Apparently the WordPress search redirect hack that I reported on the other day is fairly widespread. Moreover, it’s been taking down sites running WordPress installs as late as ver. 2.5.1, so it appears that upgrading won’t necessarily protect you.
(Here’s an example.)
While the nefarious code was, in my case, included in index.php, others are reporting that it may involve a corrupted image file registered in the wp_options database table so that it is loaded as a plugin.
Here are some related articles on the topic: link, link.
And, finally, a video on fixing the problem if you have the plugin version: link
It’s still unclear how the affected sites were compromised.
To find out if you’re affected:
Clear cookies, run a Google search for your site, and then click through. If you wind up at your site you’re probably okay. If it redirects to (or through) anyresults.net, then you’ve been hacked. If I were you, I’d try this a couple of times as the cookie that hides the hack seems to stick in some browsers.
*Note: It now appears that instances in which later WordPress versions (2.5+) were affected were likely due to the site having been compromised prior to the upgrade.
Update: Be sure to read this post about getting rid of this thing. I just discovered that I had an extraneous user created at 00:00:00 on 0000-00-00. Unlike JD, however, I haven’t discovered any other database changes — perhaps because I was running an older version of WP (2.3.3) which was easier to take down (?).
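The two database indicators mentioned above (an image file listed as an active plugin, and a user with an all-zero registration date) can be checked offline against exported rows. This is an added example, not code from the original post. It assumes the default `wp_` table prefix and the standard WordPress `active_plugins` option and `user_registered` column, and all sample values are constructed.

```python
import re

# Export the inputs with (default "wp_" prefix assumed):
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
#   SELECT ID, user_login, user_registered FROM wp_users;

def parse_active_plugins(serialized):
    """Return the string entries of a PHP-serialized array such as
    a:2:{i:0;s:9:"hello.php";i:1;s:19:"akismet/akismet.php";}"""
    data = serialized.encode("utf-8")      # PHP string lengths count bytes
    entries, pos = [], 0
    for m in re.finditer(rb's:(\d+):"', data):
        if m.start() < pos:                # marker inside a previous string value
            continue
        start = m.end()
        pos = start + int(m.group(1))
        entries.append(data[start:pos].decode("utf-8", "replace"))
    return entries

def suspicious_plugins(serialized):
    """Flag entries that are not .php files or that climb out of the plugins dir."""
    return [e for e in parse_active_plugins(serialized)
            if not e.lower().endswith(".php") or ".." in e]

def suspicious_users(rows):
    """rows: (ID, user_login, user_registered) tuples; flag zero dates."""
    return [r for r in rows if str(r[2]).startswith("0000-00-00")]

# Constructed sample data, not taken from any real site.
SAMPLE_ACTIVE_PLUGINS = ('a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
                         'i:2;s:41:"../../wp-content/uploads/2008/05/logo.jpg";}')
SAMPLE_USERS = [(1, "admin", "2007-03-14 09:21:05"),
                (7, "constructed_user", "0000-00-00 00:00:00")]

if __name__ == "__main__":
    for entry in suspicious_plugins(SAMPLE_ACTIVE_PLUGINS):
        print("suspicious active_plugins entry:", entry)
    for row in suspicious_users(SAMPLE_USERS):
        print("user with zero registration date:", row)
```

A clean result here does not rule out the index.php variant, so the search click-through test is still worth running.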