Hello all - I am brand new to the forums.
I recently got hacked and I am trying to remove the intrusion entirely.
I check the forums and got a response from ticketing with DreamHost and they suggested making new users so one website couldn't infect the rest of them.
I made a new user on dreamhost and made it a SFTP user, since I heard this was more secure. After the user was active, I edited the user for my WP site and changed it to the new one.
The website comes up, but certain things are not working at all like images that were uploaded to WP. The images that are uploaded directly to the directory are working fine.
How can I fix this?
Also, am I on the right track towards fixing the malware problem?
Here is my site but BEWARE! It currently is injected with Malware - www.slimtrimspa.com
I just created a testftp user to see if I would have the same problem. Same problem.
The problem was not switching from an FTP user to a SFTP user - just switching to a new user.
Great progress! I created a new user on DreamHost as SFTP, then I took one of my HTML sites (not Wordpress) and switched it over to the new SFTP user.
Everything worked fine, as I expected. I decided to take a look at the source codes for the HTML files and some of the PHP files as well.
The HACK embeds a line in my HTML and PHP pages starting with the string "eval(base 64". I could not find this string this time, but I did find one in my index.html that started with "eval(function(p,a,c,k,e,d)", but I did not find it anywhere else except index.html, so I deleted that script.
What this means for me?
This intrusion is not as malicious as I thought, because it isn't injecting EVERY HTML and PHP file.
My domains can not be re-injected if I set them up under their own SFTP user account.
MAKING PROGRESS! =D