Inside a Hacked SEO Backlink Network

On Tuesday of last week, we got a notification from Google that stated a client website was hacked. What I didn’t realize at the time was this was one of the craziest SEO hacks I’ve seen in a very long time.

These types of hacks are extremely common on the interwebs, especially on WordPress sites. The hacks usually play out something like this:

Attackers will scan the open web for IP addresses that contain a certain framework. In this case they were looking for WordPress sites; however, I also found Magento sites, custom sites, and a handful of other frameworks. One of the most impressive aspects of this hack was the fact that I found multiple different frameworks that just got hacked, not just WordPress (or Joomla, etc.).

From there, the hackers bulk scanned the targeted sites for ones that have outdated frameworks and plugins. They then look up each site for known exploits and use them to gain access to the system. Most of the time these are SQL injections.

The hacked link network looks something along the lines of this:

A scaled version of the hacked SEO link network we uncovered

To illustrate just how easily this can be done, here is a step-by-step YouTube video of an attacker gaining access to a WordPress website in about 3 minutes. Crazy, right?

Once they gain access, attackers oftentimes have different goals for what to do with the hacked site. Sometimes they are politically motivated and put up a landing page for their hacking groups. Other times you won’t even notice anything is wrong; they are looking to expand their botnet to use your server as a node in their attack system.

Other times, and in this case, they are very blackhat SEOs looking to use your website as a giant source of link juice to sell links or to boost their own affiliate sites. A secondary motivation for this hack might have been to collect credit card numbers from potential customers, but I don’t have any evidence of that.

Analysis of the hack

For starters, the attacker uploaded 14,000 files to the server, which happened to be a GoDaddy server. 95% of those files were HTML files that contained a semi-functioning “eCommerce like” page.

Most of the content was in an Asian language that I determined to be Japanese via Google Translate:


Using Google translate to determine what language the hacked network is.

You can see here the homepage of another hacked site on this same network is running Magento (with major problems)


Attackers many times (not in this case) would leave the front end of the website intact

The attacker uploaded HTML files to the inner pages of the hacked sites. Unless the webmaster was browsing around the inner directories of the server, they probably wouldn’t even notice they are hacked.

Meanwhile, the backend of the website contains 1000’s of hacked pages

Thanks to some careful Linux hacking, I grepped the list of files and regex’d them into a list of filenames.

Using Linux command line to mass edit the file names

Once I had that list, I uploaded all the files to a sanitized and isolated VPS that I could play around on. That server is still live for the time being at:

Mirror of hacked server: (as of 2017, no longer mirrored)

This allowed me to freely browse through the files on the internet without risk of worrying about the integrity of the server.

From there I loaded up my trusty old friend Scrapebox 2.0 and used the addon “link extractor.” The 64 bit version of this tool in 2.0 burned through this list in just a few seconds.

Scrapebox 2.0 extracted all of the links from the live server

I loaded the list from the link extractor, trimmed to root, removed duplicates and I was left with a nice list of 239 websites that our hacked sites linked out to.

From our server alone, we located almost 300 other potentially hacked websites
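The same extract, trim-to-root and de-duplicate pass can be scripted over the quarantined copy of the uploaded files. This is an added example, not the author's Scrapebox workflow; the function names and the `.example` hosts are hypothetical, "trim to root" is taken to mean reducing each URL to its host, and it goes one step further by counting how many pages link to each host, which surfaces the most-linked destinations first.

```python
from collections import Counter
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag; tolerant of broken markup."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

def trim_to_root(url):
    """Reduce an absolute http(s) URL to its lower-cased host, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. unbalanced "[" in the host
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    host = host.rstrip(".")
    return host[4:] if host.startswith("www.") else host

def outbound_hosts(pages, own_host):
    """Map each external host to the number of pages that link to it."""
    counts = Counter()
    for html in pages:
        collector = LinkCollector()
        collector.feed(html)
        counts.update({trim_to_root(h) for h in collector.hrefs} - {None, own_host})
    return counts

def load_pages(root):
    """Yield the text of every .html file under root (the quarantined copy)."""
    for path in Path(root).rglob("*.html"):
        yield path.read_bytes().decode("utf-8", errors="replace")

# Constructed sample pages; every host is a placeholder .example name.
SAMPLE_PAGES = [
    '<a href="http://www.money.example/item?id=1">x</a>'
    '<a href="HTTP://Hacked-B.example/inner/p1.html">y</a><a href="/cart">z</a>',
    '<a href="https://money.example/">a</a><a href="https://money.example/b">b</a>'
    '<a href="http://client.example/about">self</a>',
    '<a href=http://hacked-c.example/x.html>u</a><a href="mailto:a@b.example">m</a>'
    '<a href="http://money.example">c',
]

if __name__ == "__main__":
    for host, n in outbound_hosts(SAMPLE_PAGES, "client.example").most_common():
        print(f"{n:4d}  {host}")
```

For a real run, pass `load_pages("/path/to/quarantine")` instead of `SAMPLE_PAGES` and give the compromised site's own host as `own_host`.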

At this point I came to a realization: this was not just my client site that was hacked, it was somewhat of a clever link network. I figured by default that all hacked sites just pointed to some money site, but I deduced that my hacked site pointed to other hacked sites, and those hacked sites pointed to even other hacked sites.

View source on any of the hacked HTML pages and you’ll see all sorts of outbound links to all sorts of different sites, with the same exact footprint:

For example have a look see at the view source of the content area of this site:

A view of the source code revealed tons of outbound links to other hacked sites, which linked to the main money site.

I found hundreds of other hacked sites on this “network” all with 100’s or 1000’s of HTML files uploaded to their server. With each infected server I scanned, I found more and more money sites.

Each hacked website had anywhere from 100-2000 HTML files uploaded to it.

I did a few random “spot checks” on some of these domains, some of them have been hacked since mid-2014 but many of them were hacked recently.

At one point I thought it might be worth a long shot to do a WHOIS and see if I can correlate any of the registrant details to peg the owner (not that I’d out them or anything) but of course, the real money sites were all private WHOIS.


Looking up WHOIS website owner information of the hacked sites to let them know their sites were hacked.

One of the brilliant things about this “link network” is that it is both interdependent and independent at the same time. All sites rely on each other to help boost their link portfolio, but at the same time if one of them did a malware scan and deleted the files, it doesn’t affect the other sites in the network.

Here is one example of what one of the hacked URL’s looked like. At the surface it is a fully functioning eCommerce website, but in all actuality it is just a rendered HTML page with all links pointing to the “money site.” Any attempt to add an item to a cart etc will simply lead you to the money site.

Uploaded the hacked files to a quarantined server for further analysis

Most of the money sites had pretty much the same stack:


Money site looks identical to the hacked site

Again about 90% or so of the money sites were Japanese language on Japanese hosts.

In the end, I identified these 6 domains as the main “money sites” and really the ones responsible for this widespread attack:

(hell, no they don’t get a link)

Most of these domains have a very low domain authority with the exception of a few of them.

Basic Mistakes by the Hacker

While I was somewhat impressed that this attacker was motivated enough to break into all of these systems, they made a ton of mistakes and left a huge footprint.

Dear hacker – check your robots.txt and next time pick a directory that Google is actually allowed to crawl.

Next time check robots.txt files so Google can actually crawl the directory your links are pointing to.


Hackers forgot to check robots.txt file – sorry, no link juice for you!

Brought to you in part by: trackback spam

That’s right, trackbacks, one of the oldest and dirtiest methods for quick spam.

Some of the money sites had “ok” authority, most of them did not.


Motivation for this hack

When I first encountered this breach, I thought for sure the motivation was phishing for credit card numbers. Within a few minutes I discovered how many other infected sites there are, and figured it was a link network to boost a money site.

After spending an hour or so analyzing the sites involved, I now believe that this network is not only a way to boost the attacker’s money site, but they may also be using this “network” as a way to sell links.

What really stumped me in the end is that these sites really aren’t that great. They don’t appear to be getting that much traffic, they don’t seem to be ranking that well, a lot of their links aren’t showing up (maybe due to robots.txt).

Informing the other hacked sites

Listen, I’m not the type of person to stand in the way of someone doing blackhat SEO. If that is your game, fine. I do have a problem however with hacking websites especially ones owned by small business owners trying to make a living.

In this case I’m going to make one attempt at notifying these sites that they are hacked via their public email. If they respond I’ll treat it as a lead for our business, or point them in the right direction. If they don’t that’s all I can do.

Patrick Coombe
Hello I'm Patrick Coombe and I'm the CEO and Founder of Elite Strategies, an agency I started in 2009. One of the main reasons I love blogging about SEO is the research it takes to come up with the posts. It allows me to not only write about what I love, but to learn more about the industry in the process. I hope you enjoyed this post, if you did consider sharing it or even better linking to it!
  • Written by: walid khel

    Great read

  • Written by: Elisabeth

    Sweet blog! I found it while browsing on Yahoo News. Do you have any tips on how
    to get listed in Yahoo News? I’ve been trying for a while
    but I never seem to get there! Thank you

  • Written by: Tony

    The worst thing is that once a hack has taken place and spammy URLs are in the index, they stay there forever. We were hit by a WordPress attack and the URLs still hit our servers. Google should remove all links to pages with the spammy URLs, but they won’t!

    • Written by: Patrick Coombe

      Hi Tony thanks for reading. I agree, that is horrible when that happens. The best thing you can do is do a preemptive disavow, which is just my opinion of course not a fact.

  • Written by: Douglas Muth

    One of the strategies I use to detect unauthorized files being added to sites that I manage is to check my entire htdocs/ folder into Github, and have a remote private repo on GitHub or BitBucket.

    If any files are added or changed, I’ll know as soon as I run a “git status”. If an attacker tries to mess with my commit history, I’ll know as soon as I do a “git push” and see that checksums don’t match.

    While this won’t catch a machine that has a rootkit installed, it sounds like it will stop the sort of “let’s create a ton of files on the server” technique that you describe here.

    • Written by: Patrick Coombe

      That is a really good idea, I’ll have to try that. It is almost like running a live “diff” am I right?
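The `git status` check from the comment above, scripted so it can run unattended. This is an added example, not code from the commenter or the post; it assumes the docroot is already a git work tree with a clean baseline commit, the function names are hypothetical, and it goes slightly beyond the comment by flagging directories that received a bulk drop of new files.

```python
import subprocess
from collections import Counter
from pathlib import PurePosixPath

def parse_porcelain(raw):
    """Parse `git status --porcelain -z` output into (status, path) pairs."""
    entries, fields, i = [], raw.split("\0"), 0
    while i < len(fields):
        field = fields[i]
        i += 1
        if len(field) < 4:  # empty field after the final NUL
            continue
        status, path = field[:2], field[3:]
        if "R" in status or "C" in status:
            i += 1  # renames/copies carry the original path as an extra field
        entries.append((status, path))
    return entries

def summarize(entries, bulk_threshold=100):
    """Split changes into new vs. altered files and flag bulk-drop directories."""
    new = [p for s, p in entries if s == "??"]
    altered = [p for s, p in entries if s != "??"]
    per_dir = Counter(str(PurePosixPath(p).parent) for p in new)
    bulk = {d: n for d, n in per_dir.items() if n >= bulk_threshold}
    return {"new": new, "altered": altered, "bulk_dirs": bulk}

def scan(repo, bulk_threshold=100):
    """Run git in the checked-in docroot and summarise what changed."""
    # --untracked-files=all lists every new file instead of collapsing a
    # brand-new directory into a single line.
    raw = subprocess.run(
        ["git", "-C", repo, "status", "--porcelain", "-z", "--untracked-files=all"],
        check=True, capture_output=True, encoding="utf-8", errors="replace",
    ).stdout
    return summarize(parse_porcelain(raw), bulk_threshold)

# Constructed sample of `git status --porcelain -z` output (NUL-separated).
SAMPLE_STATUS = (
    "?? shop/a1.html\0?? shop/a2.html\0?? shop/a3.html\0"
    " M index.php\0R  new.php\0old.php\0?? uploads/x.html\0"
)

if __name__ == "__main__":
    import sys
    report = scan(sys.argv[1]) if len(sys.argv) > 1 else summarize(
        parse_porcelain(SAMPLE_STATUS), bulk_threshold=3)
    print(report)
```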

  • Written by: Rob @ Visual

    Great article 🙂

    One of our sites got hit by this & we didn’t notice until AHREF’s pointed out that we’d acquired a whole bunch of ‘new links’.

    In our case, it looked as though it happened because our WordPress plugins weren’t kept up to date.

    • Written by: Patrick Coombe

      yes! that is also how I find out about a lot of my hacks is when I notice an eeeency little link pointing out. thanks for reading Rob.

  • Written by: Rob

    This problem is HUGE, and I wish you would send details of this to WordPress security. Worst offenders appear to be term paper writing places:

    • Written by: Patrick Coombe

      oh I’d love to, done deal!

  • Written by: PETER SANTAMARIA

    Even though I have the privilege of working for you and by the way thank you. This article IMO shows how deeply involved and dedicated you are to the profession of Organic SEO Marketing.
    I use the word “profession” highly, because this field takes a professional skill and mindset, and your article proves just that.
    We are as professional as people in the pharmacy, veterinary medicine, psychology, nursing, teaching, librarianship or optometry field, and your meticulously written article proves just that my friend. Keep on producing articles like this, you are the true definition of the word “Teacher” I thank you for all you have done for me and our “profession” Peter

    • Written by: Patrick Coombe

      Thank you Peter, your hard work and dedication is uncanny!

  • Written by: Terry A. Davis

    I have a talking SETI. Eventually, the world will know and I’ll be the most famous person on Earth. I don’t care anything about my current web traffic.

    I use the word “ni****” on my website blog. That would not be good for SEO. I have a talking SETI, I am guaranteed being famous. I just have to be patient.

    • Written by: Patrick Coombe

      I don’t know what this is, either it’s the worst SPAM or I am crazy or this person is crazy. First comment I ever had to censor for profanity lol.

  • Written by: Giovanni

    Hello Patrick, thank you for sharing this experience. It is very useful for all of us doing SEO to have examples and case history like this one in order to defend or repair a spam attack.
    The work behind this case is huge and very interesting, I like to understand how a hacker thinks to play with Google. The very long anchor texts are a good example of that, but ignoring robots.txt is also a big “mistake” 🙂 as you said.

    I also think you should move to a better hosting with file monitoring service because if hosting alerts you every time it checks for new files it will be a joke to catch a hacking attack. Don’t you think? Cheap services are a pain in the ass and the money saved is spent in time lost later 🙂

    Thanks again and have a great day!

    • Written by: Patrick Coombe

      Thank you Giovanni – You raise some good points. I actually own a small hosting company that does monitoring, but unfortunately I can’t convince all of my clients to switch to us.

  • Written by: Josh

    Wow that was a great article.

    The Youtube video scared me a bit.

    is there any good training on removing scanning, cleaning and tracking malware and viruses on WordPress sites?

  • Written by: Joe Robison

    I also had the idea of notifying other sites in a hack I found on a client site. So I tried to email all of them from Active Campaign for efficiency, but I got blocked by the software because they saw the emails as not naturally gained.

    Do you plan on just emailing them all one by one or using Gmail mail merge?

    • Written by: Patrick Coombe

      thanks for reading and commenting Joe – yes I just manually emailed all of them since it wasn’t a lot. I did get about 5 responses (so far) 2 of which I think will turn into a customer 🙂

      If it were 100+ I might just load them into an email marketing software, but that’s a good point. What are you going to do?

  • Written by: Andrew Liwanag

    Great read, I’ve loved reading through search and rescue missions. I think blackhat is extremely important for up and coming SEO’s to be aware of and understand how to remedy. I wish more of these would make it more viral as opposed to all these “content strategies” people post of. Good on you, keep on keepin’ on.

    • Written by: Patrick Coombe

      I agree Andrew, and thank you for reading! A few people were upset about the terminology I used in this post, but I do think that it is important for people to know that this type of stuff is going on.
