Ok, so I just had 2 of my WP installs hacked, on 2 different servers. This is not the same thing that Shoemoney reported on a few days back (hidden link injection), and as of yet I have not seen any definitive answers as to what it is. All of my blogs were upgraded to 2.3.3 last month, and in all but 2 of them the only thing that was kept was the database… the sites themselves were moved to completely different servers in fact, with clean installs.
Please note that I do strongly advise any non-tech savvy people refrain from visiting any of the infected pages listed in those serps, or on their own blogs if they find that they have been hacked. As reported by this blog, at least one of the pages redirects you to a fake Google login screen as a phishing attempt. I have not gone through the other pages myself yet, so therefore have no idea whatsoever what other bits of nastiness they might be holding or might attempt to do. Yes, in general phishing attempts are easy to spot, but not everything that can be maliciously delivered via a webpage is. Also, notice in the search results, Google has already flagged some of these new pages as harmful, but a lack of a flag does not make them safe:
It is better to check your blog for the existence of the directory though FTP.
Apparently the hackers are spamming comments in posts as well, and pointing links at the now infected blog pages to get them spidered and to get people to visit them… such as what they are doing here on this post on SearchEngineJournal, (look at the last comment):
This issue was already reported here on WordPress.org, and whooami claims to have fixed the issue for the original poster on
his her blog here and here. However, his fix is based around renaming the cookies used by WordPress by default, and he does make the disclaimer that is he not a developer. If the exploit is hacking the cookies, and whatever current bot is looking for a specific cookie name, then yes, that would stop what is out there now… but it would not fix the issue.
As of this writing I could not find any actual solutions to this, so if anyone figures out exactly how the attack is being carried out please let us know.