It all started when I tried to show my friends a javascript file I had put together with Three.js; it was nothing much, just loading a model and putting it on a grid. It worked on my local machine, but not on the remote - it said something about “unexpected character.” After putting a question on Stack Overflow and getting no satisfactory answers, I took a look at what the javascript file was actually getting back from the server when it was trying to load the model. It was a single line:
hacked by hacker
How embarassing.
Site’s obviously back up now. The three things that I had to do were:
1.) Replace the “index.html” and “index.php” files with the default ones from the core wordpress install (I actually overwrote everything, just in case)
2.) Change the line in the htaccess that was redirecting a lot of things (such as the request to get the 3D model, discussed above) to the index.html
3.) Uninstall and reinstall the theme, since the header.php file was also replaced by a php file that simply wrote “hacked by hacker.”
I’m not so sure that all infected files are removed, so I’ll be monitoring closely.