by denis
5 months ago

@dumbadum
The issue discovered by Kaleh is called cloaking: hackers made your site serve spammy content for search engines and normal content for normal web surfers.

Most likely it is done via .htaccess conditional rules that check the User-Agent string of incoming requests and re-route search engine bots to spammy content.

It can also be done by inserting PHP code into your WordPress files (most likely encrypted) that checks User-Agent and displays different content for search engines.

Did you check the .htaccess file in the ups part of your site? If not, you should do it.

Then check all WordPress files for integrity. WordPress 2.9.2 has just been released so you can simply upgrade to this new version to make sure all the core WordPress files are original. Then check your theme files.
More about finding backdoor scripts in WordPress:
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

Then scan your server for new and suspicious files and directories (the spammy content).

Finally, to prevent recurrences of the problem, you should identify the security hole that was used to hack your site.

Start with scanning your computer for malware and then change all site passwords.
Note: storing new passwords in FTP clients that don’t provide master key encryption is a very insecure practice.

P.S. Please share your findings here to help other webmasters with similar problems.

P.P.S. “pdw2010 .uoftpharmacy .com” is also affected

Denis – www.UnmaskParasites.com
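
An added example, not part of the original post and not code from Unmask Parasites: a small Python scanner for the two mechanisms described above, flagging rewrite conditions keyed on search-engine User-Agent or Referer values and PHP lines that branch on a crawler name or call decode/eval functions. The crawler-name list, function names and sample strings are assumptions constructed for illustration; hits are leads for manual review, since legitimate plugins also call functions such as base64_decode.

```python
import os
import re
import sys

# Search-engine names that cloaking conditions typically test for (assumed list).
BOTS = r"(googlebot|bingbot|msnbot|slurp|yandex|baiduspider|google|yahoo|bing)"
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+.*" + BOTS, re.I)
OBFUSC_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

# Constructed samples (not taken from the site discussed in this thread).
SAMPLE_CLEAN = "# BEGIN WordPress\nRewriteEngine On\nRewriteRule . /index.php [L]\n# END WordPress\n"
SAMPLE_COND = ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|msnbot) [NC]\n"
               "RewriteRule ^(.*)$ /old-cache.php [L]\n")
SAMPLE_PHP = ("<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
              "    include 'old-cache.php';\n}\n")

def scan_htaccess(text):
    """Flag RewriteCond lines that branch on a crawler User-Agent or search Referer."""
    return [(n, "rewrite condition keyed on search engine")
            for n, line in enumerate(text.splitlines(), 1) if COND_RE.search(line)]

def scan_php(text):
    """Flag lines that compare User-Agent to a crawler name or decode/eval strings."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if "HTTP_USER_AGENT" in line and re.search(BOTS, line, re.I):
            hits.append((n, "User-Agent compared against crawler name"))
        if OBFUSC_RE.search(line):
            hits.append((n, "decode/eval call, review for obfuscated code"))
    return hits

def scan_tree(root):
    """Walk root and return {path: hits} for *htaccess and .php files with findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            scan = scan_htaccess if name.endswith("htaccess") else scan_php
            if not name.endswith(("htaccess", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan(fh.read())
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, hits)
```

Run it against a downloaded copy of the site's document root; a file that appears here and is not part of WordPress core, the active theme or a known plugin is the first thing to open by hand.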

by dumbadum
5 months ago

Thanks for all the info. Here’s an update:

It was not a .htaccess issue this time. The first time potentially was, since there was a strange .htaccess file in the public_html folder. I also removed a javascript file in the same folder which google webmaster tools pointed out as being suspicious. At the same time I looked into the .htaccess file (and any other file that ended in htaccess) for ups.uoftpharmacy.com, but it only had the standard .htaccess with two lines pointing to wordpress:
----------------------------------------------
# BEGIN WordPress

# END WordPress
----------------------------------------------

Now my second problem was the cloaking issue. My host support technician was not very helpful, since they explained to me that it was actually an error on google’s end, and that I should contact them to be re-indexed….
however, he did point me to their support article on how to make a website more secure.

I went through the files for ups.uoftpharmacy.com and deleted stuff that was not obviously pharmacy school related or wordpress related, and stuff that had file names such as old cache.php or something similar.
I upgraded my wordpress, then inspected the uploads, plugins and themes folder. Since I recognized every file that belonged to the current theme, and have compared the coding with the original ones I hand coded, I concluded my theme file was OK. So I deleted the other themes I was not using.
For the plugins, I removed all the inactive plugins and upgraded the ones requiring upgrade.
I inspected the uploads folder and found everything satisfactory.
I found it unnecessary to have php.ini and fastphp.ini in the ups folder, so I deleted those (please let me know if they are actually useful…. the subdomain seems to run OK without them). Also deleted fastphp.ini from the public_html folder (again, please let me know if that’s actually useful). I saved a copy of both on my computer in case there were essential files.

Then according to the support article written by my host, I turned global variables (forgot the exact wording of that particular variable) and display_error to off in php.ini

So now ups.uoftpharmacy.com searches fine on google.
This leads me to conclude that the php.ini file was fine, since pdw2010.uoftpharmacy.com still is being cloaked.

Unfortunately, I do not have access to the wordpress that runs that particular section of the website. But I’ve emailed the webmaster for that section, and hopefully he will upgrade and so on.

My computer gets scanned nightly for viruses (has been clean for the past year), and I also scanned with Trend Micro House Call (came out clean), so I am 99% sure that it is not something that came from my computer.

I tried to figure out if anyone was accessing the cpanel without authorization, unfortunately I accidentally logged out before I could get the IP address, so that’s something I’ll try in a week or so.

Finally, I changed the password to everything.

I will update again once the other webmaster contacts me about the pdw2010 portion of the website.

Thank you so much for your help!

by dumbadum
5 months ago

As an aside, Viagra, Levitra and Cialis will not be generic for a good while, unless you are in India or something =)
