While going through my server logs a week back, I noticed some odd traffic. The site was getting hits from keywords like “Viagra” and “Cialis.” This is strange, considering that I’ve never really had much interest in, ahem, male enhancement products. When I checked my site in Google, I found this bit of oddness:
I did some research, and the diagnosis seemed to be that the site had been hacked.
Except it hadn’t. I went through and checked for all of the usual symptoms, but found none. File permissions and timestamps were unchanged. There was no unusual FTP traffic. My database was clean. I followed Chris Pearson’s advice and checked for rogue files. There were none. I ran Cotton Rohrscheib’s scripts against everything, but I found no base64_decode functions other than where they should be. My theme files are hand-coded, so it was a trivial matter to rule out tampering. Continued...