This campaign has infected thousands of WordPress sites, and has injected spam links directly into their databases (the wp-post table). These are some of the links you will see in an infected site:
<a href="http://basicpills . com/">online prescription drugs without a prescription..
<a href="http://generic-ed-pharmacy . com/">Buy Generic Viagra Onlin.
<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..
The content changes as they inject spam links into the database. The spam links are all related to pharmacy products leading you to one of the following domains:
The biggest annoyancece for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags) on ALL their posts. This makes it particularly difficult to identify and fix manually (especially on large sites).
Here is the Whois information for the people responsible for this attack:
Nikolaj Brakoveckij firstname.lastname@example.org
61100, Kharkov, Petra Slinko, 9, 3
Pavel email@example.com +3.80444515342
Pavel firstname.lastname@example.org +3.80444515342
For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.
If you have any questions or comments, please let us know.