impackt

No problemo

Sorry for the delay. No, I’m not really interested in the contents of the file..I just want to help you find it and remove it.

Any update on your progress?

I finally solved my problem, after several reinstalls from the WP dashboard and multiple htaccess resets.

This problem stopped coming only when I tried going to my website one day and I copied the URL that Google Chrome warned that my site was trying to forward to.

Once I downloaded my complete WordPress directory to my computer, I did a search for that URL and found exactly where the script was hiding. It’s been about 2 months and I haven’t seen the problem since.

If you have a Mac, just type the URL into the search field of Finder. If you use Windows, try using File Hound to find it for you.

Please let me know if you find anything!

LOL, maybe my guardian angel fixed mine for me. I find it extremely weird that my solution didn’t work for anyone else.

@urbaanalmelo

It seems as if this attack also affected 404 settings. I’m thinking that maybe my files didn’t stop changing until I added 404 directions to my .htaccess file.

Upload the code below, check again for PHP scripts, then try your site. Also try visiting non-existent URLs to see if the 404 actually tries to work.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

ErrorDocument 404 /down.html
# END WordPress

@urbaanalmelo Can you post the contents of your .htaccess here?

@urbaanalmelo Once you overwrite it, download it immediately and see what it’s contents are.

No, it’s not related to web hosting. It’s most likely related to hacked FTP accounts. I have reseller hosting, and only one of my sites have been affected by this — once I fixed it, it never came back. It’s been nearly 12 hours now.

The biggest problem is that you guys think you are editing and overwriting your .htaccess files, when in fact, the overwrites are failing. These hacked files are set to “read only” and can’t be overwritten. I seriously don’t think they are replacing themselves — you guys just aren’t changing the permissions before attempting an overwrite.

@old_fart – I did everything that you listed. My site is working perfectly fine.

@Richardline – Here’s detailed directions of what I did:

1. Change all passwords

2. Look in EVERY directory and delete the suspicious PHP files as mentioned previously.

3. Look in EVERY directory for a .htaccess file and delete it or overwrite it with your desired .htaccess file. Overwriting will not work unless you first change the file permissions of the infected file to 0644 before overwriting.

4. If you are overwriting your .htaccess files instead of deleting them, be sure to delete all of the hidden code at the top and bottom of each file. A lot of white-space was added to hide the code from you.

5. Add a 404 redirect to your new .htaccess file if you haven’t already done so. I created a 404 page named “example.html” and added this to my .htaccess file(remove the quotes): “ErrorDocument 404 /example.html”

6. Manually test your site to see if it’s working, and also test with https://sitecheck.sucuri.net/scanner/

Let me know if this works for you. My site has been up for 7+ hours since doing these things.

My site is still clean and passing the test( https://sitecheck.sucuri.net/scanner/ ) since I fixed it 6 hours ago.

Has anyone else had any luck with my method?

You’re welcome!

I wish I could tell you what the file name was, but I deleted it the second that I noticed it — it was mostly composed of random numbers.

I’ll post in a few hours to let you know if my site is still clean

BTW, when I say that I added a “404 redirect link”, I mean that I added a line similar to this in my .htaccess file:

ErrorDocument 404 /example-404.html

I registered here so I could help you. I had this exact problem and found this page with Google.

There was a PHP file in my main directory that had a weird file name. I first deleted that and changed my FTP/cPanel passwords. I also had to delete the added crap that was in EVERY .htaccess file within my site — it’s all identical and was probably placed by a bot. There is something at the top and at the very bottom of each file(be sure to scroll ALL the way down).

I noticed that my site was still being redirected and was failing the test on https://sitecheck.sucuri.net so I added a 404 redirect link in my .htaccess file and that fixed it! Let me know if this works for you