• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Clever SEO Spam Injection

SEO Hacktool: Sitemap Generator

July 30, 2020Luke Leal

FacebookTwitterSubscribe

An XML sitemap is an important part of a website’s SEO and exists to help search engine crawlers index new URLs on your website. For example, if a site has a large number of pages that were recently updated and the owner wants Google to index their latest content, they could utilize a sitemap.xml containing all the URLs along with some metadata.

Unfortunately, blackhat SEO spammers are well aware of sitemap.xml’s abilities and use tools to assist in generating malicious sitemap files that direct search engine crawlers like Googlebot to prioritize their SEO spam content.

Indexing Unwanted Spam Content

This hacktool was found on a compromised website that had a SEO spam problem. Its only purpose is to generate a malicious sitemap.xml file so that the spam can be indexed.

...
$request_url = isset($_GET['url']) ? $_GET['url'] : '';
if (!empty($request_url))
{
    $sx_content .= "\n\t\t" . '<url>';
    $sx_content .= "\n\t\t\t" . '<loc>http://' . $_SERVER['SERVER_NAME'] . $url . '?' . $request_url . '</loc>';
    $sx_content .= "\n\t\t\t" . '<lastmod>' . date('Y-m-d') . '</lastmod>';
    $sx_content .= "\n\t\t\t" . '<changefreq>daily</changefreq>';
    $sx_content .= "\n\t\t\t" . '<priority>0.8</priority>';
    $sx_content .= "\n\t\t</url>";

}
else
{
    for ($j = 0;$j < 5000;$j++)
    {
        $str1 = random(8);
        $sx_content .= "\n\t\t" . '<url>';
        $sx_content .= "\n\t\t\t" . '<loc>http://' . $_SERVER['SERVER_NAME'] . $url . '?' . $str1 . ".html" . '</loc>';
        $sx_content .= "\n\t\t\t" . '<lastmod>' . date('Y-m-d') . '</lastmod>';
        $sx_content .= "\n\t\t\t" . '<changefreq>daily</changefreq>';
        $sx_content .= "\n\t\t\t" . '<priority>0.8</priority>';
        $sx_content .= "\n\t\t</url>";
    }
}
$sx_content .= "\n\t</urlset>";

$xr = fopen('sitemap_tea.xml', "w");
$xrr = fwrite($xr, $sx_content);

This PHP script found at ./shun-tea.php checks the incoming request to see whether it has a GET URL parameter with the name url. If this parameter exists in the incoming request and contains data, then its value is assigned to the $request_url variable.

If the $request_url variable exists, then the data provided in the GET request is used in the creation of the malicious sitemap. If absent, an eight-character string of text is instead randomly generated by the PHP and used for the $request_url variable.

Generating Spam URL Locations

The sitemap that is generated is named sitemap_tea.xml. This file contains the predefined sitemap XML text along with the SEO spam’s URL loc (location) that is randomly provided by the PHP script or through the attacker’s GET request.

The sitemap’s URL metadata also contains the current date as the lastmod time.

<?xml version="1.0" encoding="UTF-8"?>
    <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
        <url>
            <loc>hxxp://localhost/shun-tea.php?6jxwa9sf.html</loc>
            <lastmod>2020-06-01</lastmod>
            <changefreq>daily</changefreq>
            <priority>0.8</priority>
        </url>
        <url>
            <loc>hxxp://localhost/shun-tea.php?8egbvh6e.html</loc>
            <lastmod>2020-06-01</lastmod>
            <changefreq>daily</changefreq>
            <priority>0.8</priority>
        </url>
        <url>
            <loc>hxxp://localhost/shun-tea.php?bdhxzfdh.html</loc>
            <lastmod>2020-06-01</lastmod>
            <changefreq>daily</changefreq>
            <priority>0.8</priority>
        </url>
...

This file makes it incredibly simple for the attacker to generate massive amounts of outgoing links in their spam content to help boost SEO rankings to third-party sites.

Cleanup Instructions

Sites that have been infected with this hacktool can refer to the following steps to remove the infection.

  1. Find and remove the PHP file generating the sitemap*.xml with the SEO spam links.
  2. Check for any suspicious sitemaps in Google Webmasters.

After that, you can follow the mitigation steps found in our guide on how to clean a hacked website.

The best way to prevent unwanted (and off-topic) spam on your site is to mitigate risk in the first place. Practice strong password security, keep your components up to date, limit user access and permissions, and follow website security best practices.

If you need a hand removing SEO spam from a compromised website, we’re always happy to help.

FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Labs Note, Malware, SEO Spam

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.