The Latest in IT Security

Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

03 Jun 2011

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com and many other pharma-related domains (mostly located at 212.117.161.190 and 212.117.168.214).

The method is very simple: the attackers inject a single spam link into every post of the web site (generally WordPress). These are some of the links you will see on an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:


Some of these domains are being registered through GoDaddy by:

Administrative Contact:
York, Steve [email protected]
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.
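The following is an added example, not Sucuri's scanner and not code from the original post. Because the domain and anchor text change on every post, matching a single known domain misses most injections, so this check flags any off-site link whose host or whitespace-stripped anchor text hits a keyword; the keyword list, the function names and the `.example` sample post are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumed keyword list, taken from the anchor texts and domains quoted above.
KEYWORDS = ("cialis", "levitra", "viagra", "prescription", "pharm", "pills")
# Constructed sample: one internal link plus an injected, unclosed spam link.
SAMPLE = ('<p>See <a href="https://blog.example.org/about">about</a>.</p>'
          '<a href="http://cheap-rx.example/">Buy  Generic  Ci alis Onlin.')

class AnchorCollector(HTMLParser):
    """Collect (href, anchor text) pairs, tolerating <a> tags that never close."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def flush(self):
        if self._href is not None:
            self.links.append((self._href, "".join(self._text)))
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.flush()
            self._href = dict(attrs).get("href") or ""
    def handle_endtag(self, tag):
        if tag == "a":
            self.flush()
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

def squash(value):  # lowercase, letters/digits only: 'lev itra' -> 'levitra'
    return re.sub(r"[^a-z0-9]", "", value.lower())

def suspicious_links(post_html, site_host):
    """Return (host, anchor text) for off-site links that match a keyword."""
    parser = AnchorCollector()
    parser.feed(post_html)
    parser.close()  # delivers any buffered text
    parser.flush()  # records a trailing <a> that was never closed
    hits = []
    for href, text in parser.links:
        try:
            host = (urlsplit(href.strip()).hostname or "").lower()
        except ValueError:  # malformed URL: keep the raw value for review
            host = href.strip().lower()
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        if any(k in squash(host) or k in squash(text) for k in KEYWORDS):
            hits.append((host, text.strip()))
    return hits
```

Run it over each `post_content` value exported from the `wp_posts` table, passing your own lowercase hostname as `site_host`. Treat hits as triage for manual review, since a legitimate link that mentions one of the keywords will also match.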

If you need help cleaning up the mess, send us an email [email protected], or visit us over at Sucuri.

If you have any questions or comments, please let us know.
