I think my site was hacked. Redirects to 'badoink' porn app when viewing via phone

Probably a silly question, but did you check for additional files which shouldn’t be there? I had three (static html) sites hacked some time ago. Two had additional directories uploaded and one had files added to the cgi directory, which should have been empty.

They are backed up daily for one week. I do not do them manually, but rely on the host's (eleven2.com) backups. I wish they would do up to a month.

Yeah nothing funny going on with the .htaccess files… I thought that could be the cause as well.

Yup nothing there. I have been hacked before in a similar fashion where it created a lot of directories in my upload folder. But can’t find anything on this install.

On the cencis pizza site I can see signs of infection on a mobile - there isn’t a redirection but there is an advert link overlaid over the site by a company called mobiteasy. Googling around showed up this which indicates the kind of virus involved, and why it’s probably not shown up in the cursory attempts by your hosting company to locate infection.

EastCoast… Thank you I just read that link you posted, although I am not using the “OptimizePress” plugin. So I am not quite sure that is the source of the “infection”.

Also… can you tell me how you came to the conclusion that mobiteasy is on the site? I can’t see it. Thanks again!

Loaded up the site on an android mobile, all that gets displayed is a white page with one link (a mobiteasy url that I didn’t follow). It could be any number of plugins, or themes. I’d download all your online content then do a search through the source of all files (whatever the extension is, as it could be hidden inside e.g. an image and loaded by another script as code) for strings of potentially harmful php functions such as fopen, base64_decode, eval, etc.

I just downloaded a fresh copy of wordpress to search for those php functions, and it looks like many of them already exist within the core wordpress php. Going to try and compare files to see if anything fishy is going on.

FINALLY figured it out!!

Will post details in a bit here once I fix the issue.

One of the sites I’m working on has this problem… I’d love to know if you solved the redirect issue.

I did… will post details this afternoon. Took quite a bit of time to get rid of the malicious code.

What type of site is it happening on? WP?

Here is the solution

So basically what you want to search for in your code is the ‘str_replace(’ function. It will be obvious in your search which files are infected, as there are several hundred encrypted characters side by side in your file.

Check out the attached screenshot. What made this tricky is the beginning of the code starts with <?php, but then has about 1000 blank spaces before the malicious code starts (sneaky *******s). What also made this tricky is the timestamp on the files shows up as unchanged, so they do not look suspect just by viewing them via ftp. It seemed to infect all of my files named index.php, header.php, and functions.php, as well as some various other files. The code is isolated to the very first line of code in all the files.

Hope someone else may find this helpful.
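A scanner for the pattern described in the post above, added here as an example and not code from the thread: it reads only the first line of every file in a downloaded copy of the site, ignores extensions and timestamps, and flags a `<?php` tag followed by a long run of padding or a `str_replace(` call next to a long encoded-looking blob. The thresholds, function names and the harmless sample payload are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Thresholds are assumptions, not values from the thread; tune per code base.
MIN_PAD = 200    # spaces/tabs after "<?php" that count as deliberate padding
MIN_BLOB = 200   # unbroken encoded-looking characters that count as a blob

PADDED_OPEN = re.compile((r"^\s*<\?php[ \t]{%d,}\S" % MIN_PAD).encode())
BLOB = re.compile((r"[A-Za-z0-9+/=]{%d,}" % MIN_BLOB).encode())

def check_first_line(line: bytes) -> list:
    """Return the reasons the first line of a file looks injected."""
    reasons = []
    if PADDED_OPEN.search(line):
        reasons.append("padded-open-tag")
    if b"str_replace(" in line and BLOB.search(line):
        reasons.append("str_replace-with-blob")
    return reasons

def scan_tree(root: str) -> dict:
    """Check line 1 of every file under root; extension and mtime are ignored."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    first = fh.readline(1 << 20)  # cap the read at 1 MiB
            except OSError:
                continue
            reasons = check_first_line(first)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def demo() -> dict:
    """Build a constructed two-file tree (harmless stand-in payload) and scan it."""
    clean = b"<?php\n// theme header\nget_header();\n"
    bad = (b"<?php" + b" " * 1000 +
           b"$a = str_replace('x', '', '" + b"QUJD" * 100 + b"'); ?>"
           b"<?php\nget_header();\n")
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", clean), ("header.php", bad)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

Requiring the blob next to `str_replace(` keeps ordinary uses of that function in WordPress core from being flagged; run `scan_tree()` against a local download of the site rather than the live host.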

I’m on free hosting at the moment, but if I ever go back to advanced hosting, and if I get hacked, I could find this helpful. Although I think I already knew that even if something doesn’t slightly look right, you know right off the bat that something fishy is going on and should be looked into, but I will definitely keep this in mind.

Ideally you’d still find out how the infection occurred, or else there’s nothing to stop it happening again - you’ve fixed the end result, but not the point of access. Remember and change all your passwords used to access your hosting account.

I did change all cpanel/FTP/Wordpress passwords. I also updated all plugins/themes to current. So hoping that will do the trick.

Hi,

My name is Matthew and I work for BaDoink.com.

I am sorry to learn that you encountered this issue, but I’m glad that a fix was found.

In the future, if you run into a similar problem, or anyone here does for that matter, please contact us directly and immediately.

We are a big brand in adult. We run a popular affiliate program. Unfortunately, some affiliates, in violation of our Terms of Service, employ malicious tactics to promote our brand.

We’ve an affiliate management team in house tasked with policing all affiliate activity. When an affiliate attempts to promote us in an unlawful manner, or in a manner that violates our terms, we terminate his or her affiliation immediately.

If you come across this issue again, please get in touch with us at http://www.badoink.com/support/ and we will be able to locate the affiliate and terminate them from our program.

Thanks in advance, and apologies for the inconvenience,

Matthew

Have a website being randomly redirected to nudity sites only when accessed through cell phones (I believe only with iPhone).

This is the link to Optimizepress to locate the corrupted files
https://optimizepress.zendesk.com/hc/en-us/articles/201428836-I-see-strange-ads-or-codes-on-my-site-and-I-think-I-might-have-been-hacked-What-do-I-do-

Thanks everyone. All problems have been solved, patched, answered.

Thread Closed