Just found out that some WP blogs have been hacked somehow and certain traffic - European I believe is being redirected away from the site to the hackers sites and then on to sponsor sites they promote.

You might want to check your WP blogs through some proxy and see what happens with visitors.

For example,

http://retrosexblog.com/

If you search on google for "retro sex blog" and click on the site, it gets redirected. If you type in the URL you see the site fine. It seems to be redirects on foreign traffic from Google and possible other search engines.

This seems to be the solution or explenation:

http://wordpress.org/support/topic/179395?replies=2#post-770581

The site mentioned above has now been fixed with the fix in the thread mention at wordpress.

With the help of Bjorn I managed to get it off of retro sex blog - the article he linked will do it for ya, although if it gets complicated here's a quick run down.

This doesn't seem to be version specific (I know of a few people affected on both old and new versions), and works by malicious code attaching to an image and acting as a plugin.

The first step is to go into phpmyadmin or whatever you use to look at your databases, and go into wp_option. You should see tables that have rss_withabunchofgibberish after them. Some of these might be magpie and other rss parsers, and some of them are affected files - rss_f541b3abd05e7962fcab37737f40fad8 is what you're looking for.

After that, you need to go into active_plugins. You'll see an area in the string that has an image file name with, once again, a ton of gibberish after it. This is the affected image. I don't know the elegant way to taking this out - I just deleted the image file, then deleted that part of the string in active plugins. It did end up deactivating all of my plugins, but I just went through and turned the ones I needed back on and it worked fine. That seems to have fixed it, and hopefully it helps, but I'm about to fall over now so hopefully you don't have to deal with this crap.

thanks for posting the solution! Glad you got it sorted!

What version of WP are you using? 2.5.1 or an earlier version?

I believe she had a earlier version.


What version of WP are you using? 2.5.1 or an earlier version?

Yikes, thanks for the heads up on this one. I just upgraded my two remaining WP blogs to the latest version, but I scanned for that hack anyway - thankfully they were clean! I think its about time to get those last ones converted to BO format!!!

yes from the sound of it, its mostly older version that has the problem. Could be wrong though. Quite a nasty little hack!


Yikes, thanks for the heads up on this one. I just upgraded my two remaining WP blogs to the latest version, but I scanned for that hack anyway - thankfully they were clean! I think its about time to get those last ones converted to BO format!!!

You know, the more I think about this Hack, the more Pissed Off I get with Wordpress. :grrr:

Seriously, there is no notices I can find in the admin section of my blogs, not warnings from other 'wordpress' semi officials either, and yet this is a serious issue for many Wordpress Bloggers.

You would think they would do more than bury it in their support forums 666