PLEASE HELP. Site Hacked

That’s some irritating hack!! And the links are even broken (scanner.antivir64.com/?aff=1050). The weird thing is that the url your visitors are pointed to, does not appear in the source of your website. I can’t even access the website to see what it is and a Google search doesn’t result in much. It is almost as if this is handled outside of WP. To be honest, I have no idea where to start looking, but there’s always a few things you can try of course.
1) Change to default theme and see if the problem persists. If it does not, your theme has been compromised, if it does, we have to look for something else.
2) Can you still access the WP admin? Do all internal links work or are they also redirected? What about post links (for example previews or edit links)?

Then a question: when did you upgrade to 2.6 and what plugins do you use?

[edit] another question: I see people can register. Did you get new users recently? What’s the role subscribants get? “Contributor” or something with not too much rights I hope?

I’ve tried disabling all the plugins, changing themes, and disabling the .htaccess file. My admin panel works as well. When I looked at the .htaccess file it was blank. It’s really weird, it seems like it’s completely outside of WordPress. I looked at one of my test drupal installations and that works fine.

Everything in the admin seems to work fine. If you notice the ad on the left is working fine as well.

it seems like it’s completely outside of WordPress

I had the very idea, but how? What about new users?
Are you on a shared server or a dedicated?
Did you check your error logs or contact your host?
Another thing that you could try, but which is tedious, is downloading your WP installation and check the files to see if anything is changed. Perhaps you can use the Windows search inside files function for that.
Oh, when you look at the files on the servers, are there files with a recent timestamp that you’re sure you didn’t edit yourself? That could be a pointer to what files to have a look into.

I’m on a VPN, I don’t know how many other people are on it, but not many. There’s been no new users registered in the last day, this seemed to have happened sometime yesterday. I did contact my host provider but haven’t received a response and they are usually pretty good about responding. I didn’t think of looking at the time stamp. I’ll do that now.

the host provider is claiming it’s a wordpress issue and won’t fix it without a fee.

It would be nice to know what the issue is.

Did you check the timestamps and error logs?
And in reprise: when did you upgrade to 2.6?

I upgraded the day it was released. I’ll have to check the timestamps this evening. I’m not sure what to do now. I may just switch to Drupal and be forced to rebuild everything.

There are no known holes in 2.6 and I hope someone didn’t find one in your installation. If you can find more information you might want to send an email to [email protected]. It would be helpfull to check the timestamps to see if there are edited files, if yes, which ones and what was edited and perhaps your server logs can tell us something. Too bad nobody with more experience than myself is here to see if it is possible to find the way in. Security will definately want more information than what’s not is. On the other hand, if it’s a hack of a 2.6 installation that has been going for a couple of weeks and your host says the hackers came in through WP we should all be very curious what and how.
Good luck. I hope you’ll find some valuable information before you clean up the mess. It might help the rest of us.

I’ll try that, thanks for all your help. It seems weird that the admin works though.

I’m going to try to export and import when I get home and see if it’s there. The only problem is my Import file is totally screwed up and doesn’t import files properly. The date sort is completely out of date. I’m not sure what this will prove if it works, though.

I’ll try that, thanks for all your help. It seems weird that the admin works though.

That makes me think it is a theme issue afterall. Do “view this post” from admin also work, I mean, when the admin uses the same link as on the site itself, not a preview link or something?

If it IS the theme, your site will still be infected if you keep using it. Instead of doing something drastic, maybe you should just reupload the WP pack. If any WP file is edited, the problem will go away too. I doubt it is something in your database.

It can’t be the theme though, because I tested 5 different ones and it still happens. I’m going to have to take the site offline tonight if I can’t fix it soon. A lot of folks are complaining.

Yes, the posts are hijacked in the admin when you click view posts.

WOW! This one even has the control of your RSS. Let me dig a bit more deeper. I did check for your CSS files, nothing bad in them.