SEO Injection & Malware Discovery

Client: E-commerce company, Colombia, 2025
Service: Web Application Pentest
Type: Incident response + black-box testing

Executive Summary

A production WordPress e-commerce site was silently compromised with a PHP-based SEO spam injection. Malicious code served gambling and illegal content exclusively to Google search crawlers — invisible to human visitors — exploiting the client's established domain authority to rank illegal content in Google Search results.

Findings

  • Critical: Malicious PHP backdoor injected into core WordPress files, conditionally serving spam HTML to Googlebot based on User-Agent
  • Critical: Server-side SEO cloaking — human visitors saw normal site, Google crawlers saw gambling/drug content
  • High: Unauthorized admin account created in WordPress database
  • High: Outdated plugins with known RCE vulnerabilities used as initial access vector
  • Medium: File permission misconfigurations allowing PHP execution in uploads directory

Methodology

Server log analysis, raw HTTP response comparison with Googlebot User-Agent versus normal browsers, and full WordPress file integrity check. The attack vector was traced to an outdated WooCommerce plugin with a known unauthenticated RCE vulnerability (CVSS 9.8).
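The Googlebot-versus-browser response comparison used above, as an added example (not code from the original engagement): it fetches the same URL with two User-Agent strings and reports links and text that appear only in the crawler's copy. The URL and the two sample HTML bodies are constructed for illustration.

```python
"""Differential check for User-Agent based SEO cloaking (added example)."""
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"


class _LinkTextExtractor(HTMLParser):
    """Collect href values and visible text chunks from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def extract(html):
    parser = _LinkTextExtractor()
    parser.feed(html)
    return set(parser.links), set(parser.text)


def compare_variants(browser_html, bot_html):
    """Return what the crawler saw that a normal browser did not."""
    b_links, b_text = extract(browser_html)
    g_links, g_text = extract(bot_html)
    extra_links = sorted(g_links - b_links)
    extra_text = sorted(g_text - b_text)
    return {"extra_links": extra_links, "extra_text": extra_text,
            "cloaked": bool(extra_links or extra_text)}


def fetch(url, user_agent):
    """Fetch url with a given User-Agent (network; not used by the sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses: the crawler copy carries a hidden spam link.
BROWSER_HTML = ('<html><body><h1>Shop</h1><a href="/products">Products</a>'
                '<p>Welcome to our store</p></body></html>')
BOT_HTML = BROWSER_HTML.replace("</body>", '<div style="display:none">'
                                '<a href="http://example.invalid/casino">'
                                'Best online casino</a></div></body>')

if __name__ == "__main__":
    print(compare_variants(BROWSER_HTML, BOT_HTML))
```

Run the comparison twice with the same User-Agent first: nonces, cart tokens and timestamps will show up as differences, and only what survives that baseline is worth treating as cloaking.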

Outcome

All malicious files identified and removed. Plugin ecosystem fully updated. File permission hardening applied. Client's domain authority was successfully restored in Google Search Console within 6 weeks of remediation. Full remediation report delivered with CVSS scores and prioritized action items.