• I’ve a site with WordPress 4.4 … and I’ve detected a redirect to “https://div-class-container.ru/form/” when loading the home page.

    I can see a code like:

    [ Malware Redacted ]

    And it comes something like:

    [ Malware Redacted ]

    I’ve been searching for this redirection in all my site files and I find nothing. I’ve also searched for “Qi_ktkgyr” or anything suspicious… but nothing…

    The code is written after footer… what else can I do?

    I’ve disabled ALL plugins and I only have the Twenty Fifteen 1.4 theme…

    Thanks!

Viewing 9 replies - 16 through 24 (of 24 total)
  • Thread Starter Dabezt

    (@dabezt)

    @neotechnomad I’ve only quttera plugin. What plugin do you recommend to me?

    @tdnp I’ve checked .htaccess and nothing suspicious there… Also, I can’t find suspicious php files

    @bobnwp Strong passwords here…

    All: I think the attack came through the old Revslider plugin some months ago…

    Thanks

    @dabezt

    I don’t know your server environment or anything else, but basically a good security policy on a web server comes from:

    – if you have access, a root user of the OS that you only use once (or as little as possible)
    – again if you have access, several levels of admins that touch only certain folders (in the case of WordPress, chmod, but only for the given folders & subfolders)
    – even in that case, a “wordpress user” can’t output, only write to some folders with a given key (with OpenShift Red Hat Linux for example, any user must be double checked by an i/o passphrase, a bit like PGP encryption)
    – and this way, even if the server is utterly not very secure, the cascade of rights makes it practically unbreakable.
    – after that, like I said, if the webserver (apache, nginx and so on) is at the first step not controlled a bit with ports i/o, you’re running a never-ending passhole that WordPress can only follow – it’s not its business; the business of WordPress is a CMS.

    Not sure if the old plugin was the source; do you have the origin of the attack traced in logs?

    hope this helps,

    I’ve only quttera plugin. What plugin do you recommend to me?

    Though I do not endorse one plugin over other plugins, Sucuri Security is what I use on the client sites I administer. It has to be configured, but it has a good malware scanner and hardening options, plus an option to use their online scanner. You could try it and see.

    Have you looked throughout all files above the root, or in the cgi-bin or htpasswds files in the root, to see if something is hidden there?

    Though considering what you have gone through here, and I know it sounds drastic, it may be better to drop your db and wipe everything out and begin afresh. For all you know, it could be within an image somewhere, written with steganography.

    I’m sorry to say this is not a good idea: if your webserver is fleeing from the left, you won’t make a patch on the right.

    Not that I underestimate the value of any security plugin, but the first steps are on the server. I wonder how dropping the database can help in any way? A database can’t contain any form of executable by design. At worst, a nyancat in a jpeg if the coder is dumb enough to store images inside.

    I apologize for nyan cat jpegs, which are nice but statistically contain a lot of malware directly inside, or with attached dumb work powerpoints or so.

    @Digico Paris

    Though I agree with you, considering that most of the obvious options, such as what you and Jan Dembowski provided, have been investigated, I was merely trying to consider options outside of the norm, trying a bit of lateral thinking.

    @neotechnomad

    Was just trying a little black humour, sorry.

    Yes, lateral thinking is often what makes the biggest innovations (one more sentence and I’ll quote Schumpeter).

    @Digico Paris

    No need to apologise.
    Dumping the db and starting over is a last resort, though I must admit, I am out of ideas.

    mmm, it’s your issue too?
    Well, I guess we all missed something overall, something too simple to think of at first sight?

    Do you use a VPS/dedicated server or shared host?

    Thread Starter Dabezt

    (@dabezt)

    Thanks all for your help… I appreciate all the instructions or recommendations on not getting infected again, and all the instructions to rebuild the site, restore it, etc…

    but what I’m looking for is to find where the malware code is right now. I’ve searched (with grep, etc.) in all ‘text’ files (php, js, html, css, etc.) and I can’t find the malware code (I put the malware code in my first post here).

    BTW: I have the site on a shared host, but I have 2 or 3 sites in the same hosting package, and only 1 is infected.

    Thanks.
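As an added example (not code from this thread or from any plugin mentioned in it), a small Python scanner that does what the later replies suggest when grep over the ‘text’ files turns up nothing: it reads every file under the site root regardless of extension, hidden files and images included, flags the redirect domain and token quoted in the first post together with common PHP obfuscation markers, and lists files modified recently. The pattern list, the PHP extension list and the 30-day window are assumptions for the example.

```python
import os
import re
import time

# Constructed indicator list: the domain and token from this thread plus
# generic obfuscation markers. Extend it with anything else the injected code used.
PATTERNS = {
    "redirect-domain": re.compile(rb"div-class-container\.ru", re.I),
    "thread-token": re.compile(rb"Qi_ktkgyr"),
    "obfuscated-eval": re.compile(
        rb"(eval|assert|create_function)\s*\(\s*"
        rb"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "hex-escaped-string": re.compile(rb"(\\x[0-9a-fA-F]{2}){8,}"),
    "php-tag": re.compile(rb"<\?php", re.I),  # reported only outside PHP files
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumed set of legitimate PHP names


def find_indicators(data, filename):
    """Return the names of every pattern matching the raw bytes of one file."""
    is_php = filename.lower().endswith(PHP_EXTENSIONS)
    hits = []
    for name, pat in PATTERNS.items():
        if name == "php-tag" and is_php:
            continue  # a <?php tag is only suspicious in a jpg, ico, txt, ...
        if pat.search(data):
            hits.append(name)
    return hits


def scan_tree(root, recent_days=30):
    """Walk every file under root (any extension, dotfiles included) and return
    ({path: [indicator names]}, [paths modified within recent_days])."""
    hits, recent = {}, []
    cutoff = time.time() - recent_days * 86400
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            found = find_indicators(data, fname)
            if found:
                hits[path] = found
            if os.path.getmtime(path) >= cutoff:
                recent.append(path)
    return hits, recent
```

Run it against the account root (one level above public_html, so cgi-bin and other files above the web root are covered) and review every hit and every recently modified file by hand, since legitimate minified scripts can also trip the hex-escape rule.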

  • The topic ‘Unwanted redirection to .ru domain’ is closed to new replies.