It sounds like you have a hidden script running to re-generate the hack. There are three ways of solving this problem but as in all hacked sites the emphasis is to get it up and running asap. (So I'll try to keep it short)
As advised, change your FTP password and again after you have finished - you could even suspend your site and only allow your IP address until fixed.
To work out the problem, grab yourself a nice cup of tea and.... Relax, it's going to take 30 mins to an hour to sort out!!
Ah.. That's better, now where to begin.
You will need to look at the whole file structure, a pain in the backside, but the more often you do this the more familiar you'll become.
1. I would look into the following files, malicious scripts hide by disguising themselves as genuine code especially google code. This is well documented and just about everywhere on the tinternet.
Files to check straight away: .htaccess, index.php, header and footer files - just about any file that is called on the majority of pages. (oscommerce hacks affected the application-top and includes files so I wouldn't overlook this for magento)
Look at the following folders: media/images, js. - rogue html and php files are hidden in here - there may be a way of setting this folder which disables the running of scripts (I have done it with oscommerce). Within these large files you will find URLs for lots of sites that have nothing to do with you.
Check for files that have google validation references in the title and end with .php (in the root directory) loose files, careful you may have a genuine file or two in here.
Look for files with strange names that don't seem to fit in, i.e. blue.php, calc.php etc. and take a look at the code, if it's very different to magento's usual structure it's probably malicious.
Great! I have removed all the files and code, now what!
Re-set file permissions with magento-cleanup.php (as previously suggested)
Change your FTP password again
2. Now we have to get google to remove the Trust screen when visiting your site - (That's not good what will our customers think / Bugger!!! I didn't stop adwords - urls not working ads now disapproved… and on and on).
Once you are happy that you have removed all the code and malicious files, go to your website and click the link to re-submit your site to google for checking - it will take you off to a different page where you have to indicate that you have checked the site etc. and press submit - about an hour later wheyhey the site's live.
3. Backup everything:- Database and Site ('Cause we're not going to get caught out again).
3b. Check your code again and keep checking it over a 48hr period - Now you know what you are looking for! If the malware returns within this period you will know you didn't get rid of all the code and files in the first place.
3c. In future - Routinely check your file structure and set up a log for all access and changes made to the root folder.
3c. In future - Routinely check your file structure and set up a log for all access and changes made to the root folder.
Now, go and get your tackle out here… http://www.ukfishingandcamping.com
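
The repeat checks in steps 3b and 3c, and the media/js inspection from step 1, can be scripted. This is an added example, not part of the original post: it hashes every file under the web root, reports what was added, changed or removed since a baseline, and lists script or HTML files sitting in `media` or `js`. The function names, extension list and sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

ASSET_DIRS = ("media", "js")  # folders the post says to inspect
SCRIPT_EXTS = (".php", ".phtml", ".html", ".htm")  # assumed list, adjust to taste

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def scripts_in_asset_dirs(snap):
    """Script or HTML files in asset folders: candidates for manual review."""
    return sorted(p for p in snap
                  if p.split("/")[0] in ASSET_DIRS and p.lower().endswith(SCRIPT_EXTS))

def diff(baseline, current):
    """Files added, changed or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def demo():
    """Constructed sample: a cleaned site, then the malware comes back."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // store front")
        _write(root, ".htaccess", "Options -Indexes\n")
        _write(root, "js/lib.js", "var a = 1;")
        baseline = snapshot(root)  # taken right after the clean-up
        _write(root, "media/images/blue.php", "<?php // dropped file")
        _write(root, ".htaccess", "Options -Indexes\n# injected line\n")
        current = snapshot(root)   # taken during the 48hr watch
        return diff(baseline, current), scripts_in_asset_dirs(current)

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to, otherwise a returning script can alter it along with the site files.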