If you need any help, send us an contact us via email – Sucuri Security Plugin to harden your WordPress web sites (just go to the 1-click hardening menu in the plugin).

12 comments
  1. Thanks for the removal tool.

    I have yet not received injections of spam or new admins, but would like to be able to prevent theme for entering spam directly to my database and to add new administrator.

    How do I do that?

  2. the script removed all spam, but all my special characters from my posts like ăîţş were transformed into “?”

  3. Pingback: Hacked
  4. Thank you!  I’ve only recently begun using WordPress, and this has been happening repeatedly.  It has been a pain to either edit each post or delete them all and restore from a back-up.  I don’t understand how this works, but it seems to have removed the spam links.

  5. Am I making a mistake? The script won’t run…it takes me to gray screen that lists the contents of my server.

  6. @0ac56170311eaf397d846dced14314ca:disqus

    There is a bug in the script , the title is not ended, and  the end of the script should have /pre /body /html

    There are also way more sites than in the version you can download here.

    I have sent an updated script to Sucuri support

  7. The link provided to the spam-postremoval.txt file is dead. Any possible way to get an updated working link? Would be of great help. Thanks!

Comments are closed.

You May Also Like