I have a weird hacking case with one of my wordpress sites. It's a small site, basically shows 5 blog posts on whether or not the office will be open/closed. It's not too complicated or anything, but it was hacked and now redirects to some spam/malware sites.
Basically the site loads the pages, and after about 3 seconds it redirects. I've checked the header.php, index, footer, and don't see anything obvious, plus they weren't listed as being changed. The other thing that is weird is I ran a linux command to search for files that have been changed in the last 10 days, and the only ones that came back were ones I touched while checking for these redirects and doing :wq with vi. It doesn't seem like anything on the php/backend side is doing this redirect.
It is hosted on a apache linux server. Would there be somewhere else I can check to see if this redirect is being made? If there was something that was causing it in the php files, wouldn't it redirect immediately instead of letting the site load? There isn't an .htaccess and I don't see anything obivous in the apache.conf file.
After doing some digging I found that there is some script injects in all pages. The script redirects to a page where there is some malicious content. However, the wordpress version control does not say that these pages were edited. It doesn't have anything historical that looks like this had happened. Is it possible that something was changed in the wp-admin to inject these scripts in the editor? Or if you make changes to the wordpress database for a page does it not create a new version? Where would I check that? What permissions should my wordpress site have?
Thanks for the help!