Conditional redirect code injected in wordpress

Hi there!

I have a few wordpress sites in my hosting account. Some of the got hacked, some not. Basically, two of them are hacked frequently. At one of them I see that there are attempt to login as admin.

I have changed the server pass, ftp pass, mysql pass but the problem is still there. How can I find out how they get in? Please help!

 

Probably some backdoor in the theme or poorly configured server.

 

Try installing a WordPress plugin called "TimThumb Vulnerability Scanner" and running a scan. If it comes up with outdated TimThumb code, it gives you the option to patch it.

You may also want to have your web host take a look at your account(s), as they should be able to quickly identify anything that looks out of place, such as shell scripts or an .htaccess file with malicious redirects.

 

You may find backdoors by several ways:
1) get last modofication time of infected file and find this exact date-time in http logs. You should find a query to some file/script which was used to infect files.
2) check your HTTP logs for POST queries to some strange scripts.
3) search for most popular webshell functions in php files: base4_decode(), eval(), preg_replace() ..
4) search for recently modified files
check logs of all websites at the same server or account.

this guide may help: evuln.com/hacked/redirect.html