Jamie Edwards

I saw another post somewhere else tonight that mentioned the same thing. I however haven’t seen anything of the sorts, also, i would imagine it would have a similar last modified date as the new corrupted .htaccess file (today’s date). The other post said to look for something with a name of something like ws2043124.php or something like that. I will keep looking ??

Also, thanks Mickey, i have set the permissions to 444, we’ll see if that stops the files from being overwritten ever 30 minutes or so…

Ok, awesome, thanks impackt, I just noticed that I missed something way down at the bottom of the .htaccess file that was giving a 404 error. I have cleaned out everything that I can find that is obvious in the .htaccess file. I have changed my FTP and my cPanel passwords too.

I have looked through every folder looking for any unusually named files, but can’t find any. I will keep looking.

Thanks so much for registering here to help, I appreciate it lots.

Thanks Roy, I had looked at these links before, and have read through them at length. I have been working on this for about 7 hours now, and I am more convinced that it is a problem with my shared hosting environment (1and1) but from what I have seen so far, they are absolutely and completely incompitent, and I would highly reccomend not using them for hosting. I have had nothing but bad experiences time after time with them. Their solution for me that they just sent in an email was to “create a .htaccess file and place it in the root of my site”. So stupid ??

My problem is, if I am to change hosting providers, then my sites are still messed up, i need to figure out how to clean out the malware, and see if 1and1 can plug the holes, or look at the crappy task of moving all my sites over to somewhere else. So lame ??

Ok, so I have been working on this for hours and hours and still no luck. Here is what seems to be happening now:

I picked one of my simple WP installs, one that has is running twenty ten theme, and no plugins running. (its running 3.3.1)

I delete the .htaccess file, but the malicious redirect is still happening, even without an .htaccess file.

When I do a security check at sucuri.net it says:
Malware found on javascript file:
https://ck.jamieedwards.com/404javascript.js
When I look for this file, I can’t find it anywhere, there doesn’t seem to be a 404javascript.js file anywhere?

https://sitecheck.sucuri.net/results/ck.jamieedwards.com

Hmmm, I had seen a security patch for timthumb.php about 6 months ago or so, so i am not sure that is my problem. I am on 1and1, and they are slow to respond, I have been refered to their “security” team who is only there from 9am-5pm ??

I’m thinking this is a FTP hack. I am with 1and1 and am finding the same .htaccess file in most of my folders even non WP sites.

Anyone else here on shared hosting? I am just curious, as I am finding the same .htaccess file in root folders that are not even WP sites.

Wondering if this is a FTP hack rather than a WP hack?
If I delete the file, it gets replace or recreated within 30 minutes or so.

Looks like its running some kind of code that replaces the redirect code in the .htaccess. I cleaned the code out, uploaded the file, but when I re-download the .htaccess the malicious code is back in there ??

Grrrrrr!!!!!! ??

Looks like they got into the .htaccess file, not sure how though. Also, I am not sure if they got into any of the other files too?

If I get rid of the hackers code in the .htaccess file, how do I stop it from coming back? The sites are running the latest version (3.3.1), and all the plugins are updated.

Same thing just happened to me, I am running about 20 WordPress 3.3.1 sites, all of them have been hacked and are redirecting traffic to https://saveprefs.ru/astro/index.php, i really don’t want to have to restore all my sites from older backups. If anyone has a solution on how to get rid of this, I would so very much appreciate it!

Same thing just happened to me, I am running about 20 WordPress 3.3.1 sites, all of them have been hacked and are redirecting traffic to https://saveprefs.ru/astro/index.php, i really don’t want to have to restore all my sites from older backups. If anyone has a solution on how to get rid of this, I would so very much appreciate it!

Thanks

Yes that worked, it must have been something going on with a missing file or something. Thanks very much!

Thank you, I will give that a try and let you know if it worked.