1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:27 am May 21, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Site hacked - but can't see how

Links from search results redirect to spam page, but entering URL doesn'

         

oolong

6:07 pm on Feb 4, 2012 (gmt 0)

10+ Year Member



The site I've been working on, International Times [internationaltimes.it], has evidently been compromised - if you google "site:internationaltimes.it viagra" you'll see there are many pages that obviously shouldn't be there.

However, everything seems normal if you go to the front page and navigate from there. In fact, even copying one of the links from the search results and pasting it into the address bar doesn't take you to the spam drug-selling site, though following the same link from search results will. I don't know quite how that works.

In fact, I don't know how any of this works! When I've seen sites compromised before, I've always been able to spot something dodgy in the php files (and sometimes also elsewhere) but in this case, all the spam links are actually to archive files which have since moved into their own archive directory, so in principle they should be showing Nothing Found (well, they SHOULD be redirecting to the new location, actually, but I haven't done that - that's a question for another thread)... I can't spot anything out of place either in the archive code or the WordPress code on the new site, or in .htaccess for that matter.

So at what level could this hack have occurred? What am I missing?

Many thanks for any help...

rocknbil

5:13 pm on Feb 6, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome aboard oolong. I can see that . . .

/wp-content/plugins/.......

Obviously a Wordpress site. Hackers can too.

It's not Wordpress directly, but there are many vulnerabilities with Wordpress that can be abused. The running joke is "don't you know Wordpress is Ancient Egyptian for 'hack me'?" but in defense of W.P., it's not just W.P. I've seen the exact same kinds of attacks on other CMS's.

It can come from another site on a shared server, a worm introduced into your computer (in which case YOU are the source, it does happen,) cross site scripting, mysql injection with older versions, tinyMCE or other plugins, forgetting to remove the install script as recommended or other security measures suggested by Wordpress - the list goes on. It doesn't really matter much how it happened, only that there's some hole you forgot to plug, or you're on a server that has been compromised.

In the cases I've seen, only FILES are affected, specifically, every index.php file and some javascript files will have a line of malicious Javascript code added. The database is not affected (again, these are the hacks I've seen personally.) Generally re-uploading your WP install from a clean copy makes it go away, at least, for now.

Prevention? Start here [codex.wordpress.org].
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:27 am May 21, 2026