Hi,
Good to hear you at least found a symptom of the hack. That’s a good first step.
1. Next, I recommend you contact your web host.
If your web host maintains daily and weekly backups, hopefully they will be able to recover your website from prior to this event.
Once they do so, you’ll want to make sure all of your passwords are changed and likewise ensure all scripts on your site are updated.
2. Web host has no back-ups
Ok, so your web host has no backups (which is pretty much criminal in the hosting biz). If this is the case, you’ll need to log into your website via FTP and start looking around for newly dated files, then work to remove any hacker code you find in them.
3. After action?
Well, once you clean things up it’s time to start looking at future solutions. Proactive security is your friend.
_x_ Check your scripts for version updates at least once a month.
_x_ Only host with a web host who maintains “weekly” backups and who does not charge for backup recovery.
_x_ Install Bulletproof Security and File Monitor Plus so you’ll know when changes are made to your website (and it’s free).
_x_ Change your WordPress admin pass and FTP pass at least quarterly (mark your calendar).
So these are the basics. You can do a lot more by only hosting with web hosts who make security their top priority (i.e., discuss security on their home page, etc.).
Otherwise, I hope all goes well with you.
Also, see the usual malware clearing how-to links:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://www.unmaskparasites.com/
I appreciate your quick response to my issue. I will check on all of the above. I do have one extra issue. I have no idea when this happened as we started to hear about it a few days ago, but since I always typed the URL in my browser we did not figure out the issue until today. Is there a way within a log file or something that I can check to see when this issue came about? Then I will be able to figure out which date of backups I should import.
Ok, one trick here is to log into your File Manager or FTP software and sort the date column, so you can see the last modified date.
That should tell you the last time the files were modified and give you a last date/time when the hacker did their worst.
If you do a quick cruise through the code, I bet you’ll find some malicious code inside your PHP tags that checks for search engine referrals and then sends you to a site that downloads and installs an Exploit Pack.
Google the crap out of all of that, and hopefully you’ll find newer and better fixes than mine (which you should find too).
Good luck to you. Don’t forget to change ALL those passwords and keep an eye on the site’s code!
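The date-sorting and code-review steps suggested above can be scripted against a local copy of the site downloaded over FTP. This is an added example, not part of the original thread; the function names, the referrer/search-engine pattern and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Heuristic chosen for this example (an assumption): PHP that reads the
# referrer and also names a search engine deserves a manual look.
REFERER = re.compile(rb"HTTP_REFERER", re.I)
ENGINES = re.compile(rb"google|bing|yahoo", re.I)

def scan(root):
    """Return (mtime, relative path, suspicious) tuples, newest first."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            suspicious = False
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    data = fh.read()
                suspicious = bool(REFERER.search(data) and ENGINES.search(data))
            rows.append((os.stat(path).st_mtime, os.path.relpath(path, root), suspicious))
    return sorted(rows, reverse=True)

def changes_per_day(rows):
    """Count files per UTC modification day; restore a backup older than the burst."""
    return Counter(datetime.fromtimestamp(m, timezone.utc).date().isoformat()
                   for m, _path, _flag in rows)

def build_sample(root):
    """Constructed sample tree: two old clean files, one recently altered file."""
    files = {
        "index.php": (b"<?php echo 'hello'; ?>", datetime(2011, 5, 1, tzinfo=timezone.utc)),
        "style.css": (b"body { margin: 0 }", datetime(2011, 5, 1, tzinfo=timezone.utc)),
        "header.php": (b"<?php if (stripos($_SERVER['HTTP_REFERER'], 'google') !== false)"
                       b" { /* redirect elided */ } ?>", datetime(2012, 3, 9, tzinfo=timezone.utc)),
    }
    for name, (body, when) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:  # point scan() at your site copy instead
        build_sample(site)
        for mtime, path, flag in scan(site):
            stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
            print(stamp, path, "<-- referrer check" if flag else "")
```

Modification times can be reset by whoever altered the files, so treat the newest date as a hint and confirm it by comparing the flagged files against a backup copy.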
Thanks for all the replies & help. My hack issue is now resolved & all is back to normal.