Bizarre Malicious Hack: All outbound links noindex nofollow

Sucuri.com has a scan tool, and a plugin that can helps scan your files. https://blog.sucuri.net/2011/03/yet-another-wordpress-security-post-part-two.html

There’s also a plugin called WordPress Security Scan, which I would use to check for files that have been compromised.

How? Well server security for one. Change the server passwords and reupload, from the wordPress repository, every plugin and the whole WP core code. If you have a hacked file, it can transmit your passwords to the hacker.

Also check the very very very obvious. Did your user do something stupid like upload a plugin they don’t know what it does? Happens often ??

Thanks, Ipstenu. Unfortunately, I don’t know what that tool could’ve possibly found. It looks like a legitimate plugin.

We’ve gone through the code and can tell you that (as I mentioned) there were no other symptoms.

Also, we (my company) control the only user accounts with sufficient privileges to add plugins, so the client is out of the equation. We thought of this, naturally. But as I mentioned, the plugin that was installed cannot be found anyway — neither in the plugin repository here on www.ads-software.com nor anywhere else on the web. This is part of the evidence linking this to a malicious attack, IMHO.

If you’re 100% sure you’ve looked at every line on code in every file on your WP install and you can personally account for every piece of it, then it’s a server hack.

Now that said, it’s a little implausable to think that you actually could do what I just said. I mean, I bet even the core devs aren’t 100% familiar with everything. You’d want to run a DIFF between a known clean install, i.e. fresh off the WP repository, and your site, to say the least. So without knowing HOW you’ve “gone through the code” I cannot, and probably will not, be convinced you did it well enough to be 100% absolutely positive you checked everything. This is nothing personal! I just don’t want you to be hacked again!

Still. Assuming it IS a server hack, it’s easy to change server passwords (the FTP account), and it’s not time consuming to delete the WordPress files and copy up fresh ones (plugins, themes AND core, really, you want to do this – better safe than sorry!). As for the database… You’ll need to search that for anything ‘weird’ and I cannot be more specific :/ It’s a pain in the ass to look for the unknown.

Further reading:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
https://ottopress.com/2011/how-to-cope-with-a-hacked-site/

Thanks, Ipstenu. Hopefully your primer will be useful to those that read this. This most likely isn’t a server hack, but clearly a WP admin account hack.

Far more important, as far as I’m concerned, is to create awareness about this plugin. I saved the plugin file and wanted to make sure that there’s material out here for others to find in case it turns up elsewhere.

Thanks again for your input.

This most likely isn’t a server hack, but clearly a WP admin account hack.

I would not be willing to put money on that assumption. Just by my own experience, these are more often caused by insecure servers than insecure WP admins. Check your server logs for that date, though, and see if anything shows up hinky. Deleting the default admin account is always good, but there are other things you can do to secure your admin area (lock it down by IP etc etc – see https://codex.www.ads-software.com/Hardening_WordPress )