Hidden redirect in hacked site?

One of our WordPress websites running on an Apache server was recently hacked via PHP injection.

The hackers installed hundreds of URLs that redirected to an external eCommerce that sold watches; the URLs were of the form http://www.example.com/eta.php?some_file.html; for example: http://www.example.com/eta.php?Jewellery-Watches-Others-c138-4.html.

We think we have deleted all infected PHP code. However, the hacked URLs, rather than returning 404, now do a 301 redirect to http://www.example.com/?some_file.html (that is, the same URL without the eta.php part), and finally show the website homepage, returning code 200. Please note that my .htaccess file seems to be perfectly clean.

Where is this phantom redirect coming from?

I would be very grateful to anybody that could help me understand what’s going on. I am worried that we did not completely wipe out the hack.

Thank you for your attention!

FURTHER DETAILS

The file eta.php is nowhere to be found on the server. Replacing eta.php with a random file (ex. ate.php) in the hacked URLs yields a 404 code as expected.

In the end I managed to force the hacked URLs to return 404 using the following .htaccess rule:

RewriteCond %{THE_REQUEST} /eta.php
RewriteRule ^(.*)$ - [R=404,L,NC]

Interestingly enough, this other rule did not work, as if the hack was somehow messing with %{REQUEST_URI}:

RewriteCond %{REQUEST_URI} ^/eta.php [NC]
RewriteRule (.*) - [R=404,L]

1 comment

  1. One good thing is to back up your MySQL database and open it in Notepad. Find all links and delete them. After that, save the .sql file and upload it back to see.

    Also look where JavaScript/iframe code is inserted in your HTML file via the source code, find whether it exists in the database, and delete it.

    Also reinstall the WordPress installation, and reinstall plugins and the template (replace all files with new files).

    That is how I have saved many sites.

    You can also do the things that @vard wrote in your comment.
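
The database search suggested in the comment above can be scripted instead of done by hand in a text editor. The following is an added example, not code from the original thread: it scans a plain-text SQL dump for the eta.php?....html URL shape quoted in the question and for script/iframe tags that load from another host. The site host name, the sample rows and the host shop.invalid are constructed assumptions.

```python
import re
import sys
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumption: the site's own host name

INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.I)
# Spam URL shape quoted in the question: eta.php?<name>.html
SPAM_RE = re.compile(r"(?<!\w)eta\.php\?[\w\-.%]+\.html", re.I)
# <script>/<iframe> with a src attribute; mysqldump escapes quotes as \" or \'
EMBED_RE = re.compile(r"""<(script|iframe)\b[^>]*?\bsrc=\\?["']([^"'\\]+)""", re.I)

# Constructed sample lines in mysqldump style (not real data)
SAMPLE_DUMP = [
    r"""INSERT INTO `wp_posts` VALUES (1,'<script src=\"/wp-includes/js/a.js\"></script>');""",
    r"""INSERT INTO `wp_posts` VALUES (7,'<a href=\"http://www.example.com/eta.php?Jewellery-Watches-Others-c138-4.html\">x</a>');""",
    r"""INSERT INTO `wp_options` VALUES (9,'footer','<iframe src=\"http://shop.invalid/w\" width=\"0\"></iframe>');""",
]


def scan_dump(lines, site_host=SITE_HOST):
    """Return (line_no, table, kind, value) for each suspicious string."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = INSERT_RE.match(line)
        table = m.group(1) if m else "?"
        for hit in SPAM_RE.findall(line):
            findings.append((no, table, "spam-url", hit))
        for tag, src in EMBED_RE.findall(line):
            host = urlparse(src).netloc.lower()
            # Relative src (empty host) and the site's own host are local
            if host and host != site_host:
                findings.append((no, table, "external-" + tag.lower(), src))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a dump file given on the command line
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = scan_dump(fh)
    else:
        results = scan_dump(SAMPLE_DUMP)
    for no, table, kind, value in results:
        print(f"line {no}: {table}: {kind}: {value}")
```

Legitimate third-party embeds (video players, analytics) are listed too, so each finding still needs a manual look before anything is deleted from the database.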