If you have been keeping up, I have been posting about ongoing hacks and injections that have hit several of our client websites. Well, we have another to add to the list and hope this information helps you clean up your site as well.
URL BEING INJECTED: http://www.hcifx.com/troyengelhardt/index1261.php
Yes, Troy Engelhardt a designer in Indiana, owner of hcifx.com. Why his domain and name are in my website left by a hacker is unknown to me. Did he do it? I do not know. Was he attacked as well? I do not know. None of that matters right now (although we will be investigating this matter future). What matters right now is getting your site cleaned so that you can get relisted in Google and fast.
Visit your cPanel or Hespia CP and access your database. If you have a ton of sites on your account, you can find the name of your database in the wp-config file within your WordPress website.
Always back up your website and/or database before you work on them. In this case, back up your database first.
Once your phpmyadmin loads your database, click on your database name in the left frame. All of your tables will load on the right side. Click on “Search” at the top. You will start by searching for hcifx.
You will want to search all tables. Press “go” (bottom right).
Once your results appear, if you are like me, you will quickly see where the results are. I had 453 instances. Next to the table it will say “Browse” or “Delete”. I would not recommend deleting this search result. What you will need to do is repeat the search but this time put in the WHOLE string as it appears in your website source code. Once you complete the second search, go ahead and press “Delete” next to the results. NOTE: You may want to “Browse” first to make sure that the results do not include any of your legitimate posts or pages.