• Hello,

    Please take a look at eclipsemagazine.com. Somehow my site has been hacked. All of the Post Links are being redirected to some weird anti-virus scanner. I looked at the code, changed the .htaccess file so that it’s not active, looked at the theme and the permalinks and can’t figure out why or how this is being done.

Viewing 15 replies - 16 through 30 (of 38 total)
  • Hmm, I ran a few tests and it seems that your DNS entries may be hijacked! Seems like your host has not patched up yet.
    All your PHP files seem fine to me. Maybe it’s your host’s DNS flaw.

    Please read about Dan Kaminsky’s DNS Flaw on Google or https://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

    Thread Starter malexandria

    (@malexandria)

    Wow, that’s a new one. But I think it could be correct because if you type in eclipsemagazine/randomname it redirects to the antivirus thing. The weird thing is when I go to my Drupal test site that works fine.

    Can you link me up with your Drupal test site?

    Thread Starter malexandria

    (@malexandria)

    Hmm. I was wrong. This is no DNS flaw. Something at the server. Have you checked your database?

    I thought it might be the sezwho plugin, but not looking like it. Category.php was looking suspect, nope. It appears that HTACCESS is the problem.

    Check your htaccess files for rewrites or redirects. It appears that the redirects work on all but the top page.

    I turned off javascript in my browser, and it still redirects. I think your HTACCESS files may be the issue.

    Thread Starter malexandria

    (@malexandria)

    I tried changing the name on my .htaccess and I looked at it in a text editor and it’s blank.

    Thread Starter malexandria

    (@malexandria)

    I looked at the databases and haven’t seen anything.

    Thread Starter malexandria

    (@malexandria)

    Well, I broke the site. It was definitely an .htaccess hack. The problem is, for some weird reason I had a sub directory for each category that only contained an .htaccess file, so I went through the site and deleted all those folders. The redirect is now gone, but I’m now getting 404 error messages. I’m going to try reinstalling WP and moving my db tables over, that should fix everything.

    Those folders are not WP’s. Does anybody know about a plugin that would do something like that? Otherwise it’s still a very serious hack. Have you checked error and access logs and found anything out of order?
    Btw. We’ve talked about timestamps. Did you check what timestamp all these weird extra folders and their files had?

    When you’ve fixed things, you still have to make sure there’s still not a hack file somewhere, or something in your database that shouldn’t be there. Make sure to change ALL passwords (WP, database, control panel, etc.) and read the Hardening WordPress text in the codex to try and prevent this for the future.

    (Actually I’m still curious about the “how” of this hack.)
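The check suggested in the replies above (find stray .htaccess files, see what they redirect to, and compare their timestamps), written out as an added example that is not part of the original thread. The sample tree, the `category-news` directory name and the `scanner.example.invalid` host are constructed for illustration.

```python
import os
import re
from datetime import datetime, timezone

# Apache directives that can send a visitor to another URL.
DIRECTIVE_RE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b(.*)$", re.I)
HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.I)

def scan_htaccess(webroot, own_hosts=()):
    """Report every .htaccess under webroot, most suspicious first."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        external = []
        for line in lines:
            m = DIRECTIVE_RE.match(line)
            hosts = HOST_RE.findall(m.group(1)) if m else []
            if any(h.lower() not in own for h in hosts):
                external.append(line.strip())  # redirect to a host that is not ours
        mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
        findings.append({
            "path": os.path.relpath(path, webroot),
            "modified_utc": mtime.isoformat(timespec="seconds"),
            "lone_file": len(os.listdir(dirpath)) == 1,  # directory holds nothing else
            "external_redirects": external,
        })
    return sorted(findings, key=lambda f: (not f["external_redirects"], not f["lone_file"], f["path"]))

def build_sample(root):
    """Constructed sample: a normal WordPress root plus one planted directory."""
    wp = "RewriteEngine On\nRewriteRule . /index.php [L]\n"
    bad = "RewriteEngine On\nRewriteRule ^(.*)$ http://scanner.example.invalid/?q=$1 [R=302,L]\n"
    os.makedirs(os.path.join(root, "category-news"))
    for rel, text in ((".htaccess", wp), ("index.php", "<?php\n"),
                      (os.path.join("category-news", ".htaccess"), bad)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_htaccess(tmp, own_hosts=["example.com"]), sep="\n")
```

Run against a copy of the web root before deleting anything, so the modification times and file contents are still available when comparing against the access logs.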

    Thread Starter malexandria

    (@malexandria)

    Yeah, all the time stamp changes were on those folders, which is why I deleted them. But now I can’t get the URLs to work at all.

    Thread Starter malexandria

    (@malexandria)

    Aha! Looks like it may have been a DNS attack after all. Seems I have to change my name servers (but my registrar isn’t letting me change it).
    So hopefully later today, once I get a workaround, I’ll be able to finally fix this.

    Thread Starter malexandria

    (@malexandria)

    Issue is resolved, thanks for all of your help! It was a server hack, but the host provider really isn’t admitting to it or providing me with any information. Changing the name server information seems to have fixed the problem.

    Good for you. I’ve searched the www a little for DNS hacks, but I haven’t found much about it. I’m still curious how it’s done.

    I noticed in the most recent update to Spyware Blaster that all those domains are now blocked in SB.

    I highly recommend that everyone use Spyware Blaster. It’s free (for manual updates), and it is unobtrusive.

  • The topic ‘PLEASE HELP. Site Hacked’ is closed to new replies.