I was recently asked to look into a family friend's website that was hacked. The initial issue was that the page had some JS inserted into the header which would clear the page and put up a fake captcha of cats which would redirect you to some gambling site. They ended up paying for a service to clean up all the fragments of code scattered all over the website (JS in the header, some PHP cron jobs on the site's back end and plenty more that I didn't get a chance to see before it was cleared). Obviously all associated passwords were changed when they realized it was hijacked, and now that it has been cleared up I am in the process of going over the site to make sure everything is working properly and adding some content that they requested. But that is where I discovered something interesting and was wondering if anyone else has run into a similar type of situation and also how something like this would even be used by a less than scrupulous individual.

 

What I noticed is that there was some traffic to some pages on the site that were in French and Dutch, while the rest of the site is in English and there is no reason for anything to be in any other language, so I decided to take a quick look. That is when I realized someone had posted over 1000 posts (the rest of the site resides as a series of actual pages) made at the same exact time about a year ago. All of them related to gambling sites and online sports betting while being written in, again, a mix of French and Dutch. There was no way to navigate to these posts without knowing the exact URL for them, or at least knowing the date (YYYY/MM/DD) to add to the end of the main domain. It does not look like there is much traffic to the posts, but it still seems rather strange, if not a little bit of an interesting way to use a hijacked website.

 

I am not really a web dev, so maybe this is common, but quick Google searches don't bring up anything of relevance, so if anyone knows anything more about similar types of situations I would love to hear about it and learn a bit more on the topic. My curiosity has been piqued after seeing this.

https://linustechtips.com/topic/1514747-wordpress-blog-post-highjacking/
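
An added example, not part of the original thread: one way to locate bulk-inserted posts like the ones described above is to cluster rows of the WordPress `wp_posts` table by `post_date`. It assumes a CSV export of that table with the standard column names; the sample rows, the function name `find_post_bursts` and the thresholds are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a CSV export of wp_posts (standard WordPress column names).
SAMPLE_CSV = """ID,post_author,post_date,post_type,post_status,post_name
12,1,2021-03-02 10:15:00,page,publish,about-us
40,1,2022-06-11 09:30:12,post,publish,summer-opening-hours
"""
# Constructed burst: 30 posts by one author, all with the identical timestamp.
SAMPLE_CSV += "".join(
    f"{1000 + i},7,2023-05-14 03:22:41,post,publish,paris-sportifs-{i}\n"
    for i in range(30)
)


def find_post_bursts(csv_text, min_size=20, max_gap=timedelta(seconds=5)):
    """Return clusters of 'post' rows whose consecutive post_date gaps are <= max_gap."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["post_type"] == "post"]
    for r in rows:
        r["when"] = datetime.strptime(r["post_date"], "%Y-%m-%d %H:%M:%S")
    rows.sort(key=lambda r: r["when"])

    bursts, cluster = [], []
    for r in rows + [None]:  # None is a sentinel that flushes the final cluster
        if r is not None and (not cluster or r["when"] - cluster[-1]["when"] <= max_gap):
            cluster.append(r)
            continue
        if len(cluster) >= min_size:
            bursts.append({
                "start": cluster[0]["when"],
                "end": cluster[-1]["when"],
                "count": len(cluster),
                "authors": sorted({c["post_author"] for c in cluster}),
                "ids": [int(c["ID"]) for c in cluster],
                # Assumes day-based permalinks (/YYYY/MM/DD/), as the post describes
                "url_prefix": cluster[0]["when"].strftime("/%Y/%m/%d/"),
            })
        cluster = [r] if r is not None else []
    return bursts


if __name__ == "__main__":
    for b in find_post_bursts(SAMPLE_CSV):
        print(b["start"], b["count"], "posts, authors", b["authors"], b["url_prefix"])
```

The `authors` and `ids` fields of each burst show which account the posts were created under and which rows to review, and `url_prefix` is the path to look for in the access logs.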

7 minutes ago, stipuledfatcat said:

What I noticed is that there was some traffic to some pages on the site that were in French and Dutch, while the rest of the site is in English and there is no reason for anything to be in any other language, so I decided to take a quick look. That is when I realized someone had posted over 1000 posts (the rest of the site resides as a series of actual pages) made at the same exact time about a year ago. All of them related to gambling sites and online sports betting while being written in, again, a mix of French and Dutch. There was no way to navigate to these posts without knowing the exact URL for them, or at least knowing the date (YYYY/MM/DD) to add to the end of the main domain. It does not look like there is much traffic to the posts, but it still seems rather strange, if not a little bit of an interesting way to use a hijacked website.

There are probably direct links to those pages on other sites that got hacked. (Maybe as a way to give their crap some perceived legitimacy?)

I sold my soul for ProSupport.


10 minutes ago, Needfuldoer said:

There are probably direct links to those pages on other sites that got hacked. (Maybe as a way to give their crap some perceived legitimacy?)

True, I assumed maybe directly being linked from DMs or forums or something along those lines. I find it hard to believe it would add legitimacy, though that may be due to me being a bit skeptical and cautious of anything online, so to me it might seem sketchy but someone else might not look too far into it.
