Fake WordPress Installs and Sunglasses Spam

Spammers are constantly looking for ways make use of resources of hacked sites in their black hat SEO schemes. In most cases, spam injections and doorway script are quite hard to detect but in this example attackers didn’t worry much about that aspect.

The technique consists of abusing server resources (storage and database) by installing spammy WordPress sites (Oakley and Ray Ban spam in our case) in subdirectories of the original site and providing additional scripts to automate WordPress management (they probably don’t know about the XML-RPC API).

During our investigation, we identified common patterns between different infected websites with this type of injection.

• 1. The attackers added 2 directories in the root (./oakleyer and ./raybaner) with WordPress installations (v4.0.12)
• 2. Attackers took the database credentials from the original site’s wp-config.php, and used different table prefixes for the spammy WordPress sub-sites.
• 3. There were also four specific files that helped automate blog management in both ./oakleyer/wp-admin and ./raybaner/wp-admin:
  • etchk.php – verifies if there is a post in the database with a given title.
  • etpost.php – creates or updates spam posts in the database.
  • etreply.php – posts comments.
  • map.php – creates sitemaps for the SPAM sub-sites.

If you see unrelated search queries in Google Search Console or the [site:you-site-domain-here.com cheap] search returns pages that don’t belong to your site, it’s a strong indication of a SEO hack.

In this case, it was easy to notice the malicious directories in the site root. You still need to regularly log in and visually inspect the directory structure. A more reliable approach is integrity monitoring of your server file structure or whole security monitoring solutions.