Well its hidden, so its trying to get search rankings for their site up rather than directly trying to get traffic.

The root kits I’ve seen send the commands in clear text. You should be able to search your log files for text related to the spam insertion – bits of the URLs, shell commands etc. that can lead you to the page. Once you find the file, you may want to search your PHP directories to find files that refer to it or files that were created at about the same time as there may be other files in the root kit. There have undoubtedly been others who have dealt with this root kit, so once you have a file name, try Google.

As for the why of it – page rank is money especially in a market as crowded as online porn. That’s just one of the many uses that a botnet can be applied to. A friend of mine realized one day that he couldn’t account for several gigabytes of disk space. He discovered that hidden on his drive two DVD images. Someone had been using his machine and his DSL connection to distribute pirated software.

I don’t know, maybe doing a comparison between the PHP code on your server and the pristine WordPress PHP code (using “diff -r”) may help? “netstat” to check for suspicious network services?

Anyway, in case you do find the code that’s causing the nuisance, I’d like to know what it looks like so that I can guard against it… I don’t want to write vulnerabilities into my PHP scripts. :)

These hacks are usually completely automated and the compromised servers might be used for a variety of nefarious purposes like sending spam or participating in DOS attacks on other servers. I get hundreds of probes a day on my servers looking for vulnerabilities.

Do the server logs show any suspicious activity?

In fact, a little searching yields:

http://wordpress.org/development/2007/01/wordpress-207/

Cranky

From the locations the files are located in the various US websites (most .edu, some .org, .com and .gov) they have managed to get files onto, it looks like they have done it by finding directories on websites with the wrong permissions set and dumped a few link pages in each place, because although some are under user accounts (which would most often indicate a weak password account hacking bot), there are also plenty of other areas of various websites affected. Unfortunately currently the .com.ua whois server doesn’t seem to be properly set up, including any mirrors I found, so haven’t been able to track the source back very far in a short time, although it might be possible.

This would suggest that it is more likely that the links were added due to a permissions issue at some point – the degradation of the links gives the impression it could have been added quite a while ago, although it could also be a substandard bot or old zombies still adding links that have been killed long ago.