Malware redirect hacks – specific question regarding vulnerabilities

Have you checked the .htaccess file(s) for anything suspicious??

As far as I can tell, they both look clean. (I’m not sure if I should post it here or not?) When I got hacked before, the changes to the .htaccess files were pretty obvious (lots of extra spaces, etc.).

The second one has what looks like a standard one for WP. The first has that exact same code plus a mod from the Hide Login security plugin that I have installed on there.

I just don’t understand how it could get infected so quickly or how a fresh install would have that redirect (not picked up by Sucuri) in less than five minutes. ??

Usually with the redirect to emisacbannortim.ru/upday/index.php the hackers place a backdoor on the site that allows them to upload files to the site. They use the backdoor to write the redirect back to the .htaccess over and over. The file is not part of your WP installation so it may not normally get over-written on a fresh install. You might scan through your access logs for requests for a php file that seems out of place. Sometimes it will have a file name consisting of a bunch of numbers .php but it can be most anything. Also check for additional .htacess files there can be more then one on a site located in diffrent directories.

After I de-installed WP on all my sites, I went in via ftp and removed every file in there. I did leave the blank folders, but I made sure to delete everything else.

But I’ll double check, thanks. And thanks for all your help. ??

As you are hosted on GoDaddy if you have not read through this thread

https://www.google.com/support/forum/p/Webmasters/thread?tid=5ed4ca0696a2e5ad&hl=en

probably should scan through it.

LOL Wow… I’ve been a customer of theirs for, idk, 12 years now, I believe. Apparently, I need to rethink that. I was going to switch before for ethical concerns but I’d prepaid for a year. Which is up in a week or so. ??

How do I find a good host that’s not too expensive? (I’d be glad to use a referral link if there’s anyone you recommend.)

Thanks so much again for your help. You’ve been very generous with your knowledge and time. I really appreciate it. ??

Spent some time talking with GoDaddy yesterday. The rep was nice, but (after talking with some higher-up tech people) told me the same, that it’s impossible. I asked him to check with someone else. He wrote to me later:

Hello Kristen:

In double checking another resource, that resource was in agreement that a third party directory cannot supercede the root directory. If you have any other questions, please let me know. Thank you.

[removed for privacy]
Customer Care Center

I’m sending him some links to other articles, including the one above and this one:

https://www.google.com/support/forum/p/Webmasters/thread?tid=51cc151590a97a0d&hl=en&start=40

Based on my interactions thus far and on those of others, I don’t expect to get an straight or accurate answer. I really, really, really don’t want to, but I’m probably going to try this all one more time and spend another 40+ to fix just one of my site. 20+ more to go.

If it happens again, I’m done with them.

Not sure if you’re following this thread still, but get this:

I cleaned out my websites again as they both wound up hacked. Did the WP uninstall through GoDaddy and deleted every folder I have on there, even though they were all empty, except for the STATS folder, which I cannot delete and which they verified for me were all correct. It is empty, as in empty.

And yet, even after deleting browser cache, history, and everything, when I put my url in (directly, not redirecting from Google, etc.), I *still* get redirected.

I did have something show up in my AV scans on my computer, which I cleaned and restarted. Did the same thing… made sure everything empty, deleted all history, etc., and it’s still redirecting. It even redirects on the (xScope) browser on my phone, which I had never used to visit any of my websites before, so it can’t be anything to do with browser cache, etc.

So my question now is, can it be anything other than GoDaddy? Anything at all??

Sorry to hear this is still happening, I know it must be very frustrating. The issue with GoDaddy and the .htaccess certainly kinda leaves you in limbo. As you have deleted everything there are not a lot of other possibilities. Here are a couple of more links on the Google form

https://www.google.com/support/forum/p/Webmasters/thread?tid=34a0198f8400bdae&hl=en

https://www.google.com/support/forum/p/Webmasters/thread?tid=61c2f6b272287c1a&hl=en

https://www.google.com/support/forum/p/Webmasters/thread?tid=703ea962ad70b07a&hl=en

The bottom line in all of them is basically the same. Maybe contact GoDaddy again, explain that you have deleted everything and requests still redirect, ans send them links to the threads.

Aww, thanks for posting again and thanks for sharing all of your time and knowledge.

The first link seems to be broken, but I think the other two probably have enough information.

I’m going to contact them again.

I mostly wanted to keep you updated as, unless they have a better explanation, this seems like definitive proof for me that the problem is on their end.

Thanks again. You’re very kind.

As an update, I called GoDaddy, and they talked to their Advanced Hosting Services department. They came back several minutes later and said they found an .htaccess file on my server. They renamed it (thereby rendering it useless), and I have left it on there for now.

However, this was not there before, neither in Filezilla or on their Hosting Manager. I even took screenshots earlier of Filezilla to show it was blank, so it is my belief that it was uploaded some time in the last hour or so.

I’m not going to reinstall my websites just yet. I’m going to wait and see if another one gets uploaded. But I’m pretty sure this is not from me! lol