
Possible Duplicate:
My server's been hacked EMERGENCY

We usually host our clients' sites, but we aren't hosting this one. The website itself (weddle-funeral.com) works just fine. If you load Google and search for "weddle funeral stayton oregon" and click that link, the site links to a scammy pill site.

I went through the site and there were some PHP files in the WordPress plugins that got quarantined by my antivirus.

I removed ALL non-essential files and uploaded fresh versions of all the plugins, but it's STILL redirecting from Google.

I tried logging in to the cPanel (on a virtual private server), and cPanel flashed a red warning screen:

The site's security certificate is not trusted! You attempted to reach XXXXX.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

(Keep in mind, that's for the HOSTING account's cPanel.)

Is there something in the SERVER probably that's causing the redirect?

EDIT: .htaccess file contents

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
Xhynk
    Did you check for changes to the .htaccess file? I wouldn't worry about the security warning as most shared hosts use self-signed SSL certs which cause this. – j08691 Sep 21 '12 at 20:38
    The .htaccess file seems to be just the standard WordPress .htaccess - added as a note to the question above –  Sep 21 '12 at 20:40
  • When you said "I removed ALL non essential files, and uploaded fresh versions of all the plugins" does that include your theme(s) too? – j08691 Sep 21 '12 at 20:43
  • Yes - All the extra themes (twentyeleven/ten) have been removed, and the necessary files have been reuploaded from a fresh version –  Sep 21 '12 at 20:46
  • and a fresh 'reinstallation' of the newest WordPress –  Sep 21 '12 at 20:48

1 Answer


This isn't a ton of insight, but this looks like a variation of the WordPress Pharma Hack, which provides different content to the Googlebot. In this case, the malicious code on your site seems to be detecting Google as a referrer and providing alternate content to the visitor. Basically, your site is compromised, and you'll need to sanitize it (I'm not an expert in that, but I imagine it would involve reinstalling core & plugins from source, and picking through the DB with a fine-toothed comb).

If your cPanel cert is bad, then that would be a possible vulnerability to compromise your hosting account.

  • Not just reinstalling... *deleting* and reinstalling. The files for this stuff can be separate scripts that can be used to access the host ("remote admin" / "file manager" scripts etc) and even reattach the bad stuff to WP proper. – cHao Sep 21 '12 at 20:56
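The behaviour the answer describes (one page for a plain visitor, another for someone arriving from a Google search, another for Googlebot) can be confirmed from outside the server before and after each cleanup attempt. The script below is an added example and is not code from the original thread; it fetches the same URL with three header sets without following redirects, then reports off-site redirects, title changes and pharma keywords that appear only in the cloaked variants. The User-Agent and Referer strings, the keyword list and the 200 KB read limit are assumptions chosen for this example; real cloakers key on other values too, so extend PROBES as needed.

```python
"""Probe a site for referrer/user-agent cloaking of the kind used by the
WordPress pharma hack. Added example for this thread, not the thread's code.
Usage: python probe_cloak.py http://weddle-funeral.com/
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# One header set per probe. Strings are assumed values for this example.
PROBES: Dict[str, Dict[str, str]] = {
    "plain": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/22.0 Safari/537.36",
    },
    "from_google": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/22.0 Safari/537.36",
        "Referer": "https://www.google.com/search?q=weddle+funeral+stayton+oregon",
    },
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    },
}

# Words typical of pharma spam pages (assumed list; tune to taste).
PHARMA_WORDS = re.compile(r"\b(viagra|cialis|levitra|pharmacy|pills?)\b", re.I)

# (status, lower-cased headers, body)
Response = Tuple[int, Dict[str, str], str]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, headers: Dict[str, str]) -> Response:
    """Fetch url with the given headers; 3xx responses surface as HTTPError."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            body = resp.read(200_000).decode("utf-8", "replace")
            return resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, body
    except urllib.error.HTTPError as e:
        body = e.read(200_000).decode("utf-8", "replace")
        return e.code, {k.lower(): v for k, v in e.headers.items()}, body


def title_of(body: str) -> str:
    """Extract and normalise the <title> text, or '' if none."""
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def outbound_host(location: str) -> str:
    return urllib.parse.urlsplit(location).hostname or ""


def compare(base_host: str, results: Dict[str, Response]) -> List[str]:
    """Compare every probe against 'plain'; an empty list means no cloaking seen."""
    findings: List[str] = []
    plain_status, _, plain_body = results["plain"]
    plain_title = title_of(plain_body)
    for name, (status, headers, body) in results.items():
        if name == "plain":
            continue
        loc = headers.get("location", "")
        # A 3xx to another host is the classic "click from Google" redirect.
        if 300 <= status < 400 and outbound_host(loc) and outbound_host(loc) != base_host:
            findings.append(f"{name}: redirected off-site to {loc}")
        # Same status but a different title is the Googlebot content swap.
        elif status == plain_status and title_of(body) != plain_title:
            findings.append(f"{name}: title differs ({plain_title!r} vs {title_of(body)!r})")
        if PHARMA_WORDS.search(body) and not PHARMA_WORDS.search(plain_body):
            findings.append(f"{name}: pharma keywords present only in this variant")
    return findings


def probe(url: str) -> List[str]:
    """Run all probes against url and return the findings."""
    host = urllib.parse.urlsplit(url).hostname or ""
    return compare(host, {name: fetch(url, hdrs) for name, hdrs in PROBES.items()})


if __name__ == "__main__":
    for line in probe(sys.argv[1]) or ["no differences between probes"]:
        print(line)
```

Run it once before touching anything, then after each reinstall; if the "from_google" probe still reports an off-site redirect while the .htaccess is the stock WordPress one, the redirect is being issued from PHP (a file outside the reinstalled set, or code loaded from the database), not from the rewrite rules. Because the script never follows the redirect, it also records the destination host without visiting it.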