I recently helped a client fix a particularly sneaky site hack. While this pertains to Drupal – similar attacks have been reported in Joomla, or any other PHP based site. The fix here may help still – you’ll just need to look harder. Here’s the rundown:
When you type your full website domain name into a browser, all seems well. However, when you click a search engine (or any other link) to your site, it goes to some variation of a p3p0.com site – a dirty, affiliate-based site that hawks anything from mortgages to meeting singles.
The following core Drupal files have been hacked:
Any other files in your root directory may have been hacked too – check the timestamps.
Look for something that resembles this code – and either comment it out (if you are unsure) or delete it:
The actual line of code will be quite long – I’ve shortened it here. It’s generally at the very top of the page.
And lastly – change your FTP login! That’s how they got in and did this – it isn’t a Drupal security issue, it’s that somebody hacked your FTP server – it’s the only way they could’ve done this. Or, if your web host has some sort of file editing feature within the control panel, then change your login for your webhost too.
Why did they do this?
They did it to make money by redirecting actual traffic to your site to their crappy, scum-bag affiliate site. Basically, they identify websites that seem to get a fair amount of traffic or have a heavy user base with lots of content for search engines to crawl. The code they use is sneaky in that it only kicks in when it detects someone is clicking through from another site, like a search engine. So if you don’t Google (or Yahoo, Bing, whatever) your site much, then it’ll take you awhile to even realize what’s happening.
What a pain - hope this helps someone out.