A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.
If you are not familiar with it, thousands of sites have been infected with basicpills which injects a ton of spammy pharma links all over compromised site (It infiltrates WordPress and attacks the wp-posts table).
So what’s that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, sometimes something else but similar. The seem to have changed tactics, now they are injecting links to an image directory, like:
<a href="http://qgas.co.uk/images/"> Buy Levitra Without Prescription</a>
If you click on any of the images, you are shown a pharma page:
In this specific case, all of sites are hosted at gogvo.com (in the 97.79.238.0/24 and 97.79.239.0/24 networks):
http://extremeaffiliatemarketing.com/images/
http://qgas.co.uk/images/
http://onenetcenter.com/images/
http://americanlandowners.com/images/
http://bikerchickz.ws/images/
http://24hourfsbo.com/images/
http://www.wichitabroadband.com/images/
http://marketing4profit.info/images/
http://affiliatemarketingsecretsvault.com/images/
http://jtc-enterprises.com/images/
http://bcbgdressdiscount.com/images/
http://bukitmerahyouth.org/images/
http://joanbeaulieu.com/images/
http://www.yaleaasa.org/images/
http://blogtorn.com/images/
http://igot-rippedoff.com/images/
http://www.aboutyourhealthyliving.com/images/
http://comunicar.org/images/
http://seeavision.com/images/
http://ebookcenters.com/images/
http://passionoflife.net/images/
http://autoresponder.mm-project.com/images/
http://arelysfranken.com/images/
http://beautifulsummermorning.com/images/
http://unitedretek.co.uk/images/
That’s just a few that we’ve found in the beginning of our analysis. As we started to check for more compromises, we found thousands of sites hosted at gogvo.com (in their gvo datacenter) that had spam in the images directory.
If you have a site hosted with gogvo.com, check it as soon as possible to make sure it is not hacked, and not being used by spammers.
If you have a WordPress site, also make sure it does not have those links injected in the database.
Leave a reply