WordPress attack inserts movie links in content

One of my favorite clients’ sites running WordPress was recently attacked by a bug that inserts links to “movie downloads” and “DVDs” all over the place in her content with “display:hidden”.

The site links to sites that are also under attack, and when the bug is running correctly on those sites, the sites redirect the hits to the final destination, which is http://www.zml.com/

I don’t know if zml.com knows this is happening.  I mean I suppose it’s possible that some unscrupulous SEO or Marketing guy promised them traffic and then resorted to this to get it.  I’m contacting them now to inform them of this uncool practice being committed on their behalf, and if they are not willing to cooperate on putting an end to it, I will have no choice but to give them some negative attention.

The process of extracting the bad links from the content was long and hard since the strings of code inserted were very inconsistent.
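
One way to make that cleanup less manual, shown as an added example (not code from the original post): a Python pass that parses a post body, drops any element hidden by an inline style together with everything inside it, and reports the link targets it removed. It assumes the injected markup hides itself with an inline style attribute; the sample content and the .example hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Hiding styles; "display:hidden" is invalid CSS but is the value the post quotes.
HIDING = re.compile(r"display\s*:\s*(none|hidden)|visibility\s*:\s*hidden", re.I)
VOID = {"br", "img", "hr", "input", "wbr"}  # tags that never get a closing tag

class HiddenLinkStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self.stack = [], [], []
    def _emit(self, text):
        if not self.stack:  # keep only what lies outside a hidden subtree
            self.out.append(text)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.stack or HIDING.search(a.get("style") or ""):
            if tag == "a" and a.get("href"):
                self.removed.append(a["href"])  # keep for review
            if tag not in VOID:
                self.stack.append(tag)
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        if not HIDING.search(dict(attrs).get("style") or ""):
            self._emit(self.get_starttag_text())
    def handle_endtag(self, tag):
        if not self.stack:
            self.out.append(f"</{tag}>")
        elif tag in self.stack:  # pop to the match, tolerating unclosed children
            while self.stack.pop() != tag:
                pass
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")

def strip_hidden_links(content):
    """Return (cleaned_content, hrefs_removed) for one post body."""
    parser = HiddenLinkStripper()
    parser.feed(content)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample post body (not taken from the affected site).
SAMPLE = ('<p>Our spring show opens Friday &amp; runs all month.</p>'
          '<div style="display:none"><p>free <a href="http://victim-one.example/?p=12">movie downloads</a><br></div>'
          '<span STYLE="Visibility : hidden"><a href="http://victim-two.example/dvd">DVDs</a></span>'
          '<!--more--><p>See the <a href="/gallery">gallery</a>.</p>')
```

Run it against a database export or backup first and read through the removed hrefs before writing any cleaned content back.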

The following is a list of the sites being linked thru, which I assume are all victims of this malware.  If you own one of these sites, feel free to drop me a line and I will point you in the right direction as far as putting an end to this.


Message to ZML:

Hello,

I am a developer and recently one of my clients who is running WordPress for her personal website was attacked by some Malware that inserted thousands of links throughout her content. Those links resolve to your site, but via redirects thru other sites that I assume are also victims of the malware.

You look like you’ve built a pretty nice site here. And I’m writing to give you the chance to get on board with fixing this problem before I am forced to create some negative attention in the blogosphere and social media.

It doesn’t seem like you would want to be responsible for malware. But it also doesn’t seem like anyone would go through the trouble to make all these links back to you unless you were paying them. Perhaps you hired some marketing or SEO people and were not aware that they would be using these tactics? Please write back soon as I have very little patience for this kind of thing.

Thanks,

Andrew A. Peterson


Some samples of weird code that the bot inserted:

<wp:tag><wp:tag_slug>%d0%b0%d0%b2%d1%82%d0%be%d1%80%d1%81%d0%ba%d0%b8%d0%b5-%d0%bf%d1%80%d0%be%d0%b3%d1%80%d0%b0%d0%bc%d0%bc%d1%8b</wp:tag_slug><wp:tag_name><![CDATA[????????? ?????????]]></wp:tag_name></wp:tag>

<wp:tag><wp:tag_slug>%d1%81%d0%b2%d0%be%d0%b1%d0%be%d0%b4%d0%bd%d1%8b%d0%b9-%d0%bc%d0%b8%d0%ba%d1%80%d0%be%d1%84%d0%be%d0%bd</wp:tag_slug><wp:tag_name><![CDATA[????????? ????????]]></wp:tag_name></wp:tag>