WordPress Site Redirects To Porn On iPad

Did you follow all of these steps?
https://codex.www.ads-software.com/FAQ_My_site_was_hacked

I deloused a system last week that had this particular infection. It seemed to restrict itself to files inside wp-content/ other than the wp-config.php file. It was attracted to many files named index.php as well as several theme and plugin files

I noticed that the infected files were all over 24K in size so I ran the linux find command to find files over that size and piped the resulting files to less, ignoring image files:

find . -type f -name "*.php" \( ! -name "*.png" -a ! -name "*.jpg" -a ! -name "*.mo" \) -size +24k -exec less {} \;

I ran a few variations on the file extension just to be sure.

I also found the files with the name “.. ” which you could easily miss. Again I used find to find them ??

find . -type f -name ".. "

I also ran diff checks over themes, plugins and core files to see if there were any changes anywhere else.

@mark (podz) Thanks, I will have a look at those points…

@dave Naylor you are right there, I forgot about the file “..” in the root and I have found the php code not only on the wp installation too… how you have clean it?.. just deleting the line 1 of the file infected?… Have you found any backdoor or the main source?

I replaced any files I found with clean originals. I also replaced every WordPress core file and re-did the wp-config files.

As for the “.. ” files, note the space at the third character.

@robnilas: What is the site in case? Can you send it over (even if in private)? I would love to take a look and see why our sitecheck scanner missed it.

thanks,

@daniel to protect the client id I have send you a private msg to your username…

@dave THANKS for the help!! I have done most of that, but I was missing the “re-did the wp-config” …