
Blackhat SPAM SEO From – Targeting Joomla

We are tracking another Blackhat SEO SPAM network being managed by By the name of the domain, you can guess that they are targeting Joomla sites.

When you visit a compromised site, you don’t see anything wrong, but if you view the source, there is a large block of spammy links hidden in there:

<span style="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px">
<a href="http://www&#46nigeriavillagesquare&#46com/t3-assets/css/index&#46php">ACD
 Systems Canvas 11 with GIS Plus</a><br><a href="http://www&#46nigeriavillagesquar…. hundreds more links…

All those links are generated by (or global.php), which gets called on the Joomla site by the following code added to the template's index.php:

<?php readfile("");

If you have a Joomla site, make sure it is updated. You can check whether it has been compromised with this crud by viewing the source of your site, or by scanning it here: Sucuri SiteCheck. If you see a warning about SEO SPAM on our scanner, you know your site is hacked.
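One way to automate the two manual checks above (a hidden link block in the served HTML, and a remote `readfile()` in the template source), as an added example that is not code from the original post. The function names, the `min_links` threshold and the sample hosts are assumptions, and matching `display: none` goes beyond the `visibility: hidden` style shown in the sample.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element from visitors but not from crawlers.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# readfile() called with a literal http(s) URL, the form of the injected line.
REMOTE_READFILE = re.compile(r"readfile\s*\(\s*[\"'](https?://[^\"']+)[\"']", re.I)

class HiddenLinkFinder(HTMLParser):
    """Collects the hrefs inside each element hidden by its inline style."""
    def __init__(self):
        super().__init__()
        self.blocks, self._tag, self._depth, self._links = [], None, 0, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self._tag is None:
            if HIDDEN_STYLE.search(attrs.get("style") or ""):
                self._tag, self._depth, self._links = tag, 1, []
        else:
            self._depth += tag == self._tag   # nested element of the same type
            if tag == "a" and attrs.get("href"):
                self._links.append(attrs["href"])   # &#46 is already decoded to "."

    def handle_endtag(self, tag):
        if tag == self._tag:
            self._depth -= 1
            if self._depth == 0:
                self.blocks.append(self._links)
                self._tag = None

def hidden_link_blocks(html, min_links=3):
    """Return the link list of every hidden element with >= min_links anchors."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    blocks = finder.blocks + ([finder._links] if finder._tag else [])  # unclosed block
    return [b for b in blocks if len(b) >= min_links]

def remote_readfile_urls(php_source):
    """Return every URL passed as a string literal to readfile()."""
    return REMOTE_READFILE.findall(php_source)

# Constructed samples with placeholder hosts; not taken from a real site.
SAMPLE_HTML = ('<span style="visibility: hidden; position: absolute">' + "".join(
    f'<a href="http://www&#46shop&#46example/{n}&#46php">x</a><br>' for n in "abc") + "</span>")
SAMPLE_PHP = '<?php readfile("http://spam-host.example/global.php"); ?><?php echo $t; ?>'

if __name__ == "__main__":
    print(hidden_link_blocks(SAMPLE_HTML), remote_readfile_urls(SAMPLE_PHP))
```

Run `hidden_link_blocks` on the HTML your server actually returns and `remote_readfile_urls` on each template `index.php`; any non-empty result deserves a manual look.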

What’s interesting is that if you search for on Google, you will get thousands of sites found because of this warning:

“Warning: readfile(” failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or …

That probably happened when the joomlapoject site was down, causing all those errors.


  • ender283

    This particular SEO SPAM is not Joomla specific. It has also targeted non-Joomla targets (such as wordpress and independent platforms). Although it uses the address “joomlapoject” (with the missing ‘r’) it does not have to do with Joomla. A breach like this is a direct access issue (usually a compromised FTP account). So updating Joomla (although always a good idea) will most likely not solve this issue. I hope this helps someone who is in a similar situation.