Search Hacked

Our WP install was hacked and the hosting company caught it and deleted the files (see below).

The site looks to function normally apart from Google Custom Search which shows some search results for Viagra/Cyalis etc – but when you click on the link it takes you to the regular content which appears as normal (presumably the hack would have redirected the click through to another site had the files not been deleted)

Any suggestions for a solution apart from not using the plugin?

A routine security check on the server found that your account - sitename.org - was being actively exploited.

The malicious files:

/home/sitename/public_html/auth.php: PUA.HTML.Crypt-8 FOUND
/home/sitename/public_html/.smileys/hash_keyword.php: PUA.HTML.Crypt-8 FOUND

was found to exist on your account. Due to the nature of these files, these have been removed from your hosting account.

Additionally, the following malicious files were also found on your account:

/home/sitename/public_html/phplist/admin/lan/pl/checkbouncerules.php: PUA.HTML.Crypt-8 FOUND

base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/themes/weaver-ii-pro/includes/admin-advancedopts.php
base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/plugins/events-planner-pro1.2.14/application/controllers/epl-form-manager.php
base64.inject.unclassed.7 : /home/sitename/public_html/wp/wp-content/plugins/jetpack/modules/comments/base.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/wp/wp-content/plugins/cforms/js/include/lib_database_getentries.php
base64.inject.unclassed.7 : /home/sitename/public_html/federation/simapi-1.0.0/sampleStore/order-privacy.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/federation/donate.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/zencart/zc_admin/includes/modules/newsletters/product_notification.php
php.exe.globals.4707 : /home/sitename/public_html/zencart/images/f0969.php
php.exe.globals.4707 : /home/sitename/public_html/zencart/images/eddea.php
php.exe.globals.4707 : /home/sitename/public_html/zencart/images/fbd79.php
base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/languages/english/extra_definitions/product_music.php
base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/modules/category_icon_display.php
base64.inject.unclassed.7 : /home/sitename/public_html/zencart/includes/modules/sideboxes/document_categories.php
base64.inject.unclassed.7 : /home/sitename/public_html/phplist/admin/lan/nl/generatebouncerules.php
gzbase64.inject.unclassed.14 : /home/sitename/public_html/wiki/lib/plugins/config/lang/ko/lang.php
base64.inject.unclassed.7 : /home/sitename/public_html/wiki/lib/exe/xmlrpc.php
base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/packages/DB/sqlite.php
base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/packages/htmlpurifier/library/HTMLPurifier/HTMLModule/Target.php
base64.inject.unclassed.7 : /home/sitename/public_html/com_civicrm/civicrm/CRM/Project/BAO/TaskStatus.php

Investigating this found that the file - /home/sitename/public_html/logout.class.php - which looks to have been the cause of a lot of these exploits - was uploaded via FTP to your account.

http://wordpress.org/extend/plugins/google-custom-search/