Someone probably hacked my WordPress blog and now all links to the next page include a link to an RFI script, which is not on the website anymore though. The URL is like /page/2/?error=http://RFI. The whole thing does nothing, but it annoys me and my visitors. I am quite skilled with Linux and WordPress and spent hours searching for it. It's my own dedicated server. I was unable to locate and remove it, even after running a search for iframe, eval and base64_encode, which are often used by hackers. All I need is to remove this so it doesn't appear in the URL. I am looking for a Linux / security EXPERT, not any newbie. It's running on CentOS with DA. I will pay the guy if he succeeds in removing it.
Let me give you a hint... do these steps:
* download a backup of your site
* download and use EditPlus (open all the files with it)
* do a search for "http://RFI" (it should search all open documents)
* find and edit the link
Look for any include files that are adding anything that looks like 'RFI' into code that generates links. Especially in your theme. Or PM me and I will see if I can fix it.
I searched the whole server for that URL with find/grep but it's nowhere to be found - it's probably somehow encoded. I installed like 3 security plugins but these didn't find anything either. I uploaded a clean version of WordPress and it didn't help. So weird.
If you re-installed WordPress, and it's still happening, that means it is in the database. As another poster mentioned, take a peek at the wp_posts field, and in general, for anything that might be out of place.
I even did a complete server update - "yum update" - and also compiled a new version of Apache and PHP. And it still happens. I checked the database for base64 and eval and found nothing suspicious. This is driving me nuts.
If you'd like, I can take a look at it for you. If you'll provide me with a link etc, I'll be glad to help you out.
I hired someone at oDesk and he fixed it. It was probably a bot spamming the site; WordPress then randomly propagated the URL on all pages.
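
If, as the last post guesses, a bot was requesting the site with this parameter, those requests would appear in the web server access log rather than in the files or database that were searched. An added example (not from any poster in the thread) that flags query parameters whose value is an absolute URL; the log lines, IP addresses and function names are constructed for illustration, and the Apache combined log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:04:11:02 +0000] "GET /?error=http://RFI HTTP/1.1" 200 5120 "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2012:04:11:03 +0000] "GET /page/2/?error=http%3A%2F%2FRFI HTTP/1.1" 200 5090 "-" "bot/1.0"
198.51.100.20 - - [10/Mar/2012:04:12:40 +0000] "GET /page/2/ HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2012:04:12:45 +0000] "GET /?s=linux+tips HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Client IP, request target and status code from one access log line.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)
# A parameter value that is itself an absolute URL is the typical RFI probe shape.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_url_valued_params(log_text):
    """Return (ip, path, param, value, status) for every URL-valued query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if URL_VALUE_RE.match(value.strip()):
                hits.append((ip, parts.path, name, value, status))
    return hits


def summarize(hits):
    """Count hits per (client IP, parameter name) to show who is sending them."""
    return Counter((ip, name) for ip, _, name, _, _ in hits)


if __name__ == "__main__":
    found = find_url_valued_params(SAMPLE_LOG)
    for (ip, name), count in summarize(found).most_common():
        print(f"{ip} sent {count} request(s) with URL-valued parameter '{name}'")
```

To run it against a real log, pass the file's contents to `find_url_valued_params` in place of `SAMPLE_LOG`.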