wordpress attack inserts movie links in content

One of my favorite clients’ sites running WordPress was recently attacked by a bug that inserts links to “movie downloads” and “DVDs” all over the place in her content with “display:hidden”

The site links to sites who are also under attack and when the bug is running correctly on those sites, the sites redirect the hits to the final destination,

which is http://www.zml.com/

I don’t know if zml.com knows this is happening.  I mean I suppose it’s possible that some unscrupulous SEO or Marketing guy promised them traffic and then resorted to this to get it.  I’m contacting them now to inform them of this uncool practice being committed on their behalf, and if they are not willing to cooperate on putting an end to it, I will have no choice but to give them some negative attention.

The process of extracting the bad links from the content was long and hard since the strings of code inserted were very inconsistent.

The following is a list of the sites being linked thru, which I assume are all victims of this malware.  If you own one of these sites, feel free to drop me a line and I will point you in the right direction as far as putting an end to this.

  • http://blog.segd.org
  • http://www.investorsunited.com
  • http://www.oca-gla.org
  • http://www.thunderstruck.org
  • http://subway.com
  • http://verdadeabsoluta.net
  • http://yourrnc.com
  • http://wordpressthemesbox.com
  • http://mp3db.org
  • http://webconsultingdc.com
  • http://turtlesurvival.org
  • http://turtleconservationfund.org
  • http://truenorthbrass.com
  • http://tarabooks.com
  • http://kolenalaila.com
  • http://techbostonacademy.org
  • http://pie-flex.com
  • http://www.philebrity.tv
  • http://www.landmarkwine.com
  • http://artsinbushwick.org
  • http://brettmartin.org
  • http://bsf.org
  • http://www.popandpolitics.com
  • http://womanhonorthyself.com
  • http://www.brainstorm9.com
  • http://webdev.entheosweb.com
  • http://www.topicus-healthcare.com
  • http://www.vfilings.com
  • http://constantinessword.com
  • http://www.dopiska.com
  • http://writingcenters.org
  • http://www.radisson.com
  • http://notjustaprettyface.org
  • http://www.arizonacriminaldefenseblog.com
  • http://www.sembrarpaz.com
  • http://www.apostilla.com
  • http://www.geektechs.net
  • http://johnquiggin.com
  • http://blog.pdma.org
  • http://bluesheaven.com

Message to ZML:


I am a developer and recently one of my clients who is running WordPress for her personal website was attacked by some Malware that inserted thousands of links throughout her content. Those links resolve to your site, but via redirects thru other sites that I assume are also victims of the malware.

You look like you’ve built a pretty nice site here. And I’m writing to give you the chance to get on board with fixing this problem before I am forced to create some negative attention in the blogosphere and social media.

It doesn’t seem like you would want to be resposible for malware. But it also doesn’t seem like anyone would go through the trouble to make all these links back to you unless you were paying them. Perhaps you hired some marketing or SEO people and were not aware that they would be using these tactics? Please write back soon as I have very little patience for this kind of thing.


Andrew A. Peterson

<wp:tag><wp:tag_slug>%d0%b0%d0%b2%d1%82%d0%be%d1%80%d1%81%d0%ba%d0%b8%d0%b5-%d0%bf%d1%80%d0%be%d0%b3%d1%80%d0%b0%d0%bc%d0%bc%d1%8b</wp:tag_slug><wp:tag_name><![CDATA[????????? ?????????]]></wp:tag_name></wp:tag>
<wp:tag><wp:tag_slug>%d1%81%d0%b2%d0%be%d0%b1%d0%be%d0%b4%d0%bd%d1%8b%d0%b9-%d0%bc%d0%b8%d0%ba%d1%80%d0%be%d1%84%d0%be%d0%bd</wp:tag_slug><wp:tag_name><![CDATA[????????? ????????]]></wp:tag_name></wp:tag>

Some samples of weird code that the bot inserted:

<wp:tag><wp:tag_slug>%d0%b0%d0%b2%d1%82%d0%be%d1%80%d1%81%d0%ba%d0%b8%d0%b5-%d0%bf%d1%80%d0%be%d0%b3%d1%80%d0%b0%d0%bc%d0%bc%d1%8b</wp:tag_slug><wp:tag_name><![CDATA[????????? ?????????]]></wp:tag_name></wp:tag>

<wp:tag><wp:tag_slug>%d1%81%d0%b2%d0%be%d0%b1%d0%be%d0%b4%d0%bd%d1%8b%d0%b9-%d0%bc%d0%b8%d0%ba%d1%80%d0%be%d1%84%d0%be%d0%bd</wp:tag_slug><wp:tag_name><![CDATA[????????? ????????]]></wp:tag_name></wp:tag>


If you found this information helpful, please consider making a donation. No amount is too small.

Bitcoin Donation Address:

6 Replies to “wordpress attack inserts movie links in content”

  1. Hi

    I have a Joomla based client that this is happening to, with around 600 links being placed at the bottom of any file that is index.html or index.php. This keeps happening most evenings and is breaking the site each time.

    I followed these links through (by looking at code, not by clicking on them) and ended up at ZML.com. After researching ZML.com, they seem like the kind of company that know full well what’s going on and won’t be stopping unless someone takes action.

    Whatever I do, I can’t seem to stop these links from being added. Do you have any advice on how to stop this? How are they getting in? I’ve tried the obvious things and changed the host ftp password, but they got back in after a few days. The only thing I can think of is that there is some malicious code somewhere on the site that is being triggered by a user action.

    Any help would be much appreciated.

  2. Actually I’ve just noticed that the link to ZML.com appears to be an affiliate link, so ZML.com themselves might not be to blame for this, although I would still stay away from them.

  3. Steve,
    Very perceptive.
    Yes, the same with my client, ZML and others weren’t the direct link, but a link to a 3rd site then is also hacked to redirect to ZML etc.

    I’m emailing you privately and we can talk and perhaps I can help you, at least as far as finding the malware and getting rid of it.

  4. Hi Andrew
    Thanks for the reply.
    I’ve only just seen your email – it went into my junk folder for some reason. I’ll reply if this problem doesn’t get solved soon.

    I discovered that it was a server wide breach, as all the other PHP/HTML based sites on the same shared host server were also infected with these links. Unfortunately I have little control over the shared host (apart from ftp/cpanel access to my client’s site) and, due to various ridiculous complications that I won’t go into, the web hosts won’t give me any support.

    As a result I’m in the process of moving away from this particular host, which was the plan all along anyway. Hopefully this will resolve the issue, although I have a fair amount of file cleaning to do – I’ve already removed a nasty SSH shell access script by using virus removal in cPanel.

    So, if anyone else is reading this with the same problem on shared hosting, make sure you check other websites on the same IP (using a reverse DNS lookup) and find out if the whole server has been affected. If so, contact your web hosts for support immediately.

  5. Steve,
    Thanks for responding.

    It’s definitely my experience that certain hosting providers are more prone to attacks than others. I’ve recently seen a lot of trouble at Network Solutions. Prior to that, I have seen a lot of issues with shared hosting at IX Web Hosting. My favorite hosting provider is currently BlueHost. They have top-notch support staff.

    After cleaning files:

    double and triple check file permissions. Should be 755 and 644 (for folders and files respectively).
    If you can avoid using the default database table prefix, change that (in wordpresss, it’s wp_)
    If there’s a default username, don’t use it (in wordpress, the first user is named admin)
    Change all passwords. No dictionary words, at least one upper and one lower case letter. At least one number.

    Just a few other post-attack chores.

  6. Thanks Andrew
    It’s so time consuming!
    In my case, Joomla provide a pretty good post hack security checklist also …

    In my limited experience of webhosts other than my main one (I personally use HeartInterent in the UK and have not had any problems with them) I have found that hosts who put too much security on shared hosting are shooting themselves in the foot because users change all their file permissions to 777 just to get their site working properly without knowing the consequences of doing so.
    The good hosts are the ones that find a good balance between security and allowing their users a little freedom to enable their chosen CMS/scripts to function without too much hassle.

Leave a Reply

Your email address will not be published. Required fields are marked *