Our site, lasiksurgerynews.com, is experiencing a very strange hack that I have been unable to locate and I would appreciate your suggestions.
Here is what is happening:
works just fine and is not hacked but the secure version of the site - https://lasiksurgerynews.com
- IS hacked and is a completely different site from what you see on the non-SSL version. As a matter of fact it is a Joomla-based site called "My Photo Battle" and we have never used Joomla for any of our sites.
The other bit of information that may or may not help is that we have a primary and a backup server in place for this site. Currently we are running on the backup server (IP 22.214.171.124) but the malicious site showed up in Google a few months ago while we were running on our primary server - located at a different hosting company, location, IP address, server, etc.
First of all, we do not have an SSL certificate for the site. Second, the hacked site appears to come from the same server, both on IP 126.96.36.199. It also appeared to come from the same IP as the primary server when the site was running on it.
Because the malicious site seems to be independent of where the site is hosted, I do not think it is a server hack. I have scanned all of the files in the site, which is a simple PHP-based site (even though most file extensions are .shtml). Just some PHP includes and then lots of static html content on every page. Nothing terribly complicated or database-driven.
I have checked htaccess files, scanned all of the files for base64 hacks, looked for meta redirects, and run through online scanners. Nothing comes up. If anyone has any suggestions I will be extremely grateful.
The only other thing I can think of is an SSL hack? I don't even think it's possible, but one thing I did try is to rewrite https to http in the root htaccess file but the rule is ignored since the malicious site is not running from our web root.
Thanks for your assistance.