One day one of my websites was hacked
using an unpatched vulnerability.
The day after the fix I found out that many friends were asking for a simple
way to check if they were attacked.
The next day I put together a few lines of PHP to meet their request.
The hack I've seen did an interesting thing: it made the website respond with a "301"
permanent redirect to any request coming from the GoogleBot. This means that, for Google, my
website was in fact a mirror of another website... permanently.
This trick was completely invisible to anyone using a browser.
This also means another thing: my website completely disappeared from any
Google search query.
On my hosting I had an old archived copy of WordPress with an old exposed
XMLRPC vulnerability
(already fixed in subsequent versions of WordPress).
It was a piece of cake to get through it. Then they uploaded a simple PHP script in order
to do anything on the filesystem.
From here on it was simple: they injected obfuscated eval() PHP code into wp-settings.php and
also edited .htaccess. Both of those changes forced GoogleBot to see a "301" permanent redirect,
pointing to: "http://bablo.me.uk".
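
A check for the behaviour described above, as an added example (this is not the author's PHP script): it requests the same URL once with a browser User-Agent and once with a Googlebot User-Agent, without following redirects, and flags the site when only the crawler is sent off-site. It assumes the injected code keys on the User-Agent header; the function names are hypothetical.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Googlebot's published desktop User-Agent and an ordinary browser User-Agent.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
REDIRECTS = (301, 302, 303, 307, 308)


def fetch(url, user_agent, timeout=10):
    """Return (status, Location header) for one GET, without following redirects."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def is_cloaked(site_url, browser, bot):
    """True when the crawler alone is redirected to a different host.

    browser and bot are (status, location) tuples as returned by fetch().
    """
    status, location = bot
    if bot == browser or status not in REDIRECTS or not location:
        return False
    target_host = urlsplit(location).hostname  # None for a relative redirect
    return target_host is not None and target_host != urlsplit(site_url).hostname


def check_cloaking(url):
    """Fetch url with both User-Agents and report the comparison."""
    browser = fetch(url, BROWSER_UA)
    bot = fetch(url, GOOGLEBOT_UA)
    return {"browser": browser, "googlebot": bot,
            "suspicious": is_cloaked(url, browser, bot)}


if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, check_cloaking(site))
```

A clean result is not conclusive: cloaking code can also key on the crawler's source IP address, which this check cannot imitate.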