I’ve been neglecting things here at Magpiebrain Towers since my move to San Francisco. Blame the sunshine, a demanding new client, or just a relapse of extreme apathy. Whatever the cause, it seems that my inattention has been rewarded.

Simon sent me an email the other day, wondering where the blog had gone. I brought up Firefox and checked – “No, the site is still there” I said. But it wasn’t as far as Google search was confirmed.

Redirection based on Referer

It turned out that via Google search, when you clicked on links for Magpiebrain then you were redirected to a suspected malware site called ‘your-needs.info’. I immediately blamed Google. Luckily, calmer heads prevailed, and someone far more knowledgeable than me pointed me at these interesting results:

$ curl -I http://magpiebrain.com
HTTP/1.1 200 OK
Date: Thu, 29 May 2008 18:00:52 GMT
Server: Apache
X-Pingback: http://www.magpiebrain.com/xmlrpc.php
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8
$ curl -I -H "Referer: http://www.google.com/search?q=sam+newman"
http://magpiebrain.com
HTTP/1.1 302 Found
Date: Thu, 29 May 2008 18:00:57 GMT
Server: Apache
Location: http://your-needs.info/search/index.php?q=sam+newman
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8

So, it seems that if google is the referer, then the browser is redirected to some shitty spam site.

Cunning barstweards.

Lax WordPress Upkeep to blame?

When I found out that it was my site that was to blame, I immediately started poking around. I checked my .htaccess file – thankfully this was clear. Next, I disabled all the plugins in WordPress, but still the redirect worked. Finally, I moved index.php out of the way – thereby stopping wordpress from being invoked – and surely enough the redirection stopped. So WordPress was to blame.

However, my inaction in writing posts for the site has also extended to not actually keeping WordPress up to date. So my first course of action was to upgrade from 2.3.3. to 2.5.1. The upgrade process was seemless as always, but the referer hack remained.

Fix

A recent thread over at wordpress.org helped me find the solution. By poking around in wp_options and removing a row with an option_name of rss_f541b3abd05e7962fcab37737f40fad8 the problem went away. Right now it isn’t clear which exploit was used, or how many sites were affected, but the thread I found was pretty recent which implies this may be a new issue.

Insidious Hack

This really is quite a good use of what appears to be a WordPress exploit. The only way in which this hack becomes apparent is if you check your analytics frequently (which I don’t – my ego is already big enough without stoking it by looking at hits) or if so perform a google search for your own content, which happens rarely. What is in it for the hackers is harder to see, other than driving traffic to a bogus search engine that pushes prescription drugs.