• Hi,

    My site has been hacked and I’m wondering the best place to start fixing it.

    It keeps redirecting to inoa-seishell.ru

    It’s intermittent (like every 3 or 4 refreshes) and usually occurs within the wp-admin section

    I’ve upgraded to the latest wordpress, and tried to update most of my plug-ins but the inoa-seishell.ru url keeps stopping me

    Any help appreciated

Viewing 15 replies - 16 through 30 (of 31 total)
  • I have replaced the .htaccess file with your suggested code, the site is still redirecting, so I assume it is not the htaccess file?

    The mod to the .htaccess file was to stop everyone using your site, except yourself, if you added your IP address to it.

    The site will still redirect as there is either ‘code’ in the database, or some of one of your files have been modified. At least with the .htaccess file modified, no further ‘damage’ can be done, and you get to fix things without other traffic.

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    Ok, I have removed the htaccess completely and it’s still redirecting. Must be a database hack then. I might delete everything and start from scratch.

    Try the Exploit Scanner plugin if you can. But if you want to start from scratch, make sure you have at least a full backup (all files and the database).

    It would be interesting to compare the files and database, before and after your reload.

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    Hi Pete – I did a ‘beyond Compare’ last night, and pretty much all the files came up as red (not matching) though I could have missed something

    Exploit Scanner still not working, but will give it another try

    thanks!

    Hmm, are you sure the versions of WordPress were the same? They might show red if the EOF (end of file) markers are different; I use Linux, and EOFs are different to Windows. That said, Beyond Compare should automatically sort that out.

    I just ran a small test, and red is only when the content is different. Click in the middle of the 2 windows in BC, on a file shown in red. The colour showing across both should now be green. Use the right mouse button, and ‘open with text compare’. It will show you the line/s that are different.

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    Ok I’ll give Compare another go

    I just ran Exploit Scanner (which worked this time) and it’s come up with so many errors I don’t know where you start

    base64_decode is flagged a lot

    Contacted my server provider who said it was a htaccess file, but I’ve not seen any changes on it; in fact I’ve deleted it completely.

    If you try this Google search:

    wordpress base64_decode

    Lots there, but it seems it is an SQL injection of sorts. If you have a look at step 1 in this one, notice a redirect. Also, if you can, search all your php files for ‘eval(base64_decode’; possibly a few there.

    this post is helpful

    Most service providers will not admit that their server is not as secure as it can be, and a common ploy is to direct attention to files on your site (like .htaccess).

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    Had a bit of progress

    It seems the key to this is the Exploit Scanner plug-in. When I finally got it to work (the site kept redirecting during scans) it showed the most severe notifications inside the plug-ins folder, mainly the phpMyAdmin plug-in.

    I have deleted the phpMyAdmin plug-in and so far so good

    Possibly a good idea to drop a post in the plug-ins forum, to let people know there is a security risk with the phpMyAdmin plug-in. Doesn’t your web hosting give you phpMyAdmin access ?

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    I’m not convinced it’s that plug-in yet. I think I found the culprit, a rogue htaccess file in the server’s root.

    Didn’t Exploit Scanner show notifications in the phpMyAdmin plug-in?

    When you say the .htaccess file is in the server’s root, do you actually mean the root path of your website, or the root path of the server? (Quite a difference usually.)

    Thread Starter friendlygiraffe

    (@friendlygiraffe)

    Root path of my server. So it is above all my website’s directories.

    The .htaccess files they have modified have a load of line-returns, so I didn’t bother noticing the scrollbar.

    I’ve deleted the rogue code off the htaccess files, but they get edited again the next day, so the spammers have access to the server, despite me changing the FTP passwords.

    The ‘WordPress File Monitor’ plug-in has been really handy in notifying me of this, I would highly recommend getting it

    As for the Exploit Scanner, I guess it isn’t as good as I thought. It’s picking up possible threats in the plug-ins that aren’t as severe as I thought. I’ve compared the old plug-ins with fresh ones and they match.
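    An added triage script (mine, not from this thread, the Exploit Scanner plug-in or WordPress) that combines the checks the replies suggest: search PHP files for ‘eval(base64_decode’, compare every file against a clean copy, and flag .htaccess redirect rules that were pushed out of sight by a run of blank lines. It assumes you have a clean reference tree (for example a fresh WordPress download plus fresh plug-in copies); the indicator patterns are my choice and are triage hints, not proof of compromise.

```python
import hashlib
import os
import re

# Assumed indicators (my choice, not the thread's): eval(base64_decode( in PHP,
# and Redirect/RewriteRule lines sending visitors to an external host in .htaccess.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
EXT_REDIRECT = re.compile(r"^\s*(Redirect(Match)?|RewriteRule)\b.*https?://", re.I)

def scan_php(text):
    """1-based line numbers containing eval(base64_decode(."""
    return [n for n, ln in enumerate(text.splitlines(), 1) if EVAL_B64.search(ln)]

def scan_htaccess(text):
    """(line_no, blank_lines_before) per external redirect; a big count means the padding trick."""
    hits, blanks = [], 0
    for n, ln in enumerate(text.splitlines(), 1):
        if not ln.strip():
            blanks += 1
            continue
        if EXT_REDIRECT.match(ln):
            hits.append((n, blanks))
        blanks = 0
    return hits

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(suspect, clean):
    """For every file under suspect that differs from clean or carries an indicator,
    return {relative_path: (changed_vs_clean, indicator_hits)}."""
    report = {}
    for dirpath, _, names in os.walk(suspect):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, suspect)
            ref = os.path.join(clean, rel)  # same file in the clean reference tree
            changed = not os.path.isfile(ref) or sha256(path) != sha256(ref)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            hits = scan_htaccess(text) if name == ".htaccess" else (
                scan_php(text) if name.endswith(".php") else [])
            if changed or hits:
                report[rel] = (changed, hits)
    return report
```

Run `triage("/path/to/hacked-site", "/path/to/clean-copy")` and review the files that are both changed and carry hits first; files that are changed with no hits still need a manual look, since a backdoor need not use base64.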

    but they get edited again the next day, so the spammers have access to the server, despite me changing the ftp passwords

    You’re getting hacked via other, insecure accounts at the webhost. Nothing will change until that is fixed. Who is your host? What have they said?

    See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex and tell your host.

    Yep, I’d agree with songdogtech. Your web host needs to find out where the back door is (which other insecure account/s) and actually do something to fix it. Even if other clients who use the same web server have insecure sites that enable back doors, the server security should be such that ‘hackers’ still cannot get to your account.

  • The topic ‘Site hacked’ is closed to new replies.