Several of my sites have been hacked, with an injection of base64-encoded PHP that redirects incoming search traffic.
Don’t know how this got in, maybe an out-of-date WordPress installation, or maybe the recent hack? Anyway.
I’m going about restoring things, but I had a few questions, and would appreciate any feedback, as I’m not an expert on some of this stuff.
My plan is to delete everything from DreamHost’s servers, and rebuild from backups that I’m sure are clean of any malware – so far I’ve only found suspicious code in PHP files. Should I be looking anywhere else?
I am trying to access my log files, but the permissions seem to have been changed to 755, and I can’t open them… how can I open & back up these files?
I created a new FTP/shell user earlier today for all sites, but when I try to log in via SSH, I keep getting booted. Could this be related, or am I doing something wrong? Have checked and double-checked username and pw – can log in via FTP but not the shell. (Using Coda on OS X.)
Needless to say, this sucks. I have 4 business websites that are effectively down, and I’m trying to get this sorted ASAP…
Any help would be greatly appreciated…