Mass Compromise of Sites at gogvo.com – SEO Spam

A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills which injects a ton of spammy pharma links all over compromised site (It infiltrates WordPress and attacks the wp-posts table).

So what’s that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, sometimes something else but similar. The seem to have changed tactics, now they are injecting links to an image directory, like:

<a href="http://qgas.co.uk/images/"> Buy Levitra Without Prescription</a>

If you click on any of the images, you are shown a pharma page:

In this specific case, all of sites are hosted at gogvo.com (in the 97.79.238.0/24 and 97.79.239.0/24 networks):

http://extremeaffiliatemarketing.com/images/
http://qgas.co.uk/images/
http://onenetcenter.com/images/
http://americanlandowners.com/images/
http://bikerchickz.ws/images/
http://24hourfsbo.com/images/
http://www.wichitabroadband.com/images/
http://marketing4profit.info/images/
http://affiliatemarketingsecretsvault.com/images/
http://jtc-enterprises.com/images/
http://bcbgdressdiscount.com/images/
http://bukitmerahyouth.org/images/
http://joanbeaulieu.com/images/
http://www.yaleaasa.org/images/
http://blogtorn.com/images/
http://igot-rippedoff.com/images/
http://www.aboutyourhealthyliving.com/images/
http://comunicar.org/images/
http://seeavision.com/images/
http://ebookcenters.com/images/
http://passionoflife.net/images/
http://autoresponder.mm-project.com/images/
http://arelysfranken.com/images/
http://beautifulsummermorning.com/images/
http://unitedretek.co.uk/images/

UPDATE, more domains:
http://takeafreecruise.com/images/
http://teambuildnetwork.org/images/
http://onedollar.mm-project.com/images/
http://over50losingweight.com/images/
http://passionoflife.net/images/
http://joanbeaulieu.com/images/

That’s just a few that we’ve found in the beginning of our analysis. As we started to check for more compromises, we found thousands of sites hosted at gogvo.com (in their gvo datacenter) that had spam in the images directory.

If you have a site hosted with gogvo.com, check it as soon as possible to make sure it is not hacked, and not being used by spammers.

If you have a WordPress site, also make sure it does not have those links injected in the database.

3 comments
  1. When I first started with WordPress about two years ago I made the mistake of forgetting an update on a site that I hadn’t used in a while and got hit by this kind of problem. With Thousands of posts to filter through it was a pain to repair the site so I feel for anyone that has this problem. Since then I’ve learned my lesson and won’t ever let a site slip through my fingers again. Great article on here though It would have been nice when it happened back then to have a post that explained a quicker way to filter through and clean everything out. SQL scrubbing is a bitch…

Comments are closed.

You May Also Like