SPAM Hack Targets WordPress Core Install Directories

3 minute read

Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores?

We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used to hide fake stores and spam doorways. In every case, the attacker is leveraging one of the core install directories – wp-includes.

google-pharma

Abusing WP-INCLUDES with SPAM

By default, every WordPress installation comes with 3 main directories: /wp-content, /wp-admin and /wp-includes. Generally, /wp-includes is reserved for generic code and is the heart of WordPress where all major core files are stored. It’s a folder that doesn’t need to be remotely accessed and should not contain any externally accessible or executable HTML or PHP files.

Unfortunately, that is not what we’re seeing. Thousands of WordPress sites seem to have been hacked, and in each case SPAM has been injected into their core directory wp-includes. We have found it’s not specific to Pharmaceuticals either, it includes things like “Payday spam” and “cheap bags”, “cheap watches” and many other forms of SPAM content.

This type of spam injection has 3 main characteristics:

  1. The SPAM pages are hidden inside a random directory inside wp-includes (eg: /wp-includes/finance/paydayloan or /wp-includes/werty/)
  2. The spam is conditional and often based on the referrer
  3. We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel – this is obviously conjecture

Here is a small list of 100 WordPress hacked websites with SPAM injected in their wp-includes directories. All of them are publicly accessible by doing some Google searches:

http://www.immunomix.com/ITIpress/wp-includes/finance/paydayloan/payday-loans-instant.html
http://microwaveamps.co.uk/wp-includes/js/thickbox/lib/loans/payday-loans-in-london-uk.html
http://www.scifidimensions.com/wp-includes/finance/cashadvance/cash-advance-loan-lenders.html
http://www.beereading.com/wp-includes/finance/cashadvance/cash-advance-loans.html
http://vastema.com/wp-includes/cheap-hermes-lindy-bags-on-sale.html
http://www.antibabypillerezeptfrei.net/wp-includes/js/crop/advancement/helpers/blrmalaysiabank.html
http://todayscliche.com/wp-includes/palco.html
http://www.ethosindia.com/wp-includes/mambo.php?p=55
http://www.turnerforte.com/blog/wp-includes/finance/cashadvance/cash-advance-credit.html
http://www.ednapletonblog.com/wp-includes/werty/replica-36596.html
http://www.pettycustomhomes.com/wp-includes/cheap-kids-nba-jerseys-3167596.html
http://www.pondproshop.com/reference/wp-includes/catalog/services/vybe/vybe-band-reviews.html
http://firefly-path.net/wp-includes/pomo/qwe/4/Buy-Balenciaga-High-Quality-Replica-Clutches.php
http://wolfgangcapellari.com/wp-includes/pomo/rolex-imitation.html
http://byphandyman.com.au/wp-includes/people/replica-bvlgari-fake-watches.html
http://rumbaytimbal.com/wp-includes/reviews/
http://www.preservinggoodstock.com/wp-includes/louis-vuitton-bags-5641302.html
http://www.domagojkovacic.com/wp-includes/wholesale-jerseys-from-china-7479567.html
http://maciejkot.pl/wp-includes/detect.html
http://allinseopack.com/wp-includes/js/plupload/oscar-leeser-bio-i12.com
http://www.marinavendrell.com/wp-includes/store/diet/solpria/solpria-cleanse-reviews.html
http://missouriche.org/wp-includes/louisvuitton19.html
http://vastema.com/wp-includes/replica-hermes-birkin-25-cm.html
http://www.conemund.org/eng/wp-includes/replica.php
http://cri-technologies.com/wp-includes/pomo/mkheaf.php?psdjvwei=uplink%20dwd
http://www.giser.net/wp-includes/headt.php
http://chicksdigme.com/wp-includes-old/vanilla-sky-lyrics-owl-city-i0.com
http://jewelrypictures.org/wp-includes/js/imgareaselect/ghd-machine-i5.com
http://www.jobshopsf.com/wp/wp-includes/finance/autoloan/car-loan.html
http://www.ebrice.com/wp-includes/shop/health/tagaway/buy-tag-away-discount-price.html
http://amr-nadim.net/wp-includes/fake-hermes-clic-clac-bracelet–5621.html
http://jesicaglot.com.ar/wp-includes/news/replica-watches_14626.html
http://funaki.ens-serve.net/wp-includes/images/news/black-evening-dresses.html
http://linkarbeid.no/wp-includes/replica-celine-tas.html
http://www.iwillstandupforyou.com/wp-includes/nfljerseys-19244-6847676.html
http://www.viparenda.com.ua/wp-includes/pomo/index/shorewatches.htm
http://www.lelieuunique.com/site/wp-includes/wp-about.php?p=124-chaussure-christian-louboutin-pas-cher.html
http://redtouch.com.mt/wp-includes/news/oris-aquis-depth-gauge-replica-watch-hands-on.html
http://www.stridesforstars.com/wp-includes/rewrite/list.html
http://perfectgroup.se/wp-includes/replica/rolex
http://www.cowalrugby.co.uk/wp-includes.php
http://janmccraylaw.com/wp-includes/watches/replica-32802.html
http://bekarty.pl/wp-includes/be/cartier-swiss-replica.html
http://conceitorio.com.br/home/wp-includes/indo/rolex-airking.html
http://www.liftstudios.ca/wp-includes/images/arrows/lib/chanel/wallets/Chanel-Wallet-On-a-Chain-Replica.php
http://mag.amazing-kids.org/wp-includes/js/crop/lib/vuitton/LV-Bags/Louis-Vuitton-Overnight-Bags-Replica.php
http://atelier.aencre.org/wp-includes/js/thickbox/lib/louboutin/model/christian-louboutin-crystal-daffodil-pumps-replica.php
http://feo.nusta.com.ua/wp-includes/images/news/buswatches.htm
http://cafetaxa.dk/wp-includes/replica-watches-uk/
http://www.socialned.nl/wp-includes/php/tag/michael-kors-outlet-washington
http://podcasttennis.free.fr/wordpress/wp-includes/js/tinymce/themes/advanced/ejezuli/inig/
http://www.baypointmarina.com/wp-includes/brand/ralph-lauren-sleepwear.html
http://nsldigest.org/wp-includes/css/wp-pointer/Buy-Good-Replica-Louis-Vuitton-Shoes_25510.html
http://supportambitiongroup.com/wp-includes/css/download-free-porn-no-sign-up.php
http://icmcc.org/wp-includes/js/jcrop/gearshifter.php?dqq=506
http://w3f.pl/wp-includes/pomo/silagra-50-price.html
http://www.fedusa.org.za/wp-includes/js/tinymce/wp-mce-help.php
http://www.styleslicker.com/wp-includes/js/buytadalafil/index.php?page=4
http://nclarkplaning.co.uk/blog/wp-includes/Cardiovascular/ventolin-mdi-buy.html
http://www.cadillacpizzapub.com/livemusic/wp-includes/finance/creditscore/annual-credit-score.html
http://www.nagaloka.org/wp-includes/filesd/1137a750e374cebd95e7bfb4c05c60a0
http://www.immunomix.com/ITIpress/wp-includes/finance/creditreport/credit-report-and-score.html
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Replica/Louis-Vuitton-Replica-AAA.php
http://yogagals.com/wp-includes/bottega-veneta.html
http://www.baypointmarina.com/wp-includes/brand/ralph-lauren-bicester-village.html
http://nrca-railroad.com/wp-includes/js/crop/_notes/vuitton/LV-Outlets/Louis-Vuitton-Outlet-Store-in-Kansas-City-Missouri-MO.php
http://www.madeleineking.co.uk/wp-includes/the-wine-house-lichfield-i10.com
http://www.mecalfab.com/mecalfab1/wp-includes/discountstore/kitchen/ninjamegablender/mega-ninja-blender.html
http://oisa.org/trl/wp-includes/onlineshop/naturalproducts/powerprecision/buy-power-precision-lean-muscle-formula.html
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Replica/Louis-Vuitton-Replica-AAA.php
http://adamriemer.me/wp-includes/user/index.php?p=netflix-rentals-netflix-dvd-movie
http://adcaustintech.com/javaegl/wp-includes/user/index.php?p=netflix-shares
http://todomejora.org/wp-includes/js/crop/lib/loans/payday-loans-without-checking-account-requirements.html
http://www.thekookmovie.com/wp-includes/php
http://www.moorefinefoods.com/wp-includes/heads7.html
http://www.businsure.com.au/wp-includes/jordanretroretails.com.html
http://www.airjordanpaschererfr.com/
http://stoleti.cz/wp-includes/images/index.php
http://www.chriswind.net/wp-includes/nets1121.html
http://icmcc.org/wp-includes/js/jcrop/gearshifter.php?dqq=196
http://www.demalagana.es/wp-includes/jordan11spacejambox.com.html
http://www.iarld.com/wp-includes/sageron.html
http://www.maintenantlagauche.com/wp-includes/class-wp-login.php
http://www.thesinbin.ca/wp-includes/images/jordansbred-us.com.html
http://www.plantingdandelions.com/wp-includes/x-jordan.html
http://www.martaortells.com/wordpress/wp-includes/images/jordansinfrared.com.html
http://missouriche.org/wp-includes/nikefree11.html
http://www.accqtrak.com/WordPress/wp-includes/Text/Diff/Renderer/Year57.php
http://urbancampout.com/wp-includes/glass.php
http://kortshoes.nl/wp-includes/The/fake-replica-watches.html
http://wolfgangcapellari.com/wp-includes/pomo/rolex-imitation.html
http://vastema.com/wp-includes/buy-hermes-lindy-handbags-outlet.html
http://maciejkot.pl/wp-includes/detect.html
http://nrca-railroad.com/wp-includes/js/crop/_notes/vuitton/LV-Buy/Buy-Louis-Vuitton-in-Warsaw-Poland.php
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Cheap/Cheap-Louis-Vuitton-Luggage-Knock-Off.php
http://dibach.com/wp-includes/Text/Lifestyle/dating-lord-elgin-watches.php
http://www.iwillstandupforyou.com/wp-includes/real-gucci-belt-for-men-cheap-8163353.html
http://www.missouriche.org/wp-includes/index.html
http://www.lonestarlandscaping.biz/wp-includes/store/diet/greencoffee/where-can-i-buy-green-coffee-bean.html
http://www.andersonmontana.com/test/wp-includes/Text/Diff/Renderer/Filter17.php
http://www.cerbone.com/wp-includes/store/exercise/contourabs/contour-abs-reviews.html
http://www.smkgear.com/_wp/wp-includes/discountstore/home/solaramerica/solar-america-home-power-station.html

This is a very small sample. A quick search on Google using inurl:/wp-includes viagra levitra cialis reveals more than 13,000 pages. As you rotate out the SPAM keywords that number increases dramatically. You quickly start painting a pretty dire picture as you run more scans:

WordPress Wp-includes SPAM

If you find yourself with similar symptoms, we recommend replacing your core install or seeking professional help.

If you are a Do it Yourself’er (DIY’er) then be sure to manually replace the core installs. Don’t just select update in your administrator panel because doing so won’t remove the file and while it may address the issue on the surface, it won’t be getting to the bottom of the issue.

Conditional Redirections

The term Conditional should not be new to most of our readers, but if you’re new we recommend diving into our older posts to better understand how it works. A good place to start is our most recent post on redirects that were occurring only on mobile devices and targeting Porn websites.

If you click on any of these URL’s, you will see doorways for different types of spam. Some are just like the Google Pharmacy screenshot and some with real complex fake stores. However, if you are coming from a Google search, referrer = google.com, they will redirect you to the final SPAM destination.

And what is the final spam destination? These are the ones we have been able to isolate to date:


http://www.greboxs.com/


http://www.mkbagsesale.com/


http://www.shoebuy.com


http://www.top-online-pills.com/

We don’t know if they are really malicious or being used by affiliate spam, but they appear to be the final destination for all these spam pages.

How are these WordPress sites getting hacked?

While we don’t have definitive proof as we do not have control of these environments, each instance we have analyzed always show one common denominator – out of date software. We cannot stress the importance of patching your software via upgrades and if you can’t, be sure to leverage tools that allow you to operate safely on the web with your out of date software. The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts.

Spotlight on Women in Cybersecurity

less than 1 minute read

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into workin...

Hacked Website Trend Report – 2018

less than 1 minute read

We are proud to be releasing our latest Hacked Website Trend Report for 2018. This report is based on data collected and analyzed by the GoDaddy Security / ...