Case Study: SEO Injection & Malware Discovery

Client: E-commerce company, Colombia, 2025

Engagement type: Incident response + web application penetration test

Executive Summary

A production WordPress e-commerce site was silently compromised with a PHP-based SEO spam injection. Malicious code served gambling and illegal content exclusively to Google search crawlers — invisible to human visitors — exploiting the client's established domain authority to rank illegal content in Google Search results.

Findings

Methodology

Daniel Ordonez Arango identified the compromise by analyzing server logs, comparing the raw HTTP responses returned to a Googlebot User-Agent with those returned to normal browsers, and performing a full WordPress file integrity check. The attack vector was traced to an outdated WooCommerce plugin with a known unauthenticated RCE vulnerability (CVSS 9.8).
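
The crawler-versus-browser response comparison described above, sketched as an added example (not code from the engagement). The helper names `fetch` and `cloaking_diff` are hypothetical, and the two sample pages are constructed so the check runs offline.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample responses (not taken from the client's site).
BROWSER_HTML = '<html><body><h1>Shop</h1><a href="https://shop.example/cart">Cart</a></body></html>'
CRAWLER_HTML = ('<html><body><h1>Shop</h1><a href="https://shop.example/cart">Cart</a>'
                '<div style="display:none"><a href="https://spam.example/slots">casino slots</a></div>'
                '</body></html>')

class _PageFacts(HTMLParser):
    """Collects outbound link hosts and visible words from one response body."""
    def __init__(self):
        super().__init__()
        self.hosts, self.words = set(), set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:  # relative links have no hostname and are skipped
                self.hosts.add(host.lower())

    def handle_data(self, data):
        self.words.update(w.lower() for w in data.split())

def fetch(url, user_agent, timeout=10):
    """Fetch a page you are authorized to test, presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def cloaking_diff(browser_html, crawler_html):
    """Return link hosts and words that only the crawler response contains."""
    b, c = _PageFacts(), _PageFacts()
    b.feed(browser_html)
    c.feed(crawler_html)
    return {"hosts": sorted(c.hosts - b.hosts), "words": sorted(c.words - b.words)}

if __name__ == "__main__":
    # Live use: cloaking_diff(fetch(url, UA_BROWSER), fetch(url, UA_GOOGLEBOT))
    print(cloaking_diff(BROWSER_HTML, CRAWLER_HTML))
```

An empty diff does not clear a site on its own: injections can key on the crawler's source IP rather than its User-Agent, which is why the log review and file integrity check remain part of the method.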

Outcome

All malicious files identified and removed. Plugin ecosystem fully updated. File permission hardening applied. Client's domain authority was successfully restored in Google Search Console within 6 weeks of remediation. Full remediation report delivered with CVSS scores and prioritized action items.
