
How cybercriminals use WordPress to run blackhat SEO casino spam

Cybercriminals are increasingly targeting WordPress sites (including Hostinger-hosted installs) to inject online-casino spam and artificially boost search engine rankings. This malicious campaign is now one of the most common types of SEO spam: attackers inject links and cloaked landing pages, hijack legitimate pages, and use multi-layer persistence so a single cleanup often fails.

Below I summarize the attack techniques Sucuri researchers documented, explain how to detect them, and give step-by-step cleanup and hardening actions you can apply to your WordPress site.


What attackers are doing (brief)

  • Primary payloads promote online casinos—content tailored to international markets where gambling is regulated or restricted.
  • Hijacked pages / duplicate directories: attackers create bogus directories whose names match the slugs of legitimate pages. The stock WordPress rewrite rules only hand a request to index.php when no matching file or directory exists on disk (the !-f / !-d conditions), so Apache/Nginx serve the bogus directory's index file directly and the spam landing page replaces the real page for visitors and search engines alike.
  • Multi-layer persistence: malicious code is planted in theme files (e.g., functions.php), plugin files, and — more stealthily — inside the WordPress database as option values with deceptive names (for example: wp_footers_logic).
  • Cloaking & dynamic fetching: the payload can be base64-encoded in the DB, decoded and executed with eval(); if eval() is unavailable the malware can write to cache files such as wp-content/cache/style.dat then monitor requests for specific URL patterns and fetch spam content from attacker domains (e.g., browsec[.]xyz).
  • Reinfection loops: reinfection code searches for markers and, if missing, re-appends the payload to functions.php and to the primary file of the first active plugin.

Signs your site might be infected

  • Unexpected redirects to casino or gambling sites for certain URLs.
  • Duplicate folders or files with suspicious names at the root or inside theme/plugin directories.
  • Strange options in the database (odd option names like wp_footers_logic) containing base64 text.
  • Unusual eval() calls or base64 decoding code inside functions.php or plugin files.
  • New cache files such as wp-content/cache/style.dat that you did not create.
  • Search results showing spammy pages for your domain.
  • Periodic reappearance of spam after cleanup.

Immediate triage — what to do first (do these in order)

  1. Take a forensic snapshot / backup. Make a full file + database backup (download off the server) before making changes. This preserves evidence for later inspection.
  2. Put the site into maintenance mode or temporarily disable public access (if possible) to stop visitors from being redirected.
  3. Change all access credentials: WordPress admin accounts, FTP/SFTP, Hostinger panel, database passwords. Force reset admin users.
  4. Notify your host (Hostinger): they can help with server-level logs and may offer cleanup support.
  5. Scan with a reputable scanner: use Sucuri SiteCheck, malware scanners (Wordfence, MalCare), and your host’s tools to get an initial view.

Manual detection checklist (quick commands and queries)

Work on a copy, not the live production files, unless you must. Always backup.

Search for suspicious code in files:

# look for eval, base64_decode, or suspicious option names
grep -R --line-number -E "eval\(|base64_decode|wp_footers_logic|browsec" .

Search for base64 blobs (expect noise from minified JS and binary assets; the runs worth inspecting are those inside .php files or under wp-content/cache):

grep -R --line-number -E "[A-Za-z0-9+/]{100,}={0,2}" .

Check wp_options for odd option names:

SELECT option_id, option_name, LENGTH(option_value) AS val_len
FROM wp_options
WHERE option_name LIKE '%footer%'
   OR option_value LIKE '%browsec%'
   OR option_value LIKE '%base64%'
   OR LENGTH(option_value) > 10000
ORDER BY val_len DESC;

A base64-encoded payload does not contain the literal string "base64", so the substring clauses only catch loaders that decode it; the size clause surfaces the blob itself. Rows such as rewrite_rules, theme_mods_* and _transient_* are legitimately large, anything else that big deserves a look.

Look for unexpected cache files:

ls -la wp-content/cache/

Examine functions.php and plugin main files for appended code at the bottom.
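The checklist above, as an added example that is not part of Sucuri's write-up or of WordPress itself: a read-only POSIX shell scanner that looks for the three things the campaign leaves behind (decode-and-execute chains in PHP files, long base64 runs in PHP files and under wp-content/cache, and top-level directories that shadow published page slugs). It assumes find, grep and awk are available and that the caller supplies the document root and the site's page slugs (for instance from `wp post list --post_type=page --field=post_name`). The marker names (wp_footers_logic, browsec, style.dat) are the ones from the article; the tree built by make_sample_docroot is constructed test data, not a real infection.

```sh
#!/bin/sh
# Added example (not Sucuri's or WordPress's code). Read-only triage scan for
# the casino-spam markers; assumes POSIX sh + find/grep/awk.

# PHP files containing an unpack-and-execute chain or a known marker. Core and
# some plugins call base64_decode legitimately, so hits are leads, not verdicts.
find_exec_markers() {
    docroot=$1
    find "$docroot" -type f -name '*.php' \
        -exec grep -n -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|wp_footers_logic|browsec' /dev/null {} + \
        2>/dev/null || true
}

# Files carrying a long base64 run: PHP files anywhere, plus anything under
# wp-content/cache, where the style.dat fallback payload was written.
find_base64_blobs() {
    docroot=$1
    find "$docroot" -type f \( -name '*.php' -o -path '*/wp-content/cache/*' \) \
        -exec grep -l -E '[A-Za-z0-9+/]{200,}={0,2}' /dev/null {} + 2>/dev/null || true
}

# Top-level directories whose name equals a published page slug. WordPress
# never creates these; the web server serves a real directory before the
# rewrite rules reach index.php, so such a directory hijacks the page.
find_slug_collisions() {
    docroot=$1
    shift
    for slug in "$@"; do
        case "$slug" in wp-admin|wp-content|wp-includes) continue ;; esac
        if [ -d "$docroot/$slug" ]; then
            echo "COLLISION: $docroot/$slug shadows page /$slug/"
        fi
    done
}

# Run all checks and print a report. Usage: scan_wp /var/www/html about-us contact
scan_wp() {
    docroot=$1
    shift
    echo "== exec markers";    find_exec_markers "$docroot"
    echo "== base64 blobs";    find_base64_blobs "$docroot"
    echo "== slug collisions"; find_slug_collisions "$docroot" "$@"
}

# Constructed fixture: one planted loader in functions.php, one cache payload,
# one bogus directory shadowing /about-us/, and one clean plugin file.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/cache" \
             "$d/wp-content/themes/demo" "$d/wp-content/plugins/akismet" "$d/about-us"
    printf '<?php\n// clean plugin header\nadd_action("init", "akismet_init");\n' \
        > "$d/wp-content/plugins/akismet/akismet.php"
    printf '<?php\n// theme code\nadd_theme_support("title-tag");\n$x = get_option("wp_footers_logic");\neval(base64_decode($x));\n' \
        > "$d/wp-content/themes/demo/functions.php"
    awk 'BEGIN { for (i = 0; i < 240; i++) printf "Q"; printf "\n" }' \
        > "$d/wp-content/cache/style.dat"
    printf '<html>casino landing page</html>\n' > "$d/about-us/index.html"
    echo "$d"
}

# `sh wp-scan.sh --demo` runs the scan against the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_docroot)
    scan_wp "$sample" about-us contact
    rm -rf "$sample"
fi
```

The slug-collision check is the one a file-based scanner misses: the directory may contain only an innocuous index.html, yet it still replaces the page because the web server never asks WordPress. Feed it the full list of published slugs, not just the ones you noticed in search results.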


How to remove the infection (step-by-step)

  1. Put the site in maintenance/offline.
  2. Restore from a known-clean backup if you have one that predates the infection. This is the fastest, safest option if available.
  3. If no clean backup exists, follow the manual cleanup steps:
    A. Files
    • Inspect and clean or replace functions.php in the active theme. Remove any obfuscated code, base64 decoding, or eval() calls.
    • Replace suspect plugin/theme files with fresh copies from official repositories.
    • Remove any unfamiliar duplicate directories at document root (but be cautious — if you’re unsure, move suspicious directories to a quarantine folder rather than deleting immediately).
    • Remove cache files the malware created (e.g., wp-content/cache/style.dat).
    B. Database
    • Search wp_options for suspicious option names (wp_footers_logic or other odd entries). Export those option rows, review, and delete or nullify suspicious option values.
    • Example SQL to find suspicious options:

SELECT option_name, LEFT(option_value,200) FROM wp_options WHERE option_name LIKE '%foot%' OR option_value LIKE '%eval(%' OR option_value LIKE '%base64_%';

    • Remove entries only after backing them up.
    C. Plugins
    • Deactivate all plugins, then reactivate them one-by-one after verification. Focus on the first active plugin—attackers often plant code there.
    • Replace plugin files with fresh originals from WordPress.org or vendor sources.
    D. Hard-coded reinfection code
    • Look for scripts that periodically reinsert payloads. Search for patterns like file_put_contents, fopen, eval, base64_decode, or unusual preg_replace uses.
    • Remove or replace those files and the functions they insert.
    E. Clean site URLs and redirects
    • Check .htaccess and Nginx config for rewrite rules the attacker may have added.
    • Remove unexpected rewrite rules and verify WordPress permalinks.
  4. Change all passwords again after cleanup (WP admin, FTP, DB, host panel).
  5. Re-scan the site after cleanup. Repeat cleanup if anything remains.
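Two of the file-level steps above (replace suspect theme/plugin files with fresh originals, and quarantine rather than delete unfamiliar directories) as an added example that is not part of Sucuri's write-up: diff_against_pristine compares a live theme or plugin directory with a fresh copy downloaded from WordPress.org, and quarantine moves a suspicious path into a timestamped directory outside the docroot after recording a SHA-256 of every file in a manifest, so the evidence survives for later review. It assumes POSIX sh with find, mv, diff and sha256sum (or shasum on macOS); the file names in make_sample_site, including wp-init.php, are constructed test data.

```sh
#!/bin/sh
# Added example (not Sucuri's or WordPress's code). Evidence-preserving
# eviction helpers; the quarantine directory must live outside the docroot.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Compare a live theme/plugin directory with a pristine copy from WordPress.org
# or the vendor. "Only in <live>" lines are dropped-in files; "differ" lines
# are modified originals. Both are candidates for quarantine or replacement.
diff_against_pristine() {
    pristine=$1
    live=$2
    diff -rq "$pristine" "$live" || true
}

# Move a path (given relative to the docroot) into QDIR/<timestamp>/<path>
# instead of deleting it. Hashes are written to the manifest before the move
# so the quarantined copy can be checked for tampering later. Prints the
# destination path.
quarantine() {
    docroot=$1
    qdir=$2
    rel=$3
    src="$docroot/$rel"
    [ -e "$src" ] || { echo "quarantine: $src does not exist" >&2; return 1; }
    stamp=$(date +%Y%m%dT%H%M%S)
    dest="$qdir/$stamp/$rel"
    mkdir -p "$(dirname "$dest")"
    find "$src" -type f | while IFS= read -r f; do sha256_of "$f"; done >> "$qdir/manifest.txt"
    mv "$src" "$dest"
    echo "$stamp moved $rel -> $dest" >> "$qdir/manifest.txt"
    echo "$dest"
}

# Constructed fixture: a pristine theme copy, a live copy with an appended
# loader and one dropped-in file, and a bogus /about-us/ directory.
make_sample_site() {
    base=$(mktemp -d)
    mkdir -p "$base/docroot/wp-content/themes/demo" "$base/pristine/demo" \
             "$base/quarantine" "$base/docroot/about-us"
    printf '<?php\nadd_theme_support("title-tag");\n' > "$base/pristine/demo/functions.php"
    printf '<?php\nadd_theme_support("title-tag");\neval(base64_decode(get_option("wp_footers_logic")));\n' \
        > "$base/docroot/wp-content/themes/demo/functions.php"
    printf '<?php\n// constructed stand-in for a dropped-in reinfection loader\n' \
        > "$base/docroot/wp-content/themes/demo/wp-init.php"
    printf '<html>casino</html>\n' > "$base/docroot/about-us/index.html"
    echo "$base"
}

# Usage: . ./wp-evict.sh
#        diff_against_pristine /tmp/twentytwentyfour /var/www/html/wp-content/themes/twentytwentyfour
#        quarantine /var/www/html /var/quarantine about-us
```

Run diff_against_pristine against every active theme and plugin, not only the first active plugin; the reinfection routine targets that one, but the operator may have seeded others by hand. Keep the manifest with the forensic backup from the triage step.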

Hardening — prevent reinfection

  • Keep WordPress, themes, and plugins updated.
  • Remove unused themes/plugins (attackers exploit abandoned code).
  • Limit file permissions (avoid 777; set correct ownership).
  • Use strong admin credentials and 2FA for all admin users.
  • Install a Web Application Firewall (WAF) — Sucuri, Cloudflare, or Hostinger’s recommended WAF.
  • Use file integrity monitoring and alerts (plugins or server-side tools).
  • Do not count on disabling eval(): it is a PHP language construct, not a function, so disable_functions cannot switch it off, and the style.dat fallback exists precisely for hosts that block it by other means. Treat any eval() in theme or plugin code as suspect, and include the usual unpackers (base64_decode, gzinflate, str_rot13) in your file integrity alerts.
  • Harden the database: restrict direct access, use unique table prefixes, monitor wp_options.
  • Regular backups: automated, versioned, stored off-server.
  • Server configuration: keep directory listing off (Options -Indexes), confirm the rewrite rules in .htaccess or the Nginx server block are the stock WordPress ones, and alert on any new top-level directory in the document root, since the page-hijack technique depends on one; make sure your host applies kernel/OS security patches.
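The permission and uploads points from the hardening list above, as an added example that is not part of Sucuri's write-up: a POSIX shell audit that lists world-writable paths (the "777" case) and PHP files under wp-content/uploads, checks that wp-config.php is owner-only, resets permissions to the 755/644/600 baseline, and writes an Apache 2.4 .htaccess that refuses to execute PHP in the uploads tree. It assumes find, ls and chmod; the .htaccess only takes effect where AllowOverride permits it (Nginx users need a matching location block instead). The tree built by make_sample_docroot, including shell.php, is constructed test data.

```sh
#!/bin/sh
# Added example (not Sucuri's or WordPress's code). Post-cleanup hardening
# audit; assumes POSIX sh with find/ls/chmod and Apache 2.4 for the .htaccess.

# World-writable files or directories anywhere under the docroot. An empty
# result is the goal.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print 2>/dev/null || true
}

# Uploads should hold media only, so any .php there is a dropped file or a
# misplaced plugin; either way it must not be executable from the web.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null || true
}

# wp-config.php holds the DB credentials and salts. Returns 0 when neither
# group nor other has any permission (600/400); relax to 640 only if PHP runs
# as a separate user that is in the owner's group.
check_wpconfig_mode() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    mode=$(ls -l "$cfg" | cut -c5-10)   # group+other permission characters
    [ "$mode" = "------" ]
}

# Standard WordPress baseline: directories 755, files 644, wp-config.php 600.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Refuse to execute PHP under uploads at the web-server layer (Apache 2.4
# syntax; needs AllowOverride). Nginx equivalent in the server block:
#   location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
write_uploads_htaccess() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
# Block direct execution of PHP in the uploads tree
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed fixture: a 644 wp-config.php, a 777 theme file, a PHP file
# planted in uploads next to a harmless image.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/05" "$d/wp-content/themes/demo"
    printf '<?php\n// constructed placeholder config\n' > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    printf '<?php\n// constructed stand-in for a dropped file\n' > "$d/wp-content/uploads/2024/05/shell.php"
    printf 'image bytes\n' > "$d/wp-content/uploads/2024/05/photo.jpg"
    printf '<?php\n' > "$d/wp-content/themes/demo/functions.php"
    chmod 777 "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}

# Usage: . ./wp-harden.sh; find_world_writable /var/www/html; fix_permissions /var/www/html
```

Run the two find_* checks before and after fix_permissions: the first run tells you what the attacker could write to, the second confirms the baseline stuck. Shared hosts that run PHP as the file owner work fine with this baseline; if your host uses a separate web-server user, keep 600 on wp-config.php and ask the host which group needs read access.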

Indicators of Compromise (IoCs) to search for quickly

  • Option names like wp_footers_logic or other suspicious option rows.
  • Files containing base64_decode(…) followed by eval(…).
  • wp-content/cache/style.dat or similarly named cache files containing encoded payloads.
  • Redirects to domains such as browsec[.]xyz (or other attacker-controlled domains).
  • Duplicate directories named identically to legitimate pages.

Example cleanup commands (illustrative)

# Backup current site
tar -czf site-backup-$(date +%F).tar.gz /path/to/wordpress
mysqldump -u dbuser -p dbname > db-backup-$(date +%F).sql

# Search for suspicious code
grep -R --line-number -E "eval\(|base64_decode|wp_footers_logic|file_put_contents|browsec" /path/to/wordpress

# Find suspicious options in DB (use MySQL client)
mysql -u dbuser -p -D dbname -e "SELECT option_name, LEFT(option_value,200) FROM wp_options WHERE option_name LIKE '%footer%' OR option_value LIKE '%base64%';"

When to call a professional

If you see repeated reinfections after cleanup, don’t have a clean backup, or evidence of broader compromise (new admin users, outbound connections to C2 domains), engage a professional incident response firm or a specialized WordPress cleanup service (Sucuri, Wordfence cleanup, or your host’s security team). They can provide deeper forensics and ensure the attacker is fully evicted.


Summary

  • Attackers are using database-stored, base64-encoded payloads and file-level hooks to run online casino SEO spam on compromised WordPress sites.
  • The payload is often executed with eval() from theme/plugin files or via cache fallback files like wp-content/cache/style.dat.
  • Clean up requires checking theme/plugin files and the DB (wp_options) for deceptive option names, removing duplicate directories, and eliminating reinfection code.
  • After cleanup, harden the site: update software, remove unused plugins/themes, enable backups, use a WAF, and monitor file integrity.
