It seems there are a lot of WordPress hacks happening recently.
Some WordPress blogs hosted by Network Solutions experienced a hack that made their websites redirect to a malware site. It specifically attacked the database by changing the site URL field in the wp_options table. Although Network Solutions blamed WordPress, they ultimately announced it was a hosting problem, not WordPress.
Google Cloaking Hack
The Google Cloaking Hack’s notable symptom is in the search engine results for your site – instead of your title and description, the search results will show an alternate title with some prescription drug name. One example I found while looking for a particular article was “Clomid Prices – We Always Offer Lowest Prices on Internet” instead of the actual title of the post. It’s also referred to as the WordPress Pharma Hack.
My WordPress Hack Experience
So far, I haven’t found an official name for the WordPress hack that affected several of my sites. The following is how I figured out there was a problem and what I did next.
About My Hacked Sites
My sites are all hosted on GoDaddy. One is in its own hosting account, and the other four were hosted under the same account. If the hack hits one site on a hosting account, the injection gets into the PHP files of all sites in that account. All of my sites were on either WordPress version 2.9 or 2.9.1 as I hadn’t quite gotten around to upgrading them.
- RSS was not working in WiseStamp signature, CommentLuv comment fields, or Yahoo Pipes.
- Stylesheets on admin panels were missing.
- Strange error in admin dashboard.
- Admin panel on mobile browser redirected to another page.
- Sites redirected to a free virus scanner search on Bing (in IE, sometimes Firefox).
What I Found in My Files
There were (thankfully) no modifications to my database, users, or .htaccess files. What I found included the following.
- Additional PHP file in root directory (on one site it was stranger_rosetta.php, and on another it was page_cersy.php).
- Encrypted PHP code on almost all .php files (about 5 out of hundreds were unaffected).
- View Page Source revealed all of the pages and RSS feed for my site had an additional call to a .js script right before the closing
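
One way to check a site for the two file findings listed above (an added PHP file in the root directory and injected code in existing .php files) is to hash every .php file and compare it against a clean copy of the same WordPress release. This is an added example, not code from the original post; the function names, the script name, and the skip list are assumptions.

```python
import hashlib
import os
import sys


def php_hashes(root):
    """Map each .php path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_clean(site_root, clean_root, skip=("wp-config.php",)):
    """Compare a live site with a clean copy of the same WordPress release.

    modified   - files whose content differs from the clean copy
    extra      - .php files present only on the live site
    root_extra - the subset of extra that sits directly in the site root
    skip       - files that legitimately differ per site (assumed list);
                 read those by hand instead
    """
    site, clean = php_hashes(site_root), php_hashes(clean_root)
    modified = sorted(p for p in site
                      if p in clean and p not in skip and site[p] != clean[p])
    extra = sorted(p for p in site if p not in clean and p not in skip)
    root_extra = [p for p in extra if os.path.dirname(p) == ""]
    return {"modified": modified, "extra": extra, "root_extra": root_extra}


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python compare_wp.py /path/to/live/site /path/to/clean/copy
    report = compare_to_clean(sys.argv[1], sys.argv[2])
    for kind in ("modified", "extra"):
        for path in report[kind]:
            print(kind, path)
    print(len(report["modified"]), "modified,", len(report["root_extra"]),
          "unexpected .php file(s) in the site root")
```

Plugin and theme files are reported as extra unless the clean copy also contains the same plugin and theme versions, so build the reference tree from fresh downloads of everything the site runs.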