I’ve been monitoring mattheaton.com “wordpress.net.in goro spam injections” for this past few months. Noticeably, the blackhat spamming method is changing dramatically. For those who are still unaware of Wordpress Goro Spam please read my earlier post → Wordpress.net.in Spam injection& Gaming Bluehost & Hostmonster CEO’s Blog.

thinkingphp.org (PR6) & jensfrake.com (PR7) has been hijacked by “Wordpress Blackhat SEO Spammer” for this month. Both sites were running on WordPress 2.3.2.

By now the <div id=”goro”> signature has been replaced with “Inline CSS” wrapper.

Cloacking Check on Mattheaton.com

Normal Browser

32,246 characters - mattheaton-com-source.txt

Google bot

34,646 characters - mattheaton-com-googlebot-source.txt

Difference

2,400 characters

Cloacking Check on jensfrake.com & blog.jensfrake.com

Normal Browser

59,580 characters - blogjensfrakecom.txt

Google bot

59,699 characters - blogjensfrakecom-googlebot.txt

Difference

119 characters

While scanning jensfrake.com their server return 400-500 error, so we had to scan his (clone) subdomain blog.jensfrake.com instead of the main site

This time around, you wont see the spam on both of this website, all the spam links is position out of the client view-port (top -3337px, left -2227px).

another mathematical jokes, l33t.

<div style="left: -2227px; position: absolute; top: -3337px">

What’s new with Goro spam 2008

• WordPress <= 2.3.2 is vulnerable to this attack.
• Inject Spamlinks wrap with extra Inline CSS for cloacking
• Target High PR Sites → PR5 and above

Related Post

• Matt Heaton BlueHost HostMonster CEO’s Official Blog Hacked
• How to Removed Wordpress.net.in Spam Injection
• Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

External Links

• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities