Hacked / hijacked?

Recently people visiting my site were getting warning screens appearing from Google informing them that my website (wordpress blog) was hosting malicious content etc or being redirected to a known dodgy site.

I could not find what was causing this and everything I did seemed to have no effect so in the end I blew away my entire site and started again.

Things seemed to come right for a few days and then it started again - I installed Website Defender and it found one of my links was going to a known malicious site (which is odd because the link is legit and hosted by Google themselves!) - so I removed the link. Came right again…

Then started again. Website Defender couldn't find any fault with my WP install - a friend advised I should try updating my NS details with my registrar etc, so I did that and it seemed to work.

So I started a subdomain for a family member, and now today, that has started getting the same sort of message.

The site it's trying to redirect to is: www.sdex-accord.ru

This issue is doing my head in - I'm a computer tech but more hardware than networking so I'm starting to get puzzled and frustrated as to what's going on…

Anyone help ?
Please ? :slight_smile:



The damage will most likely be found in your .htaccess file. (Make sure your FTP program is set to show invisible files, as in the *nix world invisible files begin with a . ) Once you are looking at the file you may need to scroll down and/or right. Many times they put a few hundred blank lines into the file to make you think there is nothing else left.

There are a few threads here in the forum; search for “hacked” or “attack”.

And see also: http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
and http://wiki.dreamhost.com/Security

Also, please contact DreamHost Support if you need assistance — our Security / Abuse team is quite familiar with this sort of issue. They’ve got tools to clean up the redirects, and to find exploits and insecure software which may be installed on your domain.
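
An added example, not part of any post in this thread: a Python script that checks .htaccess files for the signs described above, namely content hidden after long runs of blank lines or pushed far to the right, and redirect rules that point off-site. The thresholds, function names and the hostnames `example.org` and `malicious.example` in the constructed sample are assumptions made for illustration.

```python
import os
import re
import sys

# Apache directives that can send a visitor to another URL.
REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)

def audit_htaccess(text, own_hosts=(), blank_run=20, max_indent=80):
    """Return (line_no, reason) findings for the text of one .htaccess file."""
    own = {h.lower() for h in own_hosts}
    findings, blanks = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= blank_run:  # rules hidden below padding
            findings.append((no, f"content after {blanks} blank lines"))
        blanks = 0
        if len(line) - len(line.lstrip()) >= max_indent:  # hidden off-screen
            findings.append((no, "content pushed right by whitespace"))
        if REDIRECT.match(line):
            for host in URL_HOST.findall(line):
                if host.lower() not in own:
                    findings.append((no, f"redirect to external host {host}"))
    return findings

def scan_tree(root, own_hosts=()):
    """Audit every .htaccess under root (os.walk also returns dot-files)."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: ordinary rules, 300 blank lines, then an indented injected rule.
SAMPLE = ("RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n" + "\n" * 300
          + " " * 120 + "RewriteRule ^(.*)$ http://malicious.example/ [R=301,L]\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root, sys.argv[2:]).items():
        print(path, hits)
```

Pass the site's document root followed by your own hostnames as arguments. An off-site redirect you added on purpose will be listed as well, so review each hit rather than deleting blindly.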

Thanks guys, will double check the .htaccess and go from there :slight_smile:

The important thing to remember is there are two things to do.

1 - clean up the damage
2 - identify and plug the security hole to prevent a repeat attack.

Bingo!!! Thanks Lakerat, you were right, a hidden .htaccess full of trashy sites :slight_smile:
Now removed…

But do you know how the corruption got there to begin with?

Most often it’s an unsecure WP theme and/or plugin…

Well, I updated a theme and a plugin a few days beforehand - so was obviously one of those, both are no longer in use.

Pretty similar thing happened to me last week, too. It infected two of my sites and two subdomains. I’ve just come off of four days learning how to deal with this horse hockey… I think it started with a plugin to my WordPress site, as well.

http://codex.wordpress.org/FAQ_My_site_was_hacked - was the best site to help me out. I’ve since moved my wp-config file, too. Hopefully that’ll keep things clean!

Good luck!