Last Friday, our demo server was blacklisted by Google. I came to know about it when one of our potential customers reported that our template demo site was showing a red warning in Google Chrome. I was like, WTF?
Well, I started investigating, deleted all the extra FTP accounts and changed all the passwords. I found that the .htaccess files in all the folders had a weird redirect to some bloody Russian website. Slowly I found that all of the folders had this file. I started deleting them and it took an hour to clean up. Then, a few hours later, I found the same .htaccess files again in the same locations. I was sure the hackers must have placed some backdoor file that was doing this nuisance. Since this server had more than 85 Joomla websites, it was absolutely impossible for us to check each file one by one to find the infected file.
First of all, we upgraded all the websites to the latest Joomla version and then started checking again. The .htaccess files were still getting created.
Finally, what I did was download the access.log for the server. I found a lot of continuous POST requests from a Mozilla PC user agent. Damn, I knew this was it, since I use a Mac full-time!
There was one file which had a long encoded code, and it was in such a location that even my grandchildren would have skipped it. Phew!
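The triage described above, turned into a script as an added example (this is not code from the original post, and the log lines below are constructed, not taken from the author's server): it parses Apache combined-format access log lines, keeps only POST requests, and groups them by target path so that a hidden PHP file receiving a stream of POSTs stands out against the handful of Joomla endpoints that legitimately take POSTs. The "expected" endpoint suffixes, the static-directory list and the dot-directory heuristic are assumptions chosen for this example, not anything the post specifies.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the post's server).
# One attacker IP repeatedly POSTs to a PHP file hidden in a dot-directory under images/.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 Safari/535.19"
203.0.113.7 - - [12/Mar/2012:10:01:05 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 Safari/535.19"
198.51.100.23 - - [12/Mar/2012:10:01:09 +0000] "POST /templates/beez/images/.cache/sys.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
198.51.100.23 - - [12/Mar/2012:10:01:11 +0000] "POST /templates/beez/images/.cache/sys.php HTTP/1.1" 200 298 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
192.0.2.14 - - [12/Mar/2012:10:01:14 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 8812 "http://demo.example/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 Safari/535.19"
198.51.100.23 - - [12/Mar/2012:10:01:20 +0000] "POST /templates/beez/images/.cache/sys.php HTTP/1.1" 200 305 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.9 - - [12/Mar/2012:10:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 Safari/535.19"
"""

# Apache combined format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: these are the only Joomla endpoints that should normally receive POSTs
# (front-end forms/login and the administrator back-end).
EXPECTED_POST_SUFFIXES = ("/index.php", "/administrator/index.php")

# Assumption: directories that should hold static or generated content, never request-handling PHP.
STATIC_DIRS = ("/images/", "/cache/", "/tmp/", "/logs/", "/media/")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def path_reasons(path):
    """Return the list of reasons a POST target looks like a planted backdoor (empty if none)."""
    reasons = []
    if not path.endswith(EXPECTED_POST_SUFFIXES):
        reasons.append("POST to a non-standard Joomla endpoint")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden dot-directory or dot-file in path")
    if path.endswith(".php") and any(d in path for d in STATIC_DIRS):
        reasons.append("PHP file under a static-content directory")
    return reasons


def suspicious_posts(lines, min_hits=1):
    """Group POST requests by path and report the paths that trip any heuristic,
    most-hit first, with the source IPs and user agents seen for each."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
    report = {}
    for path, s in stats.items():
        reasons = path_reasons(path)
        if reasons and s["hits"] >= min_hits:
            report[path] = {**s, "reasons": reasons}
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["hits"]))


if __name__ == "__main__":
    for path, info in suspicious_posts(SAMPLE_LOG.splitlines()).items():
        print(f"{info['hits']:5d} POST  {path}")
        print(f"      from {sorted(info['ips'])}  UA {sorted(info['uas'])}")
        for r in info["reasons"]:
            print(f"      - {r}")
```

Run it against a real log with `suspicious_posts(open("access.log"))` and raise `min_hits` to cut noise on a busy server. The suffix allow-list is deliberately loose so that Joomla installs living in subfolders still pass; a backdoor that calls itself `index.php` is therefore only caught by the dot-directory and static-directory checks, so review the full per-path POST counts as well rather than trusting the heuristics alone.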
Deleted it and we are good now.