Link injection on hacked WordPress sites – Blackhat SEO spam

The last few months we’ve been tracking, and helping webmasters affected by a very large blackhat SEO spam campaign initiated by, and many other domains located at

This campaign has infected thousands of WordPress sites, and has injected spam links directly into their databases (the wp-post table). These are some of the links you will see in an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The content changes as they inject spam links into the database. The spam links are all related to pharmacy products leading you to one of the following domains:

The biggest annoyancece for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags) on ALL their posts. This makes it particularly difficult to identify and fix manually (especially on large sites).

Here is the Whois information for the people responsible for this attack:

Nikolaj Brakoveckij
61100, Kharkov, Petra Slinko, 9, 3
Kharkov, 61100

Pavel +3.80444515342
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Pavel +3.80444515342
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • terehoff

    Serious russian webmasters lol!

  • Pingback: Link injection on hacked WordPress sites – Blackhat SEO spam | Sucuri - MissionEssays()

  • Pingback: 信息安全半月谈 InfoSec Review Biweekly 016 » 信息安全播客()

  • Mark

    Which hosting companies were affected?

  • Pingback: How can I clear my Wordpress blog of malicious scripts and the subsequent search issues? - Quora()

  • Hindi SMS

    well i recently saw an blog which was infected as well with some links. I am really happy to find that sucuri site to scan my blog also i sign up there to track the status.

  • Laura Edgar

    Hi good to join your site. I did find some blackhat links as comments on one of my pages sorry I already deleted them. But I don’t think the spammers went any further than comments. Except that about a week to 2 weeks ago I guess it was my website was pounded with login hits. I tried blocking the IP and it didn’t work. I tried limit login attempts and it wouldn’t work. It was like the bot had latched on like a tic and nothing could pull it out. Finally I added a free plugin called “Project Force Field” as soon as I installed it the hits stopped. I don’t know if it was a coincidence and the bot had actually given up after over 24 hrs of hits or the plugin worked. But it’s a good plugin I believe. It doesn’t effect log in or anything UNLESS there is a brute force strike then it kicks into action. I added it to my other sites just to make sure they aren’t vandalized. I felt so helpless while the attack was happening because nothing was able to stand up to it. I even put the site into “maintenance mode” and that didn’t stop the blast of login attempts. I have Securi free version and also had it at the time so I suppose that’s why it couldn’t actually break through to my database. David Dede and Sucuri thank you so much for your work to protect our WordPress sites. I kinda wish that there were some better laws in place against viscous hackers but I am afraid the new laws would just be used against the innocent in the long run.

Share This