Site hacked

Good that you have the database backed up.

I think from other posters here, the recommendation for doing a site restore is to disable plugins. Anyway, here is a suggested ‘path’ to take

1. Stop people from using your site whilst you do the restore and maintenance. I do this with modifying .htaccess as follows (e.g. if your IP address is 72.233.56.139 for example)

At the top of your .htaccess file, add these lines

Options +FollowSymLinks
RewriteEngine on
#
RewriteCond %{REMOTE_ADDR} !^72\.233\.56\.139$
RewriteCond %{REQUEST_URI} !/maintenance_page\.html$
RewriteRule ^([^/]*/)*(([^.]+\.)+(php|s?html?))?$ http://www.example.com/maintenance_page.html [R=302,L]

This assumes you have a file called maintenance_page.html in the public path of your site, with a message like “Sorry, we are closed for maintenance at present”.

2. Do a full backup of the database and every file.

3. Search through the database backup from step 2 for that inoa-seishell.ru’ string (without single quotes of course). There doesn’t seem to be an IP associated with that domain. Record anything you find, etc.

4. Copy all of WP 3.1.3 to your local machine. Copy all of the plugins, etc also, to your local machine. Use a tool like beyond compare to then compare what was on your website, to what is on your local machine. They may have been able to modify some of the files, so this step ‘should’ show up, if there are any modified files.

By the sounds of what is happening, they have added a ‘redirect’ somehow. Hopefully that is all.

5. Let us know if you find anything.

Pete

Hmm, if they have hacked into another site on the same server, then server security may not be as tight as it should be, or they have found a back door from one site on the server, ‘into’ another site on the same sever.

For example, I have SSH/shell access to the server I use, but server security stops any attempt to ‘get’ to another site on the same server.

That said, they simply may have used the same ‘dirty tricks” on 2 sites on the same server.

Step 2 in my instructions should have been step 1 , otherwise .htaccess is not backed up, if you do modify that.

The basis of your investigation is “what have they changed” ? So, runing a good file comparison tool like beyond compare will show up any changes, as long as you download WP 3.1.3 again, and use that as a basis for your compare.

Some of the plugins may have ‘holes’ in them, but if they are popular and lots of downloads, then there would hopefully be less chance of an open door there. Do the compare bit by bit. Beyond compare can even do compares from local to remote (no, I don’t get a commission, lol).

You can also compare your ‘last good db backup’ with the db backup ‘now’, and pickup anything there that sticks out.

pete

I hope you’ve turned registrations off until you get this sorted.

🙂

These 2 may help – My website rdirecting to another site and htaccess file is redirecting my site