  • In the Google listing, if someone clicks on the site to open it in a new tab, it is getting diverted to https://distributioncorporate.ru/kloac/index.php
    and a new Google search page opens, but if the site is opened directly it opens. How has this happened? I don't understand. Can someone please help? Our site is a news site of activists in India, and daily visitors across India and the world visit for help on Right to Information. In the bottom bar of the browser it shows zabeybolt2.in. Any idea what this is and how to get rid of this problem?

    The assistance of all you experts will be able to pull us out of this problem.

    Thank you

    Editor

Viewing 12 replies - 16 through 27 (of 27 total)
  • Anybody else is using Mobile Detector plugin and has a php file in the cache dir ?

    Hmmm, uddhava, by any chance did you use Installatron to automatically install WordPress? I just installed a fresh wordpress v3.2.1 using Installatron and when I try to install the podpress plugin, it redirects to the malicious domain you noted earlier.

    Btw, gobanana’s suggestion of fixing the .htaccess will solve your problem. Just make sure you fix the .htaccess in the root of your site. Our second WordPress install was in a subdirectory, so the .htaccess in there was clean, but we were still being redirected.

    I used Mobile Detector and got the same problem…

    I contacted the guys from Mobile Detector (MD) to find out what the problem is. Apparently MD is using the timthumb.php file. That file was mentioned in the earlier thread that I posted:

    https://www.ads-software.com/support/topic/admin-search-plugin-page-hackedexploited?replies=28

    @ Gobanana

    Steps to fix:

    1. Delete .htaccess and create a new one
    2. Delete sm3.php file
    3. Delete any cache files (e.g. from wp_cache plugins or others)

    This will not help much unless you find the source of the problem. Otherwise they (the Russians?) will use the same backdoor and put new hack files…

    I think anybody who got hacked SHOULD also change all passwords, including the database passwords…

    I also found out that the modification date of the .htaccess file has not been changed, but the hackers added their own code. That's clever!!
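As an added example (not part of this thread and not Sucuri's code), the Python script below audits every `.htaccess` from the site root down for redirects that fire only for visitors arriving from a search engine, the symptom reported here, and it inspects file content rather than trusting the modification date. It assumes the injected code consists of mod_rewrite `RewriteCond %{HTTP_REFERER}` lines; the names `audit_htaccess` and `scan_tree`, the engine list and the sample file are constructed for illustration.

```python
import re
from pathlib import Path

# Assumed list of search-engine names that injected Referer conditions single out.
ENGINES = re.compile(r"google|bing|yahoo|yandex|aol|msn", re.I)
COND = re.compile(r"\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample: stock WordPress rules followed by an injected, tab-indented block.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
\t\t\tRewriteCond %{HTTP_REFERER} .*google.* [OR]
\t\t\tRewriteCond %{HTTP_REFERER} .*yahoo.*
\t\t\tRewriteRule ^(.*)$ http://redirect.example.invalid/index.php [R=301,L]
"""

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, target) for each RewriteRule that redirects to an external
    host under a Referer condition naming a search engine."""
    findings, from_search = [], False
    for no, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:  # conditions accumulate until the next RewriteRule
            if cond.group(1).upper() == "%{HTTP_REFERER}" and ENGINES.search(cond.group(2)):
                from_search = True
        elif rule:
            host = re.match(r"https?://([^/\s:]+)", rule.group(1), re.I)
            if from_search and host and host.group(1).lower() not in own_hosts:
                findings.append((no, rule.group(1)))
            from_search = False  # conditions apply only to the rule that follows them
    return findings

def scan_tree(root, own_hosts=()):
    """Audit every .htaccess from the site root down; content is checked, not mtime."""
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        hits = audit_htaccess(path.read_text(errors="replace"), own_hosts)
        if hits:
            report[str(path)] = hits
    return report
```

Pass the site's own hostnames in `own_hosts` so that legitimate canonical redirects are not reported.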

    Hmmm, uddhava, by any chance did you use Installatron to automatically install WordPress? I just installed a fresh wordpress v3.2.1 using Installatron and when I try to install the podpress plugin, it redirects to the malicious domain you noted earlier.

    I did not use Installatron.

    I found this great post on this particular malware problem :

    https://markmaunder.com/2011/08/23/breaking-google-starts-to-block-hacked-wordpress-blogs-as-attack-widens/

    It really describes what the problem is and how to conquer it.

    You can scan your WordPress install for any hacked files using these instructions:
    https://markmaunder.com/2011/08/18/two-techniques-to-scan-your-wordpress-installation-and-check-if-youre-hacked/

    Found another great post that has all the details:
    https://blog.sucuri.net/2011/08/mass-infection-of-wordpress-sites-counter-wordpress-com.html

    There is even a PHP script that you can run to scan your WordPress site for vulnerable files:

    https://sucuri.net/tools/sucuri_wp_check.txt
    I have listed it below:

    <?php
    
    /* Sucuri WordPress check - v1.0 (c) 2011 Sucuri.net
     *
     * This script will do a quick check on your WordPress installation looking for
     * plugins or themes that you should remove.
     */
    
    // Lift the execution time limit so the scan can finish on large installs.
    @set_time_limit(0);
    @ini_set("max_execution_time",0);
    @ignore_user_abort(TRUE);
    
    function remove_dirall($dir)
    {
        if(!$dh = @opendir($dir))
        {
            return;
        }
    
        while (false !== ($obj = readdir($dh)))
        {
            if($obj == '.' || $obj == '..')
            {
                continue;
            }
    
            if (!@unlink($dir . '/' . $obj))
            {
                remove_dirall($dir.'/'.$obj);
            }
        }
    
        closedir($dh);
    
        @rmdir($dir);
    }
    
    function getfile($myfile)
    {
        $sigs = array('TimThumb script created by Ben Gillbanks',
                      'Uploadify v', '$allowedSites = array (');
    
        $fh = fopen($myfile, "r");
        if(!$fh)
        {
            return(0);
        }
        $buffer = fread($fh, 26096);
        foreach($sigs as $mysig)
        {
            if(strpos($buffer, $mysig) !== FALSE)
            {
                fclose($fh);
                return(1);
            }
        }
    
        fclose($fh);
        return(0);
    
    }
    
    function scanallfiles($dir)
    {
        $issues = 0;
        $dh = opendir($dir);
        if(!$dh)
        {
            return(0);
        }
    
        if($dir == "./")
        {
            $dir = ".";
        }
    
        while (($myfile = readdir($dh)) !== false)
        {
            if($myfile == "." || $myfile == "..")
            {
                continue;
            }
    
            else if($myfile == "sucuri_wp_check.php")
            {
                continue;
            }
    
            else if($myfile == "wp-phpmyadmin" || $myfile == "portable-phpmyadmin" || $myfile == "adsense-now-redux"
                   || $myfile == "adsense-now" || $myfile == "easy-adsenser")
            {
                echo "Warning: Found insecure (vulnerable) WordPress plugin: $dir/$myfile\n";
                $issues++;
            }
    
            if(strpos($myfile, ".php") !== FALSE)
            {
                if(strpos($dir, "/images/") !== FALSE)
                {
                    echo "Warning: Found PHP file inside image directory $dir/$myfile\n";
                    $issues++;
                }
    
                if(getfile($dir."/".$myfile))
                {
                    echo "Warning: Found suspicious file (timthumb or uploadify): $dir/$myfile\n";
                    $issues++;
                }
    
            }
    
            if(is_dir($dir."/".$myfile))
            {
                $ret = scanallfiles($dir."/".$myfile);
                $issues += $ret;
            }
        }
        closedir($dh);
        return($issues);
    }
    
    /* Scanning all files. */
    $dir = "./";
    
    echo "<html><title>Sucuri WP check</title><h2>Checking your WordPress install...</h2><h3>By <a href=\"https://sucuri.net\">Sucuri.net</a> - Questions?
    Contact [email protected]</h3><pre>";
    
    $issues = scanallfiles($dir);
    
    echo "</pre>";
    
    if($issues == 0)
    {
        echo "<h3>No issues found. Completed.</h3>\n";
    }
    ?>

    I think the culprit file was the timthumb.php file inside the Mobile Detector plugin folder. You can update the timthumb.php file manually. Download it here :

    https://timthumb.googlecode.com/svn/trunk/timthumb.php
    (Save link as…)

    I found more strange PHP files spread all over my plugin folders:
    a.php and r57.php in the secure-wordpress plugin.
    The secure-wordpress.php file was also overwritten.

    And the fbadd thumbnail file was also compromised. Looks like the best solution is to delete the whole site and restore from backup.

    Remove and reload everything but files with database info (unless you know what was in them and can recreate them).

    What I do:
    Let mobile devices, all browsers and users take care of themselves. Cache things using htaccess and don’t use seo plugins.

    Use FileZilla, but use it rarely and delete all personal info each time. Use the file editor on the server instead. Don’t share desktops or files. Eliminate as many dynamic forms as possible. I got rid of users. Anyone can comment if they can get past Captcha, Akismet and htaccess rules: 99.9% of spam ends up in the spam list and I delete it without looking at it too closely.

  • The topic ‘site getting diverted from Google’ is closed to new replies.