Site hacked, but can't find the code
-
Discovered some really odd words ranking for us in WMT. Looked further and found pages like this www.pdnseek.com/wll/canadian-24-hour-pharmacy. When you click it it redirects to the home page. The developers can't find /wll anywhere on the site. The pages are indexed and cached.
Looked at the back links in moz and found many backlinks to our site from other sites using URLs like this. The host says there is nothing on the server, but where else could it be. We've run virus scans, nothing, looked through source code, nothing.
Anyone with some idea? www.pdnseek.com is the URL
-
This search gives you a pretty substantial list of them as well: https://encrypted.google.com/search?hl=en&q=site%3Apdnseek.com%20inurl%3Awll. Running off of the first one it looks like the 301 redirect is also pinging your XMLRPC and likely a consequence of being hacked through that file in your Wordpress implementation: http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html. You'll want to update and tighten up your Wordpress install, create an admin that's not named 'admin', and noindex the /wll/ location.
See also: http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/
-
It looks like your hosting provider may have cleaned this up already for you. It may be worth checking with them.
I'd also dig into your .htaccess, make sure it's exactly what you expect. Since these don't seem to be live I'd update your sitemap, check what URLs are in there, and resubmit that sitemap to WMT so they stop seeing those URLs as well.
-
use sucuri.net to do a full website scan and see if it's still infected (and where it's infected). the scan if totally free.
-
05107
-
08209
-
07324
-
03338
-
05408
-
04271
-
02280
