I am highlighting today a very naughty but very genius hack I have found on one of my clients' accounts. It's genius in the fact that it totally bypasses any client-side malware detection scripts, and naughty in the fact that it can:
- destroy any SEO you have done on your site
- steal your clients by sending them to a possible “drive-by install” site
- reduce your site's credibility to rubble
All of this without you or your webmaster or SEO dude/dudess being aware of it.
FYI: on any Linux server that I run, I run Linux Malware Detect, which is without a doubt a brilliant tool for spotting hacked files; without it, I probably would never have even found this hack.
Today I received a maldet report which showed one of my clients' accounts as being compromised with some base64 code. Base64 code is not necessarily malicious, but some investigation is merited because it can contain dodgy code with a hidden agenda.
Here is a part of the maldet report I received today.
I then opened up the hacked files in Notepad to discover that some base64 code had been inserted into every single PHP file on the client's site (not only WordPress files, but non-WordPress files too), and it was only then that the situation unravelled itself.
The next thing I did, in order to test whether this hack was working/real/functional, was to type site:clientsdomain.com into the Google search bar. This brings up all the listings that Google has for the web site, allowing me to test the code.
I then clicked on one of the listings and, lo and behold, was auto-redirected to a coupon site, not my client's site. I then tried it again with a different Google link and was redirected to a Bing lookalike site. This is obviously very bad: normal visitors to your site will not see anything or be affected at all, but anyone coming from Bing, Yahoo, Facebook and Google will simply be redirected, meaning any SEO you have done in order to boost your SERPs gets blown out of the water… not good.
So obviously, as every single PHP file was infected, editing each file would have proved futile. We simply restored the site from a backup and then investigated how the hacker had gotten in, and found it was due to some permission issues with the client's account.
It does highlight a few things though in terms of how you could unwittingly be a victim of a hack and not even know it.
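For anyone who wants to check their own files for this pattern, here is an added example (not code from the original post or from maldet): a small Python scanner that decodes long base64 string literals found in PHP files and flags files whose decoded content refers to the visitor's referrer together with the sites named above. It assumes the injected code stores its payload as a quoted base64 literal; the marker list, function names and the inert sample files are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumption: the injected code carries its payload as a long quoted base64 literal.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# The PHP referrer variable plus the referring sites named in the post.
MARKERS = ("http_referer", "google", "bing", "yahoo", "facebook")

def decoded_markers(php_source):
    """Return the markers found inside any base64 literal of a PHP source string."""
    hits = set()
    for blob in B64_LITERAL.findall(php_source):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:  # not valid base64 after all
            continue
        text = raw.decode("latin-1").lower()
        hits.update(m for m in MARKERS if m in text)
    return hits

def scan_tree(root):
    """Map each flagged .php file under root to the markers decoded from it."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = decoded_markers(path.read_text(errors="replace"))
        # Flag only a referrer check combined with at least one named site.
        if "http_referer" in hits and len(hits) > 1:
            report[path.relative_to(root).as_posix()] = sorted(hits)
    return report

def demo():
    """Scan a constructed tree: one clean file, one holding an inert encoded sample."""
    inert = b"constructed sample: $_SERVER['HTTP_REFERER'] google|bing|yahoo|facebook"
    blob = base64.b64encode(inert).decode()
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.php").write_text("<?php echo 'hello'; ?>\n")
        Path(root, "sub").mkdir()
        Path(root, "sub", "infected.php").write_text(f"<?php $a = '{blob}'; ?>\n")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Run `scan_tree()` against a copy of the web root; a hit is a reason to inspect the file by hand, not proof of compromise, and nested or differently encoded payloads will not be caught.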