MichaelBluejay - 12:44 am on Sep 23, 2012 (gmt 0) [edited by: Andy_Langton at 10:43 am (utc) on Sep 23, 2012]
Okay, I took a closer look, and I did find evidence of a hack. But it's still far from clear to me exactly what's going on.
* My home page is "index.html", but I found the file "lndex.php" on my server, that I didn't put there. The first character is a lowercase "L", not a capital "i". I have no idea what this naming scheme accomplishes.
* Opening the file, it's the same as my real home page, except for the following code inserted at the very top, which I don't know how to decode.
* The modification date of the rogue lndex.php file is May 3, 2005. But the contents of the file are from Nov. 2011, the last time I edited my index.html. Did I get hacked seven years ago or recently? If recently, the hackers went to the trouble of changing the filedate on the server?!
* Andy has done a lot of research on this for me behind the scenes. (Thanks!) One thing he found was that my site is serving a weird cookie, which likely is used to determine who gets the real site and who gets redirected, which could explain why I haven't been redirected after my initial click in the Google U.K. SERPs.
* Knowing that I got hacked, I took the following precautions:
-- Moved "lndex.php" above the webspace
-- Changed the passwords for my shell access, root access, and web panel access.
-- Will notify my webhost.
(1) What does the inserted code do?
(2) Did the attack likely happen seven years ago or recently, and if recently, they actually changed the filedate?
(3) How do they get Google to see the "lndex.php" file as the main file for the site?
(4) What more security steps should I take, if any?
[edit reason] fix horizontal scroll via linebreaks, snipped code [/edit]
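An added example, not part of the original post: a check a site owner could run over a web root to surface the two anomalies described above, a file name that imitates the entry page ("lndex.php") and a modification date far older than the file's last change on disk. It assumes a POSIX filesystem where st_ctime is the inode change time; the names LEGIT_STEMS, CONFUSABLE, BACKDATE_SLACK and the functions are hypothetical choices for this sketch.

```python
from pathlib import Path

# Assumptions for this sketch: POSIX filesystem (st_ctime = inode change time),
# and these two stems as the site's legitimate entry-page names.
LEGIT_STEMS = {"index", "default"}
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})
BACKDATE_SLACK = 24 * 3600  # seconds of mtime-before-ctime tolerated


def fold(stem):
    """Collapse visually confusable characters onto one representative."""
    return stem.lower().translate(CONFUSABLE)


FOLDED_LEGIT = {fold(s) for s in LEGIT_STEMS}


def is_lookalike(filename):
    """True for names that only look like an entry page, e.g. lndex.php."""
    stem = Path(filename).stem.lower()
    return stem not in LEGIT_STEMS and fold(stem) in FOLDED_LEGIT


def is_backdated(st):
    """mtime can be set by the file owner (touch/utime); ctime is set by the
    kernel on every content or metadata change, so a ctime far newer than
    mtime means the file was written or re-stamped after its claimed date."""
    return st.st_ctime - st.st_mtime > BACKDATE_SLACK


def scan(webroot):
    """Return [(relative_path, [reasons])] for suspicious files under webroot."""
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if is_lookalike(path.name):
            reasons.append("lookalike-name")
        if is_backdated(path.lstat()):
            reasons.append("backdated-mtime")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings
```

Files restored from a backup or copied with preserved timestamps also show an old mtime with a recent ctime, so "backdated-mtime" on its own is a lead to review rather than proof of tampering; the combination with "lookalike-name" is the stronger signal.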