How does it work?
What happens is that a malicious script is uploaded to your web server and is included somewhere in a WordPress header file. When someone clicks a search result that leads to your website, the malicious script detects that the referrer was a search engine and 301-redirects the user to a destination of the attacker's choosing. The 301 redirect tells Google that the URL has changed, and Google automatically changes the old URL to the new one in its index.
How can I test if I’m compromised?
You can run this query in Google: site:example.com [keyword]. The keyword is optional, but if your site has a lot of indexed pages, it might be difficult to scroll through all the results looking for suspicious URLs. You can just run through the usual list of “viagra”, “penis enlargement”, etc. to test if Google indexed
How do I fix it?
Look for any suspicious files in your web server public root. I was lucky enough to immediately spot a file called “wp-cofnig.php”.
The contents of this file looked like this:
What I can suggest is that you run this command on your web server:
$ grep -irl "eval(" /path/to/your/wordpress/install/
This will search through all the WordPress files for “eval(”. Chances are that you could get a couple of legitimate results, but you’ll be able to spot the ones that should not be there if you have some experience.
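An added example, not part of the original post: the grep above finds eval( but does not single out a file like wp-cofnig.php by its name, and it also matches harmless calls such as doubleval(. This Python script flags .php files whose names are near-misses of stock WordPress root files and checks for eval( as a whole word; the 0.85 similarity cutoff and the sample tree in demo() are assumptions made for the illustration.

```python
import difflib
import os
import re
import tempfile

# PHP files shipped in the root of a stock WordPress install.
CORE_NAMES = [
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
]
EVAL_RE = re.compile(rb"\beval\s*\(", re.IGNORECASE)

def lookalike_of(name):
    """Return the core file that name imitates, or None if exact or unrelated."""
    if name.lower() in CORE_NAMES:
        return None
    close = difflib.get_close_matches(name.lower(), CORE_NAMES, n=1, cutoff=0.85)
    return close[0] if close else None

def scan(root):
    """Map each suspicious .php file under root to the reasons it was flagged."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, fname)
            target = lookalike_of(fname)
            reasons = ["name imitates " + target] if target else []
            with open(path, "rb") as fh:
                if EVAL_RE.search(fh.read()):
                    reasons.append("contains eval(")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Scan a constructed sample tree (placeholder contents, not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"wp-config.php": b"<?php define('DB_NAME', 'wp');",
                   "wp-cofnig.php": b"<?php EVAL ($placeholder);"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

To check a real install, call scan("/path/to/your/wordpress/install/"). Name matching is a heuristic, so review each hit before deleting anything.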
Once you have removed the malicious script, a user who clicks on the fake URL in the search results should no longer be redirected away from your site. Instead, they will land on your site and your 404 error page should be displayed.
How do I remove those fake links?
There are a few ways you can do this: