peosteve

It’s a Window server, so there isn’t an htaccess file. ?? I’m guessing those files in cache referenced it, but who knows. Looks like the issue is gone, so I’m happy. ??

Thanks for all the info about grep and for your suggestions!

perezbox, thanks for letting me know. I thought it was weird, but figured if there only a bunch of IP addresses in it, it couldn’t do much on its own…

what does that grep… command actually do?

Nami15, still check the cache directory first for suspect entries…and if there’s nothing there, or it’s all normal, follow perezbox.

Nami115, my site was compromised to. I looked through my whole file structure and identified a few files in the cache directory as being suspicious. I’ve changed the names of those files, to see what happens, and while it’s possible that the cache files are not the backdoor, they certainly look like they’re up to no good.

Cache can be found here: /wp-content/themes/yourtheme/cache

You should be able to remove all the cache files without issue, but I renamed them to see if I got it right. There was also a suspicious file in the root that was created today and just had a bunch of IP addresses in it. Not sure what that’s all about… will report back if this fix doesn’t work.