monkeyangst

Nevermind item 4) on my list… I fully decoded the PHP code of the malicious file and I now see that it simply checks the useragent and if it’s a bot, does an add_content action. Very simple. Not sure what the rest of the code does, as it’s lengthy and my PHP skills are intermediate at best. I can provide the code to anyone who wants it, though I’m loathe to post it publicly.

I’m having the same problem. I logged into Technorati to see how it was seeing my blog, and was shocked to find lots of pharmaceutical spam in the content of both my WordPress blogs.

When viewed through a browser, this spam is not present. However, when a search engine spiders the site, there it is.

A lot of troubleshooting revealed that in my active_plugins option, there was one entry that pointed to something that wasn’t a plugin: a file called .akismet.old.php, which was stored in a location deep within my blog (different locations on each blog). This file turned out to be exactly what Otto mentions. I also found the same rss_f541b3abd05e7962fcab37737f40fad8 entry in my options table.

What I, like Otto, still can’t figure out is:
1) How that file came to exist
2) How that option was written to my database
3) Whether this can still happen with WordPress 2.8.4
I’m also curious about
4) How this content is displayed to search engines but not to browsers. This, however, is just curiosity. Doesn’t really affect the problem.

Anyone have any clues as to how these people are getting in?

The apple and text are in the sidebar.php file — when you turn on widgets, most of what’s in that file disappears.

Try this: Take the div that has the “Author” section and put it BEFORE the <?php if ( !function_exists('dynamic_sidebar') || !dynamic_sidebar() ) : ?> line. That way it should show up whether you’ve enabled widgets or not.