You are describing a classic hack. I am sorry to hear your client’s site is damaged. Do you or the hosting company have a full backup for the site? The fastest and most sure way to repair the site is to restore from a backup made before the hack.
Without a backup your only permanent solution is to repair the site. Follow this guide.
When you’re done, you may want to implement some (if not all) of the recommended security measures.
Hi there,
Thanks for your suggestions. I think I have been hacked at the server level or something is being injected. I followed many of these steps and nothing has helped. It’s definitely not coming from any other plugin to say the least. If I was better with Chrome Dev tools I would check the load order of scripts to try to determine which one this is coming from! Just trying to find tutorials on how to do just that is also very difficult though.
If anyone has crazy good skills at load orders can you try and see where the malicious code on this page is loading ‘from’ ?
http://www.socialmediaminder.com/fastactionbootcamp
The malicious code typically sits just above the YouTube video, however, on refreshes of the site it may disappear – if you clear cache and refresh, it will pop back up. I can verify that it is not a plugin conflict as I have deactivated all plugins and it still shows up. I have also searched the db and it is nowhere in there either. My only other thought is that it must be being injected from somewhere – I just kind of suck at troubleshooting in Chrome Developer tools / Firebug to figure out ‘where’ and ‘when’ it’s exactly getting inserted.
Any help is appreciated!
I understand your logic of tracking down the result and then working backwards. Unfortunately, hacks do not work in a logical order. You have had malware added to an existing file or files and likely have had new files added that contain nothing but malware.
It’s important to delete all the suggested items in the guide. This gets rid of all the files that shouldn’t be there. Then when you load new files, it will overwrite any malware that has been added to a theme, plugin or core file.
There is also a possibility that the database is involved. Cleaning it is described in the guide as well.