Title: WordPress gambling redirect hack
Last modified: August 21, 2016

---

# WordPress gambling redirect hack

 *  Resolved [1clickmedia](https://wordpress.org/support/users/1clickmedia/)
 * (@1clickmedia)
 * [12 years, 6 months ago](https://wordpress.org/support/topic/wordpress-gambling-redirect-hack/)
 * **Pre-amble:**
    My site was hacked, email spam was being sent from the server,
   the homepage was replaced with a “Under Construction” page. My host informed 
   me of the hack and told me that TinyMCE was the culprit. They removed a bunch
   of malicious files and we disabled TinyMCE. I have no knowledge of what they 
   removed or what caused the issue.
 * I am running WordPress 3.7.1 and the following plugins:
    – Admin Menu Editor 
   Pro v1.91 – Advanced Custom Fields v4.3.0 – Advanced Custom Fields – Taxonomy
   Field add-on v1.4 – Advanced Custom Fields: Gallery Field v1.1.0 – Advanced Custom
   Fields: Options Page v1.1.0 – Advanced Custom Fields: Repeater Field v1.1.0 –
   AJAX Thumbnail Rebuild v1.09 – Akismet v2.5.9 – Backup Scheduler v1.4.4 – Category
   Order and Taxonomy Terms Order v1.3.4 – Codepress Admin Columns v2.0.2 – Form
   Manager v1.6.41 – Redirection v2.3.4 – Relevanssi v3.1.9 – Reveal IDs v1.4.5 –
   Rewrite Rules Inspector v1.2.1 – Simple Page Ordering v2.1.2
 * **So, onto the actual problem.. **
    The site works great, no issues on the site
   itself. I am using “Post Name” as the Permalinks Common Settings so all URLs 
   on the site are [http://domain.com/page-name/](http://domain.com/page-name/)
 * When I search for the website name in Google, the sitelinks show a ton of links
   to a gambling site. _[redacted]_
 * The URL structure for all of the links that show up in Google look like this:
 * [http://www.domain.com/?p=XX](http://www.domain.com/?p=XX) (where XX is a number
   from 1 to 296)
 * If you click on any link from Google it takes me to a page with a FRAMESET that
   points to:
 * http:_[redacted]_
 * This is a link to the Grand Parker Casino.
 * I could also manually type any URL [http://www.domain.com/?p=XX](http://www.domain.com/?p=XX)(
   where XX is a number from 1 to 296) and I get the same end result.
 * The links ONLY show up in Google, they don’t appear anywhere on my site (that
   I found).
 * **The solution**
 * That’s right, I fixed the problem, but when I was looking online for a solution,
   none were found so I figured I’d share my experience in case anyone has the same
   issue.
 * So.. I searched high and low, the theme, plugins, uploads, everywhere.
 * I found:
    – A malicious php file called “b377f.php” in the uploads directory.
   I noticed the last modified date for /wp-content/uploads/2013/02 was September,
   not February, so I checked and found the newly uploaded file. It was a phishing
   file that provided any WordPress passwords among other things. I deleted this.–
   A malicious line in the wp-config.php file: _[Code moderated. Please do not post
   hack code blocks in the forums. Please use the [pastebin](http://wordpress.pastebin.com/)]_
 * It’s a HEX encoded line that was further encoded using Base64. I used programming
   to decode it and it pointed to a directory that had been created deep in some
   old directories/files on my server. This would be a unique directory on your 
   server, but mine was called “…../donaven/cache/”
 * In that directory there was about 30 hidden files with alphanumeric character
   names like:
 * .%828E%0013%B8F3%BC1B%B22B%4F57
 * I deleted them, the directory, and the malicious line of code from wp-config.
   php.
 * Removing this instantly stopped the redirects from happening in Google. I’m hoping
   two things will now happen:
    1) Google will remove the broken links, cause they
   no longer work 2) The hole that caused the issue has been fixed
 * Again, I don’t know how this was caused, but I do know that the redirects are
   no longer happening. I’ll post here if there are any other updates.
 * If you are experiencing this yourself, good luck!

Viewing 1 replies (of 1 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [12 years, 6 months ago](https://wordpress.org/support/topic/wordpress-gambling-redirect-hack/#post-4340403)
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)

Viewing 1 replies (of 1 total)

The topic ‘WordPress gambling redirect hack’ is closed to new replies.

## Tags

 * [gambling](https://wordpress.org/support/topic-tag/gambling/)
 * [redirect](https://wordpress.org/support/topic-tag/redirect/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [12 years, 6 months ago](https://wordpress.org/support/topic/wordpress-gambling-redirect-hack/#post-4340403)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics