A couple of years ago, I suffered through the clean-up of a bad WordPress hack, mostly as a result of leaving an old install without updates and having it cross over to my main blog.
Because of that, I keep a pretty good eye on things around here when I have the time, just to make sure that random things aren’t appearing in my pages. So last night, when I logged into Google Webmaster Tools and saw the list of content keywords associated with this site, I knew something was up. (When the top 4 are all drugs, you know…) Since I had been through a similar experience, the first thing I did was check the code of my pages. They were fine. Then I told Webmaster Tools to fetch the homepage as Google, and that’s when I knew I had a problem. Sure enough, there were hundreds of invisible links being added to the bottom of the site, but only when it was being fetched by the Googlebot user agent.
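The cloaking check described above, done from the command line, as an added example (this is not code from the original post): it fetches the same page twice, once with a browser User-Agent and once claiming to be Googlebot, and lists every href that only the bot copy contains. The two HTML responses at the bottom are constructed stand-ins for the two server responses so the script runs offline; the User-Agent strings and the `check_site` URL are assumptions.

```python
"""Check a page for search-engine cloaking: fetch it once with a browser
User-Agent and once claiming to be Googlebot, then report hrefs that only
the Googlebot response contains.  Added example for this post, not the
author's own code; the two HTML documents at the bottom are constructed
stand-ins for the two responses so the check runs offline."""
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings; any current Googlebot/browser UA will do.
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) "
              "Gecko/20100101 Firefox/115.0")


class HrefCollector(HTMLParser):
    """Gather the href of every <a> tag in document order (duplicates kept)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())


def extract_hrefs(html):
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def cloaked_links(browser_html, bot_html):
    """Return hrefs present in the Googlebot response but absent from the
    browser response.  A non-empty result means the server is serving
    crawlers something visitors never see, which is the symptom of the
    SEO-spam backdoor described in the post."""
    seen = set(extract_hrefs(browser_html))
    return [h for h in extract_hrefs(bot_html) if h not in seen]


def fetch(url, user_agent):
    """Fetch url with the given User-Agent (live network call; the offline
    demo below does not use it)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_site(url):
    """Run both fetches against a live site and return the cloaked hrefs."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed responses for the offline run: the same page, except the "bot"
# copy has a hidden block of spam links appended before </body>.
BROWSER_RESPONSE = """<html><body>
<a href="/about/">About</a> <a href="/blog/">Blog</a>
</body></html>"""
BOT_RESPONSE = """<html><body>
<a href="/about/">About</a> <a href="/blog/">Blog</a>
<div style="display:none">
<a href="http://pharma.example/buy-cheap">cheap pills</a>
<a href="http://pharma.example/order-now">order now</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for href in cloaked_links(BROWSER_RESPONSE, BOT_RESPONSE):
        print("cloaked:", href)
```

This works because the backdoor keyed its behaviour on the User-Agent string alone, so spoofing the string is enough to trigger it. A backdoor that also verified the crawler (for example by reverse DNS on the client address) would show nothing to this script, which is why "fetch as Google" from Webmaster Tools remains the authoritative check.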
So off to the database and the file structure to try and find the culprit. The database came back clean, no SQL injection there, so it must be a malware PHP file somewhere. Darned if I could find it though. I checked for any files that had been updated in the past few days, I checked all of the common locations for these files, the uploads folders, the plugin folders, and so on, but I didn’t see anything all that odd. After a while, though, I did notice one thing that seemed peculiar. The folder for the twentytwelve theme had a modified date from 2010. How could that be possible when the theme didn’t even exist in 2010?
I brought up an FTP connection to my other site and did a side-by-side comparison. On the non-hacked site, the theme folder had a modified date that seemed more realistic, and I also noticed there was one extra file in the folder on this site: a GIF file named blank.gif.
When I opened that in a text viewer, sure enough, that was no GIF image; it was base64-encoded PHP. With that file deleted, the links were no longer in the site when fetched as Google.
Later, when I was downloading a copy of the site for backup purposes, another file came to my attention because MS Security Essentials blocked it as a Webshell Backdoor infected file. That one was a PHP file, located in wp-content\themes\default\images. It was named kubrickbg.php. This made it very similar to the image files that are normally in that folder with that name, but obviously, it was a rogue PHP file.
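The file-system hunt from the last few paragraphs, as an added example that is not the author's script: it walks a WordPress tree and flags files with an image extension but no image header, PHP open tags inside non-PHP files, .php files sitting in an images directory, eval() of a decoded payload, and modification times older than the theme could possibly be. The sample tree it builds (a blank.gif backdated to 2010 in twentytwelve, a kubrickbg.php under default/images) is constructed to mirror the post; the 2012 cutoff date and the 30-day tampering threshold are assumptions.

```python
"""Scan a WordPress tree for the kind of theme-folder backdoor found in this
post: an "image" that is really PHP, a .php dropped into an images/ folder,
eval(base64_decode(...)) obfuscation, and timestamps backdated to before the
theme existed.  Added example, not the author's tooling; the tree it scans
is constructed in build_sample_tree()."""
import base64
import os
import re
import tempfile
from datetime import datetime, timezone

# Magic bytes a genuine file with this extension must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_EXTS = {".php", ".phtml", ".php5"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)")        # <?php, <?=, "<? " (not <?xml)
OBFUSCATION = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
# Assumption: the post says Twenty Twelve did not exist in 2010; 2012-01-01 is
# used here as the earliest date any file in its folder could be modified.
TWENTYTWELVE_EARLIEST = datetime(2012, 1, 1, tzinfo=timezone.utc)
TAMPER_GAP = 30 * 24 * 3600   # assumed: mtime this far behind ctime looks forged


def time_flags(st, cutoff):
    """Timestamp checks shared by files and directories."""
    reasons = []
    if st.st_mtime < cutoff:
        reasons.append("mtime predates the theme's existence")
    # utime/touch can rewrite mtime but not ctime (inode change time), so a
    # large gap between them is the fingerprint of a backdated file.
    if st.st_ctime - st.st_mtime > TAMPER_GAP:
        reasons.append("mtime far older than inode change time")
    return reasons


def scan_tree(root, earliest_plausible=TWENTYTWELVE_EARLIEST):
    """Walk root and return {relative_path: [reasons]} for suspicious entries."""
    cutoff = earliest_plausible.timestamp()
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir != ".":
            dir_reasons = time_flags(os.stat(dirpath), cutoff)
            if dir_reasons:
                findings[rel_dir] = dir_reasons
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                head = f.read(64 * 1024)      # enough to catch a dropper's header
            reasons = []
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append("image extension but no image header")
            if ext not in PHP_EXTS and PHP_TAG.search(head):
                reasons.append("PHP open tag in a non-PHP file")
            if ext in PHP_EXTS and "images" in rel.split("/")[:-1]:
                reasons.append("PHP file inside an images directory")
            if OBFUSCATION.search(head):
                reasons.append("eval() of a decoded payload")
            reasons += time_flags(os.stat(path), cutoff)
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Create a throwaway tree mirroring the post's findings (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    themes = os.path.join(root, "wp-content", "themes")
    twelve = os.path.join(themes, "twentytwelve")
    default_images = os.path.join(themes, "default", "images")
    os.makedirs(os.path.join(twelve, "images"))
    os.makedirs(default_images)
    payload = base64.b64encode(b'<?php echo "hidden spam links"; ?>')   # stand-in body
    dropper = b'<?php eval(base64_decode("' + payload + b'")); ?>\n'
    backdated = datetime(2010, 5, 1, tzinfo=timezone.utc).timestamp()

    def write(path, data, mtime=None):
        with open(path, "wb") as f:
            f.write(data)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    write(os.path.join(twelve, "style.css"), b"/*\nTheme Name: Twenty Twelve\n*/\n")
    write(os.path.join(twelve, "images", "search.png"), IMAGE_MAGIC[".png"][0] + b"\x00" * 32)
    write(os.path.join(twelve, "blank.gif"), dropper, mtime=backdated)      # fake GIF, backdated
    write(os.path.join(default_images, "kubrickbg.php"), dropper)          # named to blend in
    os.utime(twelve, (backdated, backdated))      # the theme folder itself showed 2010
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it against a real install with `scan_tree("/path/to/wordpress")` and a cutoff appropriate to the theme. The ctime check is the one worth keeping in mind: the attacker here rewrote mtime to 2010, which `find -mtime` and an FTP listing both believe, but a file's ctime cannot be set with utime, so `ls -lc` or `find -ctime -7` on the server would still have shown the drop as recent.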
So, apparently someone had gotten access to the twentytwelve theme folder, dropped those files in there, and changed the modified date back a few years in order not to arouse suspicion when looking for recently modified files. To remedy the situation, I decided to nuke the entire folder and reinstall the theme. I’ve also changed all relevant passwords (FTP, WordPress, etc.), though I have yet to see any indication that the files were dropped there through any of those means. (No suspicious logins, no FTP traffic, etc.) I believe it is likely that access was gained through a compromised site on the shared hosting environment, so I’ll be on the lookout for any new files that show up, and I’ll be keeping a close eye on how Google sees the site to make sure I haven’t missed anything.
Some thoughts for you, Mike… 1) Have you changed your FTP pw? 2) Same with WP pw… 3) Consider a .htaccess file over your /wp-admin/ directory (2nd pw requirement drops the # of scripted attacks) 4) Remove old themes & deactivated plugins… 5) Can try installing the WP ‘exploit scanner’ plugin. It shows some false positives, but if you know your theme code, it’s pretty good for a quick review of things…
Thanks, Steve. I had already done 1 and 2; the wp-admin area wasn’t the target in this case, but that’s a good idea too, and I am currently going through and removing a bunch of stuff that isn’t relevant, like themes. 😉
I’ll check out the exploit scanner too. I installed Better WP Security last night; its logging feature is very helpful in seeing who is hitting the site and the 404s they are getting. Already blocked an IP block in the Netherlands.