Tracing a hacked website

Printable View

Aug 15, 2012, 23:55
corbyboy

Tracing a hacked website

Hi guys, I am looking for help tracking how a client's site has been hacked.

The site is located at kingcards.com

It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometime just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.

I am unable to find out exactly where the redirect is and this is what is causing the frustration. I have used redirect checkers and "view as Googlebot" tools and they all render the site properly as it should.

His webhost is not being much help and using this as an excuse to sell him a VPN.

If anybody could give me any ideas on where to start looking I would be grateful.
Aug 16, 2012, 02:50
cheesedude

Quote:

Originally Posted by corbyboy

Hi guys, I am looking for help tracking how a client's site has been hacked.

It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometime just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.

I am unable to find out exactly where the redirect is and this is what is causing the frustration. I have used redirect checkers and "view as Googlebot" tools and they all render the site properly as it should.

If anybody could give me any ideas on where to start looking I would be grateful.

The first step is to determine where the redirect is coming from, keeping in mind that some code may test which browser is being used and only include the redirect code when specific browsers are being used (such as IE). So the Google page viewer and redirect checkers may not see it. Is it a Javascript redirect embedded in the HTML source? A link to a Javascript file somewhere else? Or is it a redirect from the server?

If you see any kind of Javascript (or any other code) that is obfuscated to make it impossible for a human to read, that is a certain indicator that the code is malicious. Legitimate coders don't need to hide their code. Hackers do.

Then it is a matter of finding the code producing the redirect to the malicious sites. Often it is in index.php or one of the main site files. But it could be elsewhere. For example, if it is a database-driven site, the redirect Javascript code could be in the database.

I had a similar problem. I had a habit of not checking for updates for open source scripts. SMF and Joomla were hacked and also I believe my Wordpress was hacked last year. In one case, the main index.php file had a small piece of code added at the bottom which tested the visitor's browser and if Internet Explorer was used, it added an iframe to a site containing a trojan. I usually used Firefox or Opera, so I never saw it. One day I decided to test the site using IE7 and my antivirus alerted me to the malicious code.

What should be done is for all user files be deleted and replaced with backups that are known to be uninfected. If there was an existing vulnerability that the hacker exploited it may be exploited again. These hackers like to put in backdoors so if the malicious code is found and removed, they can regain access to the site. A fresh installation of all files is best.

Start by identifying where the redirect is coming from by looking at the HTML output for Javascript redirects, keeping an eye out for code which may or may not be obfuscated. (For safety reasons, you may want to disable Javascript when checking with your browser.) Then check your main site files like index.html, index.php etc. My guess is that it is a Javascript redirect in the HTML source.
Oct 26, 2012, 03:07
ClickSSL

@cheesedude - You have provided exact answer to this question. Hacking is such a big and growing issue on the internet. Malware is common term for malicious software and increasing difficulty over the internet. Hackers install malware by using safety weakness on servers and fast access to websites. And as you said it is not visible to human. Hackers apply it to reach viruses, hijack PCs or theft important information for example credit card numbers or other private data. So it is always better to keep our website away from hackers using anti-malware product.
Oct 26, 2012, 05:20
EastCoast

Quote:

Originally Posted by corbyboy

Hi guys, I am looking for help tracking how a client's site has been hacked.

It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometime just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.

Have you seen this in effect yourself, or has this only been reported by the client - if it's only the client, then it may be a localized malware infection rather than the site being hacked.
Oct 27, 2012, 02:47
dklynn

Repeat: Have your host run a full "maldet scan" and see what it reports.

Regards,

DK