The Latest in IT Security

Mass Compromise of Sites at gogvo.com – SEO Spam

05
Aug
2011


A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills which injects a ton of spammy pharma links all over compromised site (It infiltrates WordPress and attacks the wp-posts table).

So what’s that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, sometimes something else but similar. The seem to have changed tactics, now they are injecting links to an image directory, like:

<a href="http://qgas.co.uk/images/"> Buy Levitra Without Prescription</a>

If you click on any of the images, you are shown a pharma page:

In this specific case, all of sites are hosted at gogvo.com (in the 97.79.238.0/24 and 97.79.239.0/24 networks):

http://extremeaffiliatemarketing.com/images/

http://qgas.co.uk/images/

http://onenetcenter.com/images/

http://americanlandowners.com/images/

http://bikerchickz.ws/images/

http://24hourfsbo.com/images/

http://www.wichitabroadband.com/images/

http://marketing4profit.info/images/

http://affiliatemarketingsecretsvault.com/images/

http://jtc-enterprises.com/images/

http://bcbgdressdiscount.com/images/

http://bukitmerahyouth.org/images/

http://joanbeaulieu.com/images/

http://www.yaleaasa.org/images/

http://blogtorn.com/images/

http://igot-rippedoff.com/images/

http://www.aboutyourhealthyliving.com/images/

http://comunicar.org/images/

http://seeavision.com/images/

http://ebookcenters.com/images/

http://passionoflife.net/images/

http://autoresponder.mm-project.com/images/

http://arelysfranken.com/images/

http://beautifulsummermorning.com/images/

http://unitedretek.co.uk/images/

That’s just a few that we’ve found in the beginning of our analysis. As we started to check for more compromises, we found thousands of sites hosted at gogvo.com (in their gvo datacenter) that had spam in the images directory.

If you have a site hosted with gogvo.com, check it as soon as possible to make sure it is not hacked, and not being used by spammers.

If you have a WordPress site, also make sure it does not have those links injected in the database.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments