Recently, I accidentally went to a wrong page on my web server that runs WordPress and noticed I was taken to a spam page that was not intended to be on my website. The page in question was headlined: “FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT. 15 LB. LOSS MONTHLY!” I knew this was a virus on my web server that would link anyone to a website that would probably give them malware. This seems to be the latest WordPress hack as of April 2013. Below I will show you how to get rid of this 404 redirect hack on WordPress. 😉


What is this Virus on your WordPress site?

This is a tricky little virus on your web server that exploits 404 redirects with SEO poisoning. All links in the compromised site point to:

/click3.php?S7QytarOtDKyzrQyBGITIDYHYlMo29jaD0iaWRdbGRlYKaklpqXFF5cmGdnmJmbmRYOIWCXrWgA%3D

The virus shows a fake ConsumerLifestyle page with fake credentials from CNN, CBS and MSNBC. Here is a snapshot of the WordPress 404 redirect hack:

[Image: Consumer Lifestyles GARCINIA CAMBOGIA, http://www.markswist.com/wp-content/uploads/2013/04/consumerlifehack.jpg]

Of course this drew a red flag so I looked on my server to potentially delete the files responsible. The first place I went to was the .htaccess file. This is usually the place where sites get hacked with a redirect. I noticed my .htaccess files were fine. The next thing I did was right click on a picture to see where a potential file was located so I could just delete the associated folder. I right clicked on the logo to see where the logo picture was pointed. It pointed to my webserver then:
garca/images/logo.png

Here are the image properties from Google Chrome:

[Screenshot: consumerlifehack2]

Looking at my web server, there was not a folder named garca, which means I wasn’t going to be able to find the file. Wow! What an amazing virus/malware that was placed on my server. The good thing is that it narrowed down the point of entry on my WordPress site to the plugins. Looking in the plugins folder of my webspace, which can be found at /wp-content/plugins, there is a folder entitled “wppm”. This is where the WordPress 404 redirect virus is stored. Take a look at the following screenshot:

[Screenshot: consumerlifehack3]

When you delete this folder you will delete this tricky little exploit that takes advantage of 404 redirects. I hope this helps people who come searching for how to get rid of this little bugger. Don’t forget: just delete the entire wppm folder, which should be located in wp-content/plugins.
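
An added example, not part of the original post: a Python check of a plugins directory that flags folders named as in this post, folders with no WordPress plugin header in a top-level .php file, and files containing the strings seen in the spam page. That the rogue folder lacks a header or contains those strings is an assumption, as are the function names and the constructed sample tree.

```python
import tempfile
from pathlib import Path

HEADER_BYTES = 8192  # WordPress reads only the first 8 KB of a file for the plugin header
PAGE_STRINGS = (b"click3.php", b"garca/")  # strings seen in the spam page in this post

def has_plugin_header(folder):
    """True if a top-level .php file in folder carries a 'Plugin Name:' header."""
    for php in folder.glob("*.php"):
        if php.is_file() and b"Plugin Name:" in php.read_bytes()[:HEADER_BYTES]:
            return True
    return False

def scan_plugins(plugins_dir, reported=("wppm",), strings=PAGE_STRINGS):
    """Return {folder name: [reasons]} for plugin folders that need a manual review."""
    findings = {}
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        reasons = []
        if folder.name.lower() in reported:
            reasons.append("folder name reported in this post")
        if not has_plugin_header(folder):
            reasons.append("no plugin header")
        hits = set()
        for path in folder.rglob("*"):
            if path.is_file():
                data = path.read_bytes()
                hits.update(s.decode() for s in strings if s in data)
        reasons += ["contains " + h for h in sorted(hits)]
        if reasons:
            findings[folder.name] = reasons
    return findings

def build_sample(base):
    """Constructed sample tree: one ordinary plugin, one folder named as in the post."""
    samples = {"hello/hello.php": "<?php\n/*\nPlugin Name: Hello\n*/\n",
               "wppm/index.php": "<?php echo '<a href=\"/click3.php?x\">'; // constructed\n"}
    for rel, body in samples.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, reasons in scan_plugins(build_sample(tmp)).items():
            print(name, "->", "; ".join(reasons))
```

Point `scan_plugins` at the site's wp-content/plugins directory; a flagged folder is a lead for manual review, not proof of compromise.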