WordPress gambling redirect hack
Pre-amble:
My site was hacked, email spam was being sent from the server, the homepage was replaced with an “Under Construction” page. My host informed me of the hack and told me that TinyMCE was the culprit. They removed a bunch of malicious files and we disabled TinyMCE. I have no knowledge of what they removed or what caused the issue.
I am running WordPress 3.7.1 and the following plugins:
– Admin Menu Editor Pro v1.91
– Advanced Custom Fields v4.3.0
– Advanced Custom Fields – Taxonomy Field add-on v1.4
– Advanced Custom Fields: Gallery Field v1.1.0
– Advanced Custom Fields: Options Page v1.1.0
– Advanced Custom Fields: Repeater Field v1.1.0
– AJAX Thumbnail Rebuild v1.09
– Akismet v2.5.9
– Backup Scheduler v1.4.4
– Category Order and Taxonomy Terms Order v1.3.4
– Codepress Admin Columns v2.0.2
– Form Manager v1.6.41
– Redirection v2.3.4
– Relevanssi v3.1.9
– Reveal IDs v1.4.5
– Rewrite Rules Inspector v1.2.1
– Simple Page Ordering v2.1.2
So, onto the actual problem...
The site works great, no issues on the site itself. I am using “Post Name” as the Permalinks Common Settings so all URLs on the site are http://domain.com/page-name/
When I search for the website name in Google, the sitelinks show a ton of links to a gambling site. [redacted]
The URL structure for all of the links that show up in Google look like this:
http://www.domain.com/?p=XX (where XX is a number from 1 to 296)
If you click on any link from Google it takes me to a page with a FRAMESET that points to:
http:[redacted]
This is a link to the Grand Parker Casino.
I could also manually type any URL http://www.domain.com/?p=XX (where XX is a number from 1 to 296) and I get the same end result.
The links ONLY show up in Google, they don’t appear anywhere on my site (that I found).
The solution
That’s right, I fixed the problem, but when I was looking online for a solution, none were found so I figured I’d share my experience in case anyone has the same issue.
So.. I searched high and low, the theme, plugins, uploads, everywhere.
I found:
– A malicious php file called “b377f.php” in the uploads directory. I noticed the last modified date for /wp-content/uploads/2013/02 was September, not February, so I checked and found the newly uploaded file. It was a phishing file that provided any WordPress passwords among other things. I deleted this.
– A malicious line in the wp-config.php file:
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
It’s a HEX encoded line that was further encoded using Base64. I used programming to decode it and it pointed to a directory that had been created deep in some old directories/files on my server. This would be a unique directory on your server, but mine was called “…../donaven/cache/”
In that directory there was about 30 hidden files with alphanumeric character names like:
.%828E%0013%B8F3%BC1B%B22B%4F57
I deleted them, the directory, and the malicious line of code from wp-config.php.
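The three clues above (a PHP file sitting in a year/month uploads folder whose modification date is months later than its name, a Base64 blob in wp-config.php that decodes to hex-escaped text naming a hidden directory, and dot-files named with runs of %XXXX tokens) can all be checked mechanically. The script below is an added example, not code from the original post or from WordPress; it builds a constructed sample tree in a temp directory (the injected line, its path and the file names are made up, since the real line was moderated) and runs the three checks over it.

```python
import base64
import binascii
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# --- constructed sample data (not the moderated line from the post) -----------
# Assumption: the injected wp-config.php line is a Base64 blob that decodes to a
# PHP string written with \xNN hex escapes, hiding the cache directory path.
HIDDEN_DIR = "../old/donaven/cache/"   # constructed; the post's real path differed
HEX_ESCAPED = "".join(f"\\x{ord(c):02x}" for c in HIDDEN_DIR)
INJECTED_BLOB = base64.b64encode(HEX_ESCAPED.encode()).decode()

SAMPLE_WP_CONFIG = f"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
$x = base64_decode("{INJECTED_BLOB}"); @include($x . "index.php");
$table_prefix = 'wp_';
"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long Base64-looking runs
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")         # PHP \xNN escapes
HIDDEN_NAME_RE = re.compile(r"^\.(%[0-9A-Fa-f]{4})+$")  # .%828E%0013... style names


def decode_blob(blob: str):
    """Base64-decode, then expand \\xNN escapes; None if it is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def scan_wp_config(text: str) -> list:
    """Return (blob, decoded) pairs for every Base64 run that decodes to printable text."""
    findings = []
    for m in B64_RE.finditer(text):
        decoded = decode_blob(m.group(0))
        if decoded and decoded.isprintable():
            findings.append((m.group(0), decoded))
    return findings


def find_php_in_uploads(uploads_dir: Path) -> list:
    """Uploads should hold media only; any PHP file under it is suspect."""
    hits = [p.relative_to(uploads_dir).as_posix() for p in uploads_dir.rglob("*")
            if p.is_file() and p.suffix.lower() in {".php", ".phtml", ".php5"}]
    return sorted(hits)


def find_stale_month_dirs(uploads_dir: Path) -> list:
    """Year/month upload folders modified after the month they are named for."""
    flagged = []
    for month_dir in uploads_dir.glob("[0-9][0-9][0-9][0-9]/[0-9][0-9]"):
        year, month = int(month_dir.parent.name), int(month_dir.name)
        mtime = datetime.fromtimestamp(month_dir.stat().st_mtime)
        if (mtime.year, mtime.month) > (year, month):
            flagged.append(f"{year}/{month:02d} modified {mtime:%Y-%m-%d}")
    return flagged


def find_hidden_percent_names(root: Path) -> list:
    """Hidden files whose names are runs of %XXXX tokens, as in the post."""
    return sorted(p.name for p in root.rglob(".*")
                  if p.is_file() and HIDDEN_NAME_RE.match(p.name))


def build_sample_tree() -> Path:
    """Create a constructed WordPress-like tree carrying the post's three indicators."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    feb = root / "wp-content" / "uploads" / "2013" / "02"
    feb.mkdir(parents=True)
    (feb / "photo.jpg").write_bytes(b"\xff\xd8\xff")                # legitimate upload
    (feb / "b377f.php").write_text("<?php /* constructed */ ?>")    # PHP where none belongs
    sept = datetime(2013, 9, 15).timestamp()                        # folder touched in September
    os.utime(feb, (sept, sept))
    cache = root / "old" / "donaven" / "cache"
    cache.mkdir(parents=True)
    (cache / ".%828E%0013%B8F3%BC1B%B22B%4F57").write_text("x")     # name pattern from the post
    (cache / ".htaccess").write_text("# ordinary dot-file, must not be flagged")
    (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    uploads = root / "wp-content" / "uploads"
    print("PHP in uploads:   ", find_php_in_uploads(uploads))
    print("stale month dirs: ", find_stale_month_dirs(uploads))
    print("hidden %-names:   ", find_hidden_percent_names(root))
    for blob, decoded in scan_wp_config((root / "wp-config.php").read_text()):
        print("wp-config blob -> ", decoded)
```

Run it against a real install by pointing the three functions at the site root and its wp-content/uploads folder instead of the constructed tree; the Base64 scan will also match legitimate long strings such as authentication salts, so read the decoded output rather than treating every hit as malicious.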
Removing this instantly stopped the redirects from happening in Google. I’m hoping two things will now happen:
1) Google will remove the broken links, cause they no longer work
2) The hole that caused the issue has been fixed
Again, I don’t know how this was caused, but I do know that the redirects are no longer happening. I’ll post here if there are any other updates.
If you are experiencing this yourself, good luck!