• Hi everyone, I have just been hacked. I am a web developer and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here’s one you can look at: if you search Google for harmonyhomes.net and click on the link from Google, you will see that it goes to https://saveprefs.ru/astro/index.php first, then to msn.ca. Can anyone please help me find the code? I really don’t want to have to try to restore all my sites from backups.

    Thank you all.

    Jamie

Viewing 8 replies - 91 through 98 (of 98 total)
  • I just spent a few hours following this discussion because today I detected several hacks in different WordPress installations.

    After removing, deleting, uploading and so on my problem still persists. The index.php in the wp root gets infected over and over again.

    Will see what happens, will follow postings here! Wish me luck!

    I finally solved my problem, after several reinstalls from the WP dashboard and multiple htaccess resets.

    This problem stopped coming only when I tried going to my website one day and I copied the URL that Google Chrome warned that my site was trying to forward to.

    Once I downloaded my complete WordPress directory to my computer, I did a search for that URL and found exactly where the script was hiding. It’s been about 2 months and I haven’t seen the problem since.

    If you have a Mac, just type the URL into the search field of Finder. If you use Windows, try using File Hound to find it for you.

    Please let me know if you find anything!

    Thanks, I deleted and reinstalled all the plugins I have used, and until now (for the last hour or so) the site seems to be clean.

    I set the .htaccess file access to 444 earlier (didn’t notice an infection on this file); it was mainly my index.php which was affected. I don’t have any clue where the infection came from ?? … and why it came again and again. All in all it seems an important issue: friends of mine were also infected, and among the several sites I administrate there are at least 3 infections.

    @impackt Are you interested in the file itself?

    Sorry for the delay. No, I’m not really interested in the contents of the file. I just want to help you find it and remove it.

    Any update on your progress?

    Seems to be solved now… will see what happens in the future. Thanks!

    No problemo

    I signed up here just to post my resolution. I don’t know exactly what part of this fixed my problem… but it’s fixed.

    Step one: Cleared out all of my .htaccess files. Make sure your file permission is set to 644. I noticed that some were changed. Many of them had redirects in them that were hidden by scrolling down and right. I made them all blank other than the one in my public_html folder. This is the code I used for the public_html .htaccess file:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    Step two: Changed every .htaccess file on the server from file permission 644 to file permission 444.

    Step three:
    Found files that did not look right. These included a folder named “issue.” I deleted the entire folder. Inside this folder was a .php file called honey.php.

    I also found a file called “wp-zycgg” in wp-content/themes. I deleted this entirely.

    I also found 2 files in the home directory called component.php and counter.php. I deleted them both.

    Step 4:
    I installed a plugin called Wordfence and scanned the website.
    https://www.wordfence.com/
    Wordfence flagged a couple of files and I removed them as well.

    Step 5: I then updated WordPress to the same version to restore any missing or corrupt files.

    After that I scanned the site here: https://sitecheck.sucuri.net

    Since then I have been good. Have not had any issues since. I apologize if any of this seems confusing or useless, but this is what worked for me. This was making me crazy for a couple of days.

    And don’t forget to change your WordPress and FTP passwords!
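
An added example, not part of any post in this thread: one way to automate the checks the replies above describe on a downloaded copy of a site, searching every file for the redirect URL and reviewing each .htaccess for redirects pushed off-screen or left writable. The names `audit`, `demo`, `PAD` and `SAMPLE` and the host `redirect.example` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Stock rules quoted in the last post; any other .htaccess line is reported.
STOCK = {
    "# BEGIN WordPress", "<IfModule mod_rewrite.c>", "RewriteEngine On",
    "RewriteBase /", r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f", "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]", "</IfModule>", "# END WordPress",
}
# Directives that can send a visitor to another host.
EXTERNAL = re.compile(r"(RewriteRule|Redirect\w*|ErrorDocument)\b.*https?://", re.I)
PAD = 40  # assumed cut-off for indentation that pushes a line off-screen
# Constructed sample: one rule pushed 30 lines down and 200 columns right.
SAMPLE = ("RewriteEngine On\n" + "\n" * 30 + " " * 200
          + "RewriteRule ^(.*)$ http://redirect.example/in.php [R=302,L]\n")


def audit(root, needle=None):
    """Return sorted (path, line, reason); needle is a URL to find in any file."""
    found = []
    for path in Path(root).rglob("*"):
        is_ht = path.name == ".htaccess"
        if not path.is_file() or not (is_ht or needle):
            continue
        rel = str(path.relative_to(root))
        if is_ht and path.stat().st_mode & 0o022:
            found.append((rel, 0, "writable by group/other"))
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, raw in enumerate(lines, 1):
            text = raw.strip()
            if needle and needle in raw:
                found.append((rel, no, "contains needle"))
            if not is_ht or not text or text in STOCK:
                continue
            hidden = " (hidden by padding)" if raw[:PAD].isspace() else ""
            kind = "external redirect" if EXTERNAL.match(text) else "non-stock line"
            found.append((rel, no, kind + hidden))
    return sorted(found)


def demo():
    """Audit a one-file tree built from SAMPLE (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        ht = Path(root, ".htaccess")
        ht.write_text(SAMPLE, encoding="utf-8")
        ht.chmod(0o666)
        return audit(root, needle="redirect.example")
```

A line number of 0 marks a permission finding on the file itself; every other finding gives the line to open in an editor.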

  • The topic ‘3.3.1 Hacked by saveprefs.ru redirect’ is closed to new replies.