Hacked!

I was in the middle of my migration from Dedibox to Dreamhost. I did it for cost and time reasons (this time the server is shared, so I just have to update my applications, not the system). I backed up my files and saved them locally…

While uploading them to my new host, I saw some weird .htaccess files owned by root in the transfer log. I never wrote them. Weird; let's see what they are, maybe they were written by my web applications…

Hacked

A .htaccess file is a per-directory Apache configuration file; among other things, it can redirect every web request for that directory to another server. Root is the user on *nix systems with all the rights, so a root-owned file in the web tree was normally not written by the web server's unprivileged account.

After reading those files, I was sure I never set them up. They were redirecting every visitor coming from a search engine to a porn site (I simplify a little).
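The kind of rule described above is easy to spot once you know what to look for: a `RewriteCond` on `%{HTTP_REFERER}` naming search engines, followed by a `RewriteRule` to an absolute URL on another host. The script below is an added example (not code from the original post) that scans a web tree for .htaccess files matching that shape; the directory layout, the benign CMS rule and the malicious rule are constructed for the demo, and the target host `example.invalid` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: flag .htaccess files that
# redirect search-engine visitors elsewhere based on the Referer header.
# Paths and rule text below are constructed for this demo.

# Print every .htaccess under $1 that contains a referer-conditioned
# RewriteCond mentioning a search engine AND a RewriteRule whose target
# is an absolute http(s) URL. Prints nothing when none are found.
find_referer_redirects() {
    find "$1" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}.*(google|bing|yahoo|msn|ask)' "$f" \
           && grep -qiE 'RewriteRule[[:space:]]+.*https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a throw-away web root with one benign and one malicious .htaccess
# so the scanner can be exercised offline; returns the root path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/blog/wp-content"
    # Benign: the usual pretty-URL rewrite of a CMS, internal target only.
    cat > "$root/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
EOF
    # Malicious (constructed): visitors arriving from a search engine are
    # bounced to an attacker-chosen site; direct visitors see nothing odd.
    cat > "$root/blog/wp-content/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\. [NC]
RewriteRule .* http://example.invalid/landing.php [R=302,L]
EOF
    printf '%s\n' "$root"
}
```

On a real host, run `find_referer_redirects /var/www` and also compare ownership (`find /var/www -name .htaccess ! -user www-data`, adjusting the account name to your setup): a rewrite file the web server could not have written is exactly the signal the post describes. Testing with a search-engine Referer from the shell (`curl -H 'Referer: https://www.google.com/' ...`) shows the redirect that a direct visit hides.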

This means my web server had been compromised. The hacker had full control of my server, so he could have deployed new PHP scripts in the middle of my applications. Those hypothetical scripts could give him access to my new system, i.e. my new hosting provider. I had to review every line I imported to my new host to make sure I did not import a backdoor.

I imported the bare minimum (in this blog's case: a database export and the skins) and reinstalled everything from scratch. This took me only a week (well, I have a real job too).

Of course, some friends (Luc and Fred) warned me about weird redirections… But I was in the middle of my DNS switch-over, and they were using Google and Firefox (which often redirects by itself to the first Google result).

The lesson of all that: listen to your friends…
