Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by, and many other pharma-related domains (mostly located at and

The method used is very simple: the attackers inject a single spam link into every post of the web site (generally WordPress). These are some of the links you will see on an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:

Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.
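Because the domain and anchor text change on every post, searching for one fixed string misses most of the injections. The triage script below is an added example, not Sucuri's scanner: it flags external links whose host or anchor text contains pharma wording, tolerating the stray spaces and mismatched quotes seen in the samples above. The keyword list, the function names and the sample posts are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed keyword list; extend it with terms found during your own cleanup.
PHARMA_TERMS = ("prescription", "pharma", "cialis", "levitra", "viagra", "pills")
Q = "\"'\u201c\u201d"  # straight and curly quotes; injected markup is often mangled
# Anchor text runs to the next tag, so links missing </a> are still captured.
A_TAG = re.compile(rf"<a\b[^>]*?\bhref\s*=\s*[{Q}]?([^{Q}>]*)[^>]*>([^<]*)", re.I)

def squash(s):
    """Lowercase and drop whitespace so 'lev itra' or 'site . com' still match."""
    return re.sub(r"\s+", "", s).lower()

def find_spam_links(posts, own_host):
    """posts maps post id -> HTML body. Returns [(post_id, host, anchor_text)]."""
    hits = []
    for post_id, html in posts.items():
        for href, text in A_TAG.findall(html):
            try:
                host = urlsplit(squash(href)).hostname or ""
            except ValueError:
                continue  # malformed URL, nothing to classify
            if not host or host == own_host or host.endswith("." + own_host):
                continue  # relative or internal link
            # Match on the pattern (external host + pharma wording), not on a
            # fixed domain or phrase, because both rotate from post to post.
            if any(term in squash(text) + host for term in PHARMA_TERMS):
                hits.append((post_id, host, text.strip()))
    return hits

def summarize(hits):
    """Infected post ids and per-host counts, for review before cleanup."""
    return sorted({pid for pid, _, _ in hits}), Counter(h for _, h, _ in hits)

SAMPLE_POSTS = {  # constructed sample data; hosts use reserved test domains
    101: '<p>Trip report.</p><a href="http://rx-store-one.example/">online prescription drugs</a>',
    102: '<p>Recipe.</p><a href="http://meds-two . example/buy/x.html\u201d>lev itra 10 mg..',
    103: '<p>See <a href="/about">about</a>, <a href="http://blog.example.org/x">x</a>'
         ' and <a href="https://wordpress.org/">WordPress</a>.</p>',
}

if __name__ == "__main__":
    posts, hosts = summarize(find_spam_links(SAMPLE_POSTS, "blog.example.org"))
    print("posts with injected links:", posts)
    print("hosts:", dict(hosts))
```

Run it over the `post_content` column exported from the WordPress database and review the hits by hand, since a site that legitimately writes about medication will trigger the same keywords.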

If you need help cleaning up the mess, send us an email, or visit us over at Sucuri.

If you have any questions or comments, please let us know.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Tozzophoto

     Is there any way to update the cleaning script?  Does removing xmlrpc help stop this kind of attack?

  • Delving Eye

    I had Blackhat SEO 1720 on my blog, which means I couldn’t view or log in to the blog from my computer, though the blog looked perfectly fine to everyone else. Just not me, the administrator.

    So, I used another computer to remove this nasty tag by doing the following:

    CHANGED PASSWORD TO A *STRONG* ONE. Do this first before any other step.
    DEACTIVATED, THEN DELETED ALL PLUG-INS. (You can reinstall them after you’ve “cleaned up.”)
    RELOADED LATEST VERSION OF WORDPRESS (even if you already are updated, which I was).

    For me, deleting the plug-ins (I was using Akismet and Snow Fall) did
    the trick. But it’s a good idea to do all the above steps. Afterwards, it’s safe to
    reinstall the plug-ins that you want. Use the latest versions.

    BTW, as I was deleting each plug-in (I did them one at a time to see
    if that one was the culprit), I was getting one new Comment per
    deletion. It was from a Spam site, obviously pinging back to my blog
    with each Blackhat injection that I was deleting!! Incredible. (Like
    when my wallet was stolen, I went to my bank and the officer could watch
    on her screen each attempt the thief made to use my credit card. Ha!
    I’d already disabled them! Gotcha! Yes, the thieves were caught and went to

    That’s why it’s important to change your password FIRST, so when you
    are cleaning your blog of this malware, the idiot on the other end
    cannot get back in.

    So, happy ending. Annoying AVG pop-up is gone, and I’m back
    in my blog. Plus, I didn’t have to transfer any of my
    files/posts/photos/etc., which would have been a real drag. (Boy,
    getting hacked feels like a home invasion. It really put a crimp in the
    last few days. Grrr!)

    BTW, can somebody please disable Steve York in Sugar Hill, GA?

    • Delving Eye

      UPDATE: My husband’s blog had this same BlackHat SEO malware on it, with a slight variation: He could get into his blog but viewers could not — they got the black-squared AVG message.

      He removed all plugins, changed his password and then installed this plugin: Anti-Malware by ELI (Get Off Malicious Scripts). It is rated 5 stars. He then Activated the plugin, and ran it. It cleaned his blog and threw the virus into quarantine. Problem solved.
