• I'm assisting a friend to resolve an issue. Basically, when you search for his blog on Google, the URL appears as a URL for a porn site.

    The URL on Google appears as follows:

    <site name>/?l217-gloryhole-mensroom-sex-video

    However, when you do click on it, it does not take you to a porn site but to the correct page.

    Since no redirection happens, I suspect this is just a malicious attempt to get the site banned by Google.

    This issue only occurs when searches are done on Google, not other search engines.

    None of the other pages on the blog have hacking issues.

    Any thoughts on how to resolve this?

Viewing 10 replies - 1 through 10 (of 10 total)
  • You can prove if this is a hack. Copy the actual URL from Google, not the title, and paste it here: http://tools.seobook.com/server-header-checker/ Then push Check Headers.

    If the checker returns a 200 OK then that link is really on your friend's site. You will see an image of the site as additional proof the link exists.

    Thread Starter azda

    (@azda)

    @wslade
    It returned a 200 OK

    However, I have checked the file structure and the file does not exist in the file structure.

    I had already read through the links posted by WPyogi and tried the ideas there.

    Does anyone have any thoughts on how to find the infected file?

    You said that you read through and tried the links. Did you do anything?

    Have you replaced all the files in the WordPress core, except wp-contents and wp-config.php? Have you replaced the theme and all the plugins? Have you checked the database to determine if it is free of malware?

    Also, I’m curious as to why you used index.php hacked as the title for this post. Did you find malware in the index?

    Thread Starter azda

    (@azda)

    @wslade
    Thanks for your ideas, I will start by looking at how I can replace WordPress core except those two.

    I appreciate any other ideas.
    Assume I know nothing about WordPress.

    Is there any potential for corruption of the database?

    Yes, there is the possibility that the database is involved. There are articles in WPyogi’s post about cleaning a database. I suggest you repair the files first before going to the database.

    The hack likely added files that were not previously there and modified files that were there. The bad files can be anywhere in the WordPress core, theme or plugins. I would start with downloading everything in the public_html directory to your PC for safekeeping.

    Then delete everything but the files I mentioned earlier and replace them with new ones. It sounds like a lot but the whole process doesn’t take long. Following the steps in one of the posts above and using FTP is the only skill needed.

    You didn’t answer my question about why you chose to title the post index.php hack?

    Thread Starter azda

    (@azda)

    Hi Wslade

    I chose the title because only the main page (index page) manifests this porn URL when searched on Google.
    When you do a Google search for the other pages, the URL of those pages is not affected.
    Also, this problem is only specific to Google. The other search engines do not manifest the porn URL.

    I am working through this slowly as I have a full-time job and am a part-time student. Here is what we have done so far:

    1. Changed admin password
    2. Deleted all plugins and re-installed
    3. Changed theme
    4. Deleted wp-includes folder and replaced with latest folder from WordPress 4.1.1
    5. Deleted wp-admin folder and replaced
    6. Replaced the files in the root folder with the ones from the latest WordPress install. (did not replace wp-config)

    I have a question on step 6 above. There are some files that exist in our current folder but do not exist in the WordPress install. They are:
    a. .htaccess
    b. wp-register.php
    c. wp-pass.php
    d. wp-config.php.dnb.wss

    Items a, b, c, d above do not have an equivalent in the latest WordPress install. I am not sure if I should delete them.

    Does anyone know why these would exist in our WordPress install but not in WordPress 4.1.1?

    I looked at WordPress backups from one year ago and all these files exist. Yet the hack only appeared 2 months ago.

    Download the four files to a folder on your PC marked malware. Then delete them from your server. .htaccess, wp-register.php, wp-pass.php are all probably OK. The wp-config.php.dnb.wss is probably malware.

    Your WordPress should regenerate a new .htaccess. If it doesn’t get recreated or if your site has issues, look at the file for malware.

    Thread Starter azda

    (@azda)

    This has proven a really tough nut to crack. I deleted all those files above including .htaccess which I replaced with an older version from a year ago.

    I have gone through the various issues proposed in the sites above, including trying to use site scanners like Sucuri.

    The only possibility now is the database or the wp-contents folder.
    Any thoughts on what else I can do?

    Only server-side scanners will find the hard-to-find files and backdoors. If you are not using the paid version of Sucuri, you are not using a server-side scanner.

    I suggest you use Wordfence. Before you run a scan go to Wordfence > Options > Scans to include > select ALL the boxes in this section – these settings are important – and then scan.

    If that doesn’t find anything then load WP Antivirus Site Protection (by SiteGuarding.com) and/or Anti-Malware from GOTMLS.NET. The free versions both will do fine for you. One will nag for a donation and the other about upgrading to pro but both will still work. There is nothing to lose from loading both of these scanners.

    Some of these will give you a little help with checking the database. All three will check wp-contents.

    There is also the possibility you missed a file like those you removed. It can happen to anyone. I delete and reload new again if I still have issues. It’s a lot faster to delete and reload than to look through all the files for one or two bad ones.

    Good luck.
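
Added example, not part of the original thread: the manual check discussed above (which files sit in the site folder but not in a fresh WordPress download, and which stock files have changed) can be run on a downloaded copy of the site. This Python script assumes the clean tree is the same WordPress version as the site; the trees built in `demo()` are constructed placeholders, and all function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

SKIP_DIRS = {"wp-content"}      # kept, not replaced, in the thread's procedure
SKIP_FILES = {"wp-config.php"}  # likewise kept; review these two by other means

def index_tree(root):
    """Map each file's relative path to its SHA-256, skipping kept items."""
    root, hashes = Path(root), {}
    for path in root.rglob("*"):  # rglob also returns dotfiles such as .htaccess
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if (len(rel.parts) > 1 and rel.parts[0] in SKIP_DIRS) or rel.as_posix() in SKIP_FILES:
            continue
        hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare(site_root, clean_root):
    """Classify files in the site copy against a clean WordPress download."""
    site, clean = index_tree(site_root), index_tree(clean_root)
    return {
        "extra": sorted(site.keys() - clean.keys()),    # not shipped in the download
        "modified": sorted(p for p in site.keys() & clean.keys() if site[p] != clean[p]),
        "missing": sorted(clean.keys() - site.keys()),  # shipped but absent on the site
    }

def write_tree(root, files):
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

def demo():
    """Constructed trees; file bodies are placeholders, not WordPress code."""
    stock = {"index.php": "<?php // stock", "wp-login.php": "<?php // login",
             "wp-includes/version.php": "<?php // version"}
    site = {**stock, "index.php": "<?php // stock\n// appended line",
            ".htaccess": "# rules", "wp-register.php": "<?php", "wp-pass.php": "<?php",
            "wp-config.php.dnb.wss": "<?php", "wp-config.php": "<?php // secrets",
            "wp-content/themes/x/style.css": "body{}"}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp) / "site", site)
        write_tree(Path(tmp) / "clean", stock)
        return compare(Path(tmp) / "site", Path(tmp) / "clean")

if __name__ == "__main__":
    print(demo())
```

A file listed under `extra` is only a candidate for review: `.htaccess`, for instance, is normally written by WordPress itself and never ships in the download.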


The topic ‘Index.php hacked’ is closed to new replies.