Almost by accident I discovered that one of our clients' WordPress sites had been maliciously hacked.
The only symptom was that every outbound link (which were created to help support her other site) had been wrapped in a <noindex> tag and the rel="nofollow" attribute had been added to the link itself.
There were none of the other usual signs of a hack (no malware being distributed, no links inserted to other sites, etc.).
I was going to start a topic here to request help with diagnosis, but we discovered what was causing the symptoms. Someone had installed & activated a plugin with the name "WPRef." It listed its plugin site as "code.google.com" and its author as Sergei Brin (thanks for the stupid joke).
In any case... I'm wondering if anyone has seen this kind of hack job before? I've looked endlessly and can't find a reference to it anywhere. I've written up the entire experience in more detail here.
Logging in via FTP and comparing it to our backups, I can tell that the plugin was installed on February 10th, 2011 (one week after I upgraded the site to 3.0.4).
We've assumed that to activate this plugin, someone would've had to have cracked an admin-level user's password via brute force. We've since removed the "admin" account, changed all passwords and are working to harden the site.
Any input or thoughts are welcome. Otherwise, I hope this helps someone else if you see a similar attack.
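
One way to check rendered pages for the symptom described in the post above (outbound links wrapped in <noindex> or given rel="nofollow"). This is an added example, not part of the original post and not code from the plugin; the `audit` helper, the class name, the host `client.example` and the sample markup are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OutboundLinkAudit(HTMLParser):
    """Collect outbound <a> links that are nofollowed or nested in <noindex>."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()  # hypothetical: the site's own domain
        self.noindex_depth = 0              # >0 while inside a <noindex> wrapper
        self.findings = []                  # list of (href, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag == "noindex":
            self.noindex_depth += 1
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        # Relative links and links to the site or its subdomains are not outbound.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        reasons = []
        if self.noindex_depth > 0:
            reasons.append("inside <noindex>")
        if "nofollow" in (attrs.get("rel") or "").lower().split():
            reasons.append('rel="nofollow"')
        if reasons:
            self.findings.append((href, reasons))

    def handle_endtag(self, tag):
        if tag == "noindex" and self.noindex_depth > 0:
            self.noindex_depth -= 1


def audit(html, site_host):
    """Return the outbound links in `html` that search engines are told to ignore."""
    parser = OutboundLinkAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from the affected site.
SAMPLE = """
<p><a href="/about/">About</a>
<noindex><a rel="nofollow" href="http://other-site.example/shop">Shop</a></noindex>
<a href="http://partner.example/">Partner</a>
<a href="http://blog.client.example/post" rel="nofollow">Own subdomain</a></p>
"""
if __name__ == "__main__":
    print(audit(SAMPLE, "client.example"))
```

WordPress adds rel="nofollow" to comment author links by default, so run this against post and page content and compare the result with a known-good backup before treating a finding as tampering.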