First, please don’t link directly to malware scripts – one never knows what might happen when clicking on them, and if you post a link, sure enough someone will click on it.
Second, that type of attack is usually too sneaky to be found in the places you’ve looked…..try searching through your site’s folders using your FTP program – start with the wp-content/uploads folder first (a most common place for injected files) but many often come in through holes in plugins, such as those that allow uploaded files (sometimes in forms plugins) or images (such as slider or other image handling plugins) so be sure to check through all of the sub-folders of all of your plugins. Sometimes they will even hide in ‘images’ folders of plugins.
Good luck!
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
First, please don’t link directly to malware scripts
Fixed.
Please remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
I have the same problem.
Yet I found out, the link is in the SQL database. I tried to delete this part in a Texteditor, but it didn’t work.
I deleted all plugins – looked like fixed.
After reinstalling the “Fancybox for WordPress” this porn site was there again.
Do you use “Fancybox for WordPress” too?
imssimi,
I try Yours way and I have this same: when I’ve turned off “Fancybox for WordPress” redirect disappeared. Thanks for the tip!
Today I downloaded the sql database again and there is still a rest of the hack there. I have no resolution for this. I’m not really a crack in stuff like this…. Maybe we get some info’s at this page in the next days:
https://blog.sucuri.net/?s=Fancybox-for-WordPress+
Just that you guys know it’s not made all with this tip. 🙁
Just “de-hacked” a website using bmoar.com/ss.js
You need to search the database with bmoar.com, it’ll tell you it’s in options.
Delete the whole row (key + data).
Go to fancybox settings and reset default settings. you should be back to normal.
Do use a plugin such as wordfence to ban brute-force login attempts. (I set it at 5 max attempts with 60 days ban)
Hope it helps