Your site has almost certainly been hacked. Search on "remove malware from website" and you should find some good advice.
No doubt your server has been hacked - and they installed a hidden file on the server that keeps overwriting the files when you try to fix them. This kind of hack has now been around for several years and the coders (criminals) have become way too sophisticated.
I just recently struggled with a similar "parasite content" hack and because the client had sub-standard hosting support, IMO - the only practical fix we could put together was to migrate their site to another web host.
This is also a reason I tell people don't use shared hosting if you can avoid it. No matter how good the hosting is, any customer that doesn't know what they're doing, which is the majority, can allow the server to be compromised by running outdated software that has known vulnerabilities.
I found a host a couple of years ago that had 50% of their shared hosting clients index pages infected on at least 20 servers that I tested. It was nearly a thousand domains involved, maybe more.
Bottom line, even if you clean up your account it can get infected over and over if you remain on that server so I agree with Tedster that moving to a new host is probably the best strategy.
The other possibility is your local machine, that's what happened to me a couple of years ago when somehow mine got infected with a keylogger script. So, besides getting in touch with your host be sure to scrub your local machine with AV and anti-malware programs.
|Most importantly, how do I stop this dead in its tracks? Any help would be severely appreciated. |
Any chance you're using Plesk? If yes you need to change ALL passwords. More info: [kb.parallels.com...]
You need to go through your logs, see which files they did modify, either htaccess, php and html files.
It looks like you're using AJAX to generate the content, look in php & js files for code surrounded by c3284d.
More info here too: [stopmalvertising.com...]
Thank you for your thinking on the matter. This was indeed something that drove me insane; however for now I have changed all possible passwords and so far it seems to be working, which makes me think that somehow somebody's rubbish stole my passwords and automatically re-uploaded versions of my website with the code in it. Now they don't have the passwords anymore they can't quite do it.
Please write your senate that we, the people, would like to have the death penalty instated for creators of malware.
You're welcome. :) It is a password issue indeed.
Just a quick question if you don't mind. Any chance that you're using Filezilla? And if yes, did you have malware on the PC recently?
Thanks for your time.
I did use Filezilla up until a few weeks ago, but just took a wild guess at some point that if the file uploaded is different than the original on my computer, it could be the FTP software that is rewriting it right before uploading it, so I uninstalled Filezilla and now use Coffee cup.
Coffee cup doens't seem to upload all the pictures correctly unfortunately, but the text files are uploaded right. Haven't had problems of files uploaded being different than the originals as far as I can make out. Hopefully it won't start later.
I don't believe that Filezilla can be bad !
The server has just been hacked, nothing else to look at.
Some hacks may take a while to be implemented..no rush ..
re ..filezilla "vanilla" problems..
( there are many more threads and posts here and elsewhere on the net about filezilla vulnerabilities )
Perfectly possible that the hacker knew how to get in for quite some time..and merely waited until they felt the moment was propitious..
When I did mention FileZilla I was refereing to the fact that passwords are stored in plain text and Filezilla among others is a target by malware. The malware steals the creditials and uploads them to a remote C&C server. That's one of the reasons why websites get hacked.
The latest version of ProFTPD still is vulnerable to the "Roaring Beast" root exploit, meaning this is a possible vector too for the infections. Note that Plesk Panels contains a copy of ProFTPD.