Malicious WordPress Subdirectory Installs For SEO Spam

October 25, 2016 | Fernando Barbosa


Remediating over 500 infected sites per day, we see attacks executed at varying levels of complexity. The tactics attackers use to compromise a site provide insight into their motives.

Some write elegant code and cover their trails carefully, while others create simple attacks that can be applied broadly but aren’t well concealed.

Spammers never cease in their quest to make use of resources of hacked sites, especially in black hat SEO schemes. In most cases, spam injections and doorway scripts are quite hard to detect. This case however, was different in that the attackers did not put much effort into hiding their presence from the website owner.

Abusing Server Resources

In this spam investigation, we analyzed a case in which the attackers were hacking sites to profit from their SEO and take advantage of server resources. The technique consists of abusing storage and database resources by installing spammy WordPress sites (Oakley and Ray Ban spam in our case) in subdirectories of the original site. We have seen instances of this before and apparently the tactic is still working for spammers.

Below is an example of a subsite that was installed on the hacked WordPress site.

[Image: Spam WordPress site installed in a subdirectory. Caption: Malicious WordPress install used for spam in a subdirectory on the hacked server.]

Unlike malicious redirects or defacements, this type of hack does not change the appearance of the infected site. The tactic used here includes hiding malicious sites within the legitimate site’s directory. By installing their spammy sites in subdirectories, they often avoid detection by the website owner while still abusing their resources. Website owners who don’t monitor the security of their site may not discover the attack until they hear complaints from visitors, get blacklisted, or receive a notification from their hosting provider.

Identifying Patterns

With SEO spam, there seems to be no end in sight; hackers continue to develop new ways of infecting sites. In order to combat this, a critical responsibility of our research and remediation teams is to identify patterns.

During our investigation, we identified three similarities amongst websites infected with this type of injection.

  1. The attackers added two directories in the site root (./oakleyer and ./raybaner), each containing a WordPress installation (v4.0.12).
  2. The attackers took the database credentials from the original site’s wp-config.php and used different table prefixes for the spammy WordPress subsites, so the subsites share the legitimate site’s database while keeping their own tables.
  3. Four additional files in both ./oakleyer/wp-admin and ./raybaner/wp-admin automated blog management:
     • etchk.php – checks whether a post with a given title already exists in the database.
     • etpost.php – creates or updates spam posts in the database.
     • etreply.php – posts comments.
     • map.php – generates sitemaps for the spam subsites.

Instead of using the XML-RPC API (a remote procedure call interface) to update the subsites, the attackers dropped four .php files into wp-admin to automate WordPress management. Automating blog management this way lets them update posts and comments on many spammy subsites at once.
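The three patterns above can be checked mechanically. The following is an added example (not code from the post or from Sucuri): it walks a WordPress document root, reports any nested wp-config.php, compares its DB_NAME/DB_USER/DB_HOST and $table_prefix against the top-level install, and lists which of the four automation files are present in the nested wp-admin. The directory layout, credentials and file names it builds are a constructed fixture mirroring the post, not real data.

```python
import os
import re
import tempfile

# Automation helpers the post found in each spam sub-site's wp-admin directory.
SUSPECT_ADMIN_FILES = {"etchk.php", "etpost.php", "etreply.php", "map.php"}
DEFINE_RE = re.compile(r"define\(\s*['\"](DB_NAME|DB_USER|DB_HOST)['\"]\s*,\s*['\"]([^'\"]*)['\"]")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")

def parse_wp_config(path):
    """Extract DB credentials and $table_prefix from a wp-config.php."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    cfg = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    cfg["prefix"] = match.group(1) if match else None
    return cfg

def find_nested_installs(root):
    """Report every wp-config.php below the site root: does it reuse the parent's
    database under another prefix, and which automation files sit in its wp-admin?"""
    parent = parse_wp_config(os.path.join(root, "wp-config.php"))
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root or "wp-config.php" not in filenames:
            continue
        sub = parse_wp_config(os.path.join(dirpath, "wp-config.php"))
        admin = os.path.join(dirpath, "wp-admin")
        present = set(os.listdir(admin)) if os.path.isdir(admin) else set()
        findings.append({"path": os.path.relpath(dirpath, root), "prefix": sub["prefix"],
                         "shares_db": all(sub.get(k) == parent.get(k) for k in ("DB_NAME", "DB_USER", "DB_HOST")),
                         "automation_files": sorted(SUSPECT_ADMIN_FILES & present)})
        dirnames[:] = []  # a nested install is one finding; don't descend into it
    return findings

def build_sample_site():
    """Constructed fixture mirroring the post's layout (sample values, not real data)."""
    root = tempfile.mkdtemp()
    creds = ("define('DB_NAME', 'site_db');\ndefine('DB_USER', 'site_user');\n"
             "define('DB_HOST', 'localhost');\n")
    files = {"wp-config.php": creds + "$table_prefix = 'wp_';\n",
             "oakleyer/wp-config.php": creds + "$table_prefix = 'oak_';\n"}
    for name in SUSPECT_ADMIN_FILES | {"index.php"}:
        files["oakleyer/wp-admin/" + name] = "<?php\n"
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

Run `find_nested_installs("/path/to/docroot")` against a real install; a finding with `shares_db` true and a non-empty `automation_files` list matches all three patterns at once.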

Utilizing Google Search Console

How do you know if an attacker is spamming your site?

While not a comprehensive check, a quick one can easily be done via Google Search Console. If you see unrelated search queries bringing traffic to your site, it’s a strong indication of an SEO hack. A simple search of [site:your-site-domain-here.com cheap] can also provide insight. Keywords like “cheap” and “free” are often used by spammers, so they are good terms to check if you suspect that your site may be hacked. If the search returns pages that don’t belong to your site, spammers may be using it.

In this case, it was easy to identify the malicious directories in the site root. The straightforward naming conventions (./oakleyer and ./raybaner) used for the additional directories clearly indicated that we had found the sunglasses spam location. However, it is unrealistic to manually check the integrity of your site’s files and directory structure consistently. In fact, many hackers count on the fact that website owners are not staying vigilant.

A more reliable approach is integrity monitoring of your server file structure as part of a complete website security solution.


Categories: WordPress Security
Tags: Malware Updates, Obfuscation, SEO Spam, Server Security

About Fernando Barbosa

Fernando Barbosa is Sucuri's Software Development Manager and joined the company in 2012. Fernando's main responsibilities include leading Sucuri's backend teams and engineering solutions for our suite of security products. His professional experience also covers five years of malware analysis and incident response. When Fernando isn't working, you might find him spending time with his family. Connect with Fernando on Twitter.

Reader Interactions

Comments

  1. Waqas

    October 28, 2016

    Wow crazy heads can find new ways.

  2. Sukanta Das

    October 31, 2016

    Dear Barbosa,
    Thanks for your important tips about SEO attacks! Please keep updating the information.
    Thanks,
    S.Das
    CEO – SEO Company in India

  3. LZ

    November 8, 2016

    The question I have with this attack is why? I doubt Oakley or Ray Ban are part of this, so what does the hacker have to benefit? This seems very odd to me. Can anyone shed light on what the purpose of this attack is?
