Check this thread on WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing.
The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me.
In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.
This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/” -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name. I decided to find out what was going on. Continue »»