WordPress sites hacked via TimThumb used for black hat SEO in Google Images • WordPress Help

According to the Unmask Parasites blog, over 4,000 hacked WordPress sites are reportedly flooding Google Images with images used to rank fake antivirus sites.

What these undesirables do, running black hat SEO by means of the TimThumb exploit I warned about, is the following:

The pages use the following URL pattern: hxxp://<hacked-site>/?[a-f]{3}=<keywords>, where [a-f]{3} is a combination of three letters from "a" to "f" and <keywords> are hyphen-separated keyword combinations that mix words such as "images" or "image" with ordinary words, for example:

hxxp://example.com/?fef=images-of-mitzi-mueller-wrestling
hxxp://example.net/?cda=image-tropical-fruits-index
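
A site owner can check their own access logs for requests that follow this URL pattern. The Python sketch below is an added example, not code from the original post or from Unmask Parasites; it assumes Apache/nginx "combined" log lines and that the requests hit the site root with a single parameter, as in the two sample URLs above. The function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request target and status code from a "combined" format log entry.
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
KEY_RE = re.compile(r'[a-f]{3}')                   # three letters from "a" to "f"
SLUG_RE = re.compile(r'[a-z0-9]+(?:-[a-z0-9]+)+')  # hyphen-separated keywords


def doorway_hits(lines):
    """Map each suspicious three-letter key to the keyword slugs seen with it."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a GET/HEAD request line we can parse
        url = urlsplit(m.group("target"))
        params = parse_qsl(url.query, keep_blank_values=True)
        # Assumption taken from the sample URLs: site root, exactly one parameter.
        if url.path != "/" or len(params) != 1:
            continue
        key, value = params[0]
        if KEY_RE.fullmatch(key) and SLUG_RE.fullmatch(value.lower()):
            hits[key].add(value)
    return dict(hits)


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:00 +0000] "GET /?fef=images-of-mitzi-mueller-wrestling HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2012:10:00:05 +0000] "GET /?cda=image-tropical-fruits-index HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2012:10:01:00 +0000] "GET /?p=123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2012:10:01:30 +0000] "GET /?cat=news-and-updates HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2012:10:02:00 +0000] "GET /wp-content/?abc=some-key-words HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, slugs in sorted(doorway_hits(SAMPLE_LOG).items()):
        print(key, sorted(slugs))
```

A clean WordPress install answers an unknown query parameter at the root with its normal home page, so a match only shows that such URLs are being requested. Many distinct keyword slugs across these three-letter keys is the stronger sign that the pages have been indexed and the templates need inspecting.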

For this purpose they use backdoor pages that they insert into the normal templates of WordPress sites, where the original content is replaced with about twenty thumbnails and small blocks of text related to the keywords to be ranked.

The images are not linked from external sites but link to "full size" images with URLs like these:

for example:

The top of each image shows a stamp: the domain name of the hacked site. In this way the undesirables make it seem that the images belong to the site they have hacked, as if they were its own content rather than inserted or stolen images. At the same time, this makes it easier to identify the poisoned images in the search results.

The image files contain the following string inside: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100". This means that they were created using the GD graphics library.

It seems that the hackers use a PHP script to take well-ranked images (in Google Images search results), resize them to thumbnail size (a width of between 200 and 300 pixels) and to full size (some at a random size, in some cases even larger than the original, so that they rank better because they are larger in pixels), and finally add the stamp with the hacked domain name.


At the bottom of the HTML code of the backdoor pages you can see comments like these:

The timestamp and the keywords. This way you can easily see when the backdoor page was created.


The backdoor pages rank well for some keywords in both Google web search and Image search (especially when you search for the exact phrase). However, malicious redirects occur only when you click on the search result in Google Images, which proves that the ultimate goal is to flood Google Images with these images; that is, a black-hat SEO campaign, pure and simple.

The redirection has two stages. In the first one the redirection goes to an intermediate server (TDS) that then redirects to some web pages that launch a fake antivirus tool (there are two different variations).

This is a real redirect string: