Froling.bee.pl Hack Warning – this can destroy your seo and credibility with out you even knowing

February 15, 2012

I am highlighting today a very naughty but very genius hack I have found on one of my client’s accounts. It’s genius in the fact that it totally bypasses any client-side malware detection scripts and naughty in the fact that it can:

  • destroy any SEO you have done on your site
  • steals your clients by sending them to a possible “drive-by install” site
  • reduce your site’s credibility to rubble

All of this without you or your webmaster or SEO dude/dudess being aware of it.

FYI: any Linux server that I run, I run Linux malware detect which is without a doubt a brilliant tool for spotting hacked files and without it, I probably would have never even found this hack.

Today I received a maldet report which showed one of my client’s accounts as being compromised with some base64 code. Base64 code is not necessarily malicious, but, some investigation should be merited because it can contain dodgy code with a hidden agenda.

Here is a part of the maldet report I received today.

So the first thing I did was visit the client’s site by typing their domain name into my browser and then doing “view source”, in order to see within the code of the site if there were any javascript injections, which is usually a sign that the site has been hacked in some way. I did not see any malicious code at all.

I then opened up the hacked files in notepad to discover some bas64 code had been inserted into every single PHP file on the client’s site (not only WordPress files, even non-wordpress files too) and it’s only then the situation has unravelled itself.

Next thing I did in order to test if this hack was working/real/functional, was to type into google search bar, site:clientsdomain.com, this then brings up all the listings that Google has for this web site, allowing me to test the code.

I then clicked on one of the listing and lo and behold was auto-redirected to a coupon site, not my client’s site. I then tried it again with a different google link and I was redirected to a bing lookalike site. This is obviously very bad in the fact that normal visitors to your site will not see anything or be affected at all but anyone coming from bing, yahoo, Facebook and Google will simply be redirected, meaning any SEO you have done in order to boost your SERPs get blown out of the water…not good.

So obviously as every single PHP file was infected, editing each file would prove to be futile, we simply restored the site from a backup and then investigated as to how the hacker has gotten in and found it was due to some permission issues with the client’s account.

It does highlight a few things though in terms of how you could unwittingly be a victim of a hack and not even know it.