Repeated SQL Injections: Hosting Matters, Hawk Host & myLoc managed IT AG

According to PublicWWW, approximately 2156 sites have been injected with “divHrefB” malicious SEO spam; many .de, .pl and .com domains are affected.

Malicious entries:


Affected tables: wp_posts & wp_postmeta.

-- Back up both tables first. REGEXP_REPLACE requires MariaDB 10.0.5+ or MySQL 8.0+.
-- Remove the injected styled paragraphs that end in a link.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<p style=(.*?)>((.|\n)*?)<\/a><\/p>', '');
UPDATE wp_postmeta SET meta_value = REGEXP_REPLACE(meta_value, '<p style=(.*?)>((.|\n)*?)<\/a><\/p>', '');
-- Remove the injected divHrefB blocks.
UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '<div name="divHrefB"(.*?)>((.|\n)*?)</a></div>', '');
UPDATE wp_postmeta SET meta_value = REGEXP_REPLACE(meta_value, '<div name="divHrefB"(.*?)>((.|\n)*?)</a></div>', '');
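A dry run of the two cleanup patterns above, to show which spans each UPDATE would delete before the tables are changed. This is an added example, not code from the original post. Python's re module stands in for the database regex engine, and the sample rows, row ids and spam.example domain are constructed.

```python
import re

# Patterns from the page's cleanup queries, as the regex engine receives them
# once the SQL string escape \/ has become /. Python's re stands in for the
# database engine; IGNORECASE assumes a case-insensitive column collation.
PATTERNS = {
    "p_style": re.compile(r'<p style=(.*?)>((.|\n)*?)</a></p>', re.I),
    "divHrefB": re.compile(r'<div name="divHrefB"(.*?)>((.|\n)*?)</a></div>', re.I),
}
SERIALIZED = re.compile(r'^[aOs]:\d+[:;]')   # looks like PHP serialize() output
P_OPEN = re.compile(r'<p[\s>]', re.I)


def preview(rows):
    """List (row_id, pattern, chars_removed, flags) for every span an UPDATE would delete."""
    findings = []
    for row_id, text in rows:
        for name, rx in PATTERNS.items():
            for m in rx.finditer(text):
                span, flags = m.group(0), []
                # The lazy match starts at the first '<p style=' in the row and runs
                # to the first '</a></p>', so it can swallow legitimate paragraphs.
                if name == "p_style" and len(P_OPEN.findall(span)) > 1:
                    flags.append("spans-multiple-paragraphs")
                # Serialized values store string lengths; deleting text in place
                # leaves a value PHP can no longer unserialize.
                if SERIALIZED.match(text):
                    flags.append("serialized-value")
                findings.append((row_id, name, len(span), flags))
    return findings


# Constructed sample rows (spam.example is a placeholder domain).
SPAM_DIV = '<div name="divHrefB"><a href="https://spam.example/">x</a></div>'
SAMPLE_ROWS = [
    (101, '<p>Intro</p>' + SPAM_DIV),
    (102, '<p style="text-align:center">Opening hours</p>\n<p>Call us.</p>\n'
          '<p style="x"><a href="https://spam.example/">x</a></p>'),
    (103, 'a:1:{s:4:"text";s:%d:"%s";}' % (len(SPAM_DIV), SPAM_DIV)),
]

if __name__ == "__main__":
    for finding in preview(SAMPLE_ROWS):
        print(finding)
```

Rows flagged spans-multiple-paragraphs or serialized-value are the ones to review and clean by hand rather than with the bulk UPDATE.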

Hosting companies affected by the same SEO hack: Hosting Matters (hmdnsgroup.com), Hawk Host (arandomserver.com), 1blu AG, myLoc managed IT AG.

Sucuri classification:
Known Spam detected: spam-seo.spammy_keywords?9.2
Known javascript malware: spam-seo.hidden_content?109

Example of malicious domain name used in this SEO spam campaign: buyantibiotics24.net, with 4.8K backlinks.
Compromised sites with the same hack, hosted by Hosting Matters (hmdnsgroup.com): wildwoodnaturist.com, studentclustercomp.com, ontheglideslope.net, mariephilippe.ca, indianarecorders.org, danieldunlapphoto.com, understandingthemarket.com.
Hawk Host infected websites: rap-info.com, elephonespain.com, georgiadoom.com, elshmal.com.

Malicious URLs:
https://buykamagrausa.com/index.html%3Fp=47.html
https://buy-levitra-usa.com/where-can-i-buy-generic-levitra
https://buyantibiotics24.net/buy-amoxil-online.html
https://antibiotika-online.com/bactrim-rezeptfrei.html
https://buy-kamagra-oral-jellies.com

7/6/2023 update – Hosting Matters, Hawk Host & myLoc managed IT AG were notified about this issue through their abuse channels. No reply so far.