Page 2 of 2 (results 26 to 38 of 38)
  #26 - SitePoint Addict (joined Jul 2009, 356 posts)
    Quote originally posted by EastCoast:
        On the cencis pizza site I can see signs of infection on a mobile - there isn't a redirection, but there is an advert link overlaid over the site by a company called mobiteasy. Googling around turned up this, which indicates the kind of virus involved, and why it probably hasn't shown up in the cursory attempts by your hosting company to locate the infection.

        http://blog.avast.com/2014/04/17/wor...itors-at-risk/
    EastCoast... Thank you, I just read that link you posted, although I am not using the "OptimizePress" plugin, so I am not quite sure that is the source of the "infection".

    Also, can you tell me how you came to the conclusion that mobiteasy is on the site? I can't see it. Thanks again!

  #27 - EastCoast (Community Advisor, joined Nov 2006, UK, 2,551 posts)
    Loaded up the site on an Android mobile; all that gets displayed is a white page with one link (a mobiteasy URL that I didn't follow). It could be any number of plugins or themes. I'd download all your online content, then do a search through the source of all files (whatever the extension is, as it could be hidden inside e.g. an image and loaded by another script as code) for strings of potentially harmful PHP functions such as fopen, base64_decode, eval, etc.

  #28 - SitePoint Addict (joined Jul 2009, 356 posts)
    Quote originally posted by EastCoast:
        Loaded up the site on an Android mobile; all that gets displayed is a white page with one link (a mobiteasy URL that I didn't follow). It could be any number of plugins or themes. I'd download all your online content, then do a search through the source of all files (whatever the extension is, as it could be hidden inside e.g. an image and loaded by another script as code) for strings of potentially harmful PHP functions such as fopen, base64_decode, eval, etc.
    I just downloaded a fresh copy of WordPress to search for those PHP functions, and it looks like many of them already exist within the core WordPress PHP. Going to try and compare files to see if anything fishy is going on.
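EastCoast's advice in #27 (search every file, whatever its extension, for risky PHP calls) and the follow-up in #28 (core WordPress legitimately uses many of those calls, so compare against a fresh copy) fit together as one triage step. The script below is an added example, not code from the thread or from WordPress: it greps every regular file under a site for a list of function names, then drops any hit whose file is byte-identical to the same path in a pristine download, so only new or modified files are reported. The function list, the `scan_for_calls`/`triage` names and the constructed sample trees in `build_demo` are my assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Function names that commonly appear in injected PHP; WordPress core and many
# plugins use several of them legitimately, so a hit is a lead, not a verdict.
SUSPICIOUS_CALLS = ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
                    "assert", "create_function", "fopen", "file_put_contents",
                    "system", "exec", "passthru", "shell_exec")
CALL_RE = re.compile(rb"\b(" + b"|".join(c.encode() for c in SUSPICIOUS_CALLS) + rb")\s*\(")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_for_calls(root: Path) -> dict[str, list[str]]:
    """Search EVERY regular file under root, whatever its extension, for suspicious calls.
    Keys are POSIX-style relative paths; values are the distinct call names found."""
    hits: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        found = sorted({m.group(1).decode() for m in CALL_RE.finditer(path.read_bytes())})
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def triage(site: Path, pristine: Path) -> dict[str, list[str]]:
    """Drop hits in files that are byte-identical to the same path in a clean copy."""
    flagged = {}
    for rel, calls in scan_for_calls(site).items():
        clean = pristine / rel
        if clean.is_file() and sha256_file(clean) == sha256_file(site / rel):
            continue  # identical to the fresh download: core code, not an injection
        flagged[rel] = calls
    return flagged


def build_demo() -> tuple[Path, Path]:
    """Constructed sample trees (not a real site) so the module runs offline."""
    base = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    pristine, site = base / "pristine", base / "site"
    core = b"<?php\n// core file that legitimately calls eval()\nfunction wp_x() { return eval('return 1;'); }\n"
    for root in (pristine, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "class-x.php").write_bytes(core)
        (root / "index.php").write_bytes(b"<?php\nrequire 'wp-blog-header.php';\n")
    # Infected copy: a decoder call injected at the top of index.php, plus PHP
    # hidden inside a file with an image extension ("aGk=" is just base64 for "hi").
    (site / "index.php").write_bytes(b"<?php eval(base64_decode('aGk='));\nrequire 'wp-blog-header.php';\n")
    (site / "wp-content").mkdir()
    (site / "wp-content" / "logo.png").write_bytes(b"\x89PNG\r\n<?php eval(base64_decode('aGk=')); ?>")
    return site, pristine


if __name__ == "__main__":
    demo_site, demo_pristine = build_demo()
    for rel, calls in triage(demo_site, demo_pristine).items():
        print(f"{rel}: {', '.join(calls)}")
```

Against a real site, pass the downloaded site tree and a freshly downloaded WordPress of the same version to `triage`. Files under `wp-content/` have no core counterpart, so every hit there is reported and must be read by hand or compared against a fresh download of that plugin or theme.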

  #29 - SitePoint Addict (joined Jul 2009, 356 posts)
    FINALLY figured it out!!

    Will post details in a bit here once I fix the issue.

  #30 - lostartist (SitePoint Member, joined May 2006, Philippines, 1 post)
    One of the sites I'm working on has this problem. I'd love to know if you solved the redirect issue.

  #31 - SitePoint Addict (joined Jul 2009, 356 posts)
    Quote originally posted by lostartist:
        One of the sites I'm working on has this problem. I'd love to know if you solved the redirect issue.
    I did... Will post details this afternoon. It took quite a bit of time to get rid of the malicious code.

    What type of site is it happening on? WP?

  #32 - noslenwerd (SitePoint Addict, joined Jul 2009, 356 posts)
    Here is the solution.

    So basically what you want to search for in your code is the 'str_replace(' function. It will be obvious in your search which files are infected, as there are several hundred encrypted characters side by side in your file.

    Check out the attached screenshot. What made this tricky is that the beginning of the code starts with <?php, but then has about 1000 blank spaces before the malicious code starts (sneaky *******s). What also made this tricky is that the timestamp on the files shows up as unchanged, so they do not look suspect just by viewing them via FTP. It seemed to infect all of my files named index.php, header.php, and functions.php, as well as various other files. The code is isolated to the very first line of code in all the files.

    Hope someone else may find this helpful.

    Attachment: badoink.jpg
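The two tricks described in #32 (a `<?php` tag followed by roughly 1000 spaces so the payload sits off-screen in an editor, and a file timestamp that does not reflect the write) can both be checked mechanically. The script below is an added example, not the poster's code or screenshot: it inspects only the first line of each `.php` file for whitespace padding, abnormal length and `str_replace(` next to a long encoded blob, and separately flags files whose mtime is far older than their ctime, which on Linux and macOS user space cannot set. The thresholds, the regexes, the function names and the constructed sample tree in `build_demo` are my assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristics for the first line only, which is where the injection sat.
PAD_RE = re.compile(rb"^<\?php[ \t]{100,}\S")             # "<?php", 100+ spaces/tabs, then code
HEX_BLOB_RE = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){50,}")    # long run of \xNN escapes
B64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{200,}")          # long run of base64-looking text
MAX_SANE_FIRST_LINE = 500                                    # bytes; assumption, tune per site


def first_line_findings(data: bytes) -> list[str]:
    """Reasons the FIRST line of a PHP file looks injected (empty list if it looks normal)."""
    first = data.split(b"\n", 1)[0]
    reasons = []
    if PAD_RE.match(first):
        reasons.append("whitespace padding after <?php pushes code off-screen")
    if len(first) > MAX_SANE_FIRST_LINE:
        reasons.append(f"first line is {len(first)} bytes long")
    if b"str_replace(" in first and (HEX_BLOB_RE.search(first) or B64_BLOB_RE.search(first)):
        reasons.append("str_replace( next to a long encoded blob")
    return reasons


def timestamp_findings(path: Path) -> list[str]:
    """On Linux/macOS the kernel updates ctime on every write and user space cannot
    set it, so an mtime far older than ctime means the modification time was reset."""
    st = path.stat()
    if st.st_ctime - st.st_mtime > 60:
        return ["mtime is older than ctime: modification time was reset after the write"]
    return []


def scan_tree(root: Path) -> dict[str, list[str]]:
    report = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        reasons = first_line_findings(path.read_bytes()) + timestamp_findings(path)
        if reasons:
            report[path.relative_to(root).as_posix()] = reasons
    return report


def build_demo() -> Path:
    """Constructed sample tree (not the poster's files) shaped like the described infection."""
    root = Path(tempfile.mkdtemp(prefix="wp-firstline-"))
    theme = root / "wp-content" / "themes" / "t"
    theme.mkdir(parents=True)
    clean = b"<?php\n/* normal theme header */\nget_header();\n"
    (theme / "header.php").write_bytes(clean)
    # Placeholder "payload": harmless text rendered as \xNN escapes so it looks like the blob.
    blob = "".join(f"\\x{b:02x}" for b in b"constructed placeholder text " * 8).encode()
    injected = b"<?php" + b" " * 1000 + b"$z = str_replace('#', '', \"" + blob + b"\");\n" + clean[6:]
    infected = root / "index.php"
    infected.write_bytes(injected)
    year_ago = time.time() - 365 * 86400
    os.utime(infected, (year_ago, year_ago))  # reset atime/mtime; ctime still records the write
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_demo()).items():
        print(rel)
        for r in reasons:
            print("  -", r)
```

The ctime comparison only means something on Unix-like systems (on Windows `st_ctime` is the creation time), and a hit from the first-line heuristics alone is still a lead rather than a verdict, so open the flagged file in a viewer that shows line length instead of trusting the FTP listing. Cleaning means restoring each flagged file from a known-good copy, not just deleting the first line.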

  #33 - SitePoint Member (joined Apr 2014, 5 posts)
    Quote originally posted by noslenwerd:
        Here is the solution.

        So basically what you want to search for in your code is the 'str_replace(' function. It will be obvious in your search which files are infected, as there are several hundred encrypted characters side by side in your file.

        Check out the attached screenshot. What made this tricky is that the beginning of the code starts with <?php, but then has about 1000 blank spaces before the malicious code starts (sneaky *******s). What also made this tricky is that the timestamp on the files shows up as unchanged, so they do not look suspect just by viewing them via FTP. It seemed to infect all of my files named index.php, header.php, and functions.php, as well as various other files. The code is isolated to the very first line of code in all the files.

        Hope someone else may find this helpful.

        Attachment: badoink.jpg
    I'm on free hosting at the moment, but if I ever go back to advanced hosting and get hacked, I could find this helpful. I think I already knew that even if something looks only slightly wrong, you know right off the bat that something fishy is going on and it should be looked into, but I will definitely keep this in mind.

  #34 - EastCoast (Community Advisor, joined Nov 2006, UK, 2,551 posts)
    Ideally you'd still find out how the infection occurred, or else there's nothing to stop it happening again - you've fixed the end result, but not the point of access. Remember to change all the passwords used to access your hosting account.

  #35 - SitePoint Addict (joined Jul 2009, 356 posts)
    Quote originally posted by EastCoast:
        Ideally you'd still find out how the infection occurred, or else there's nothing to stop it happening again - you've fixed the end result, but not the point of access. Remember to change all the passwords used to access your hosting account.
    I did change all cPanel/FTP/WordPress passwords. I also updated all plugins/themes to current. So hoping that will do the trick.

  #36 - Matthew (SitePoint Member, joined May 2014, 1 post)
    Hi,

    My name is Matthew and I work for BaDoink.com.

    I am sorry to learn that you encountered this issue, but I'm glad that a fix was found.

    In the future, if you run into a similar problem, or anyone here does for that matter, please contact us directly and immediately.

    We are a big brand in adult. We run a popular affiliate program. Unfortunately, some affiliates, in violation of our Terms of Service, employ malicious tactics to promote our brand.

    We've an affiliate management team in house tasked with policing all affiliate activity. When an affiliate attempts to promote us in an unlawful manner, or in a manner that violates our terms, we terminate his or her affiliation immediately.

    If you come across this issue again, please get in touch with us at http://www.badoink.com/support/ and we will be able to locate the affiliate and terminate them from our program.

    Thanks in advance, and apologies for the inconvenience,

    Matthew
    Last edited by TechnoBear; May 29, 2014 at 11:07. Reason: URL delinked

  #37 - SitePoint Member (joined May 2014, 1 post)

    Similar issue due to OptimizePress security hole

    Quote originally posted by noslenwerd:
        Here is the solution.

        So basically what you want to search for in your code is the 'str_replace(' function. It will be obvious in your search which files are infected, as there are several hundred encrypted characters side by side in your file.

        Check out the attached screenshot. What made this tricky is that the beginning of the code starts with <?php, but then has about 1000 blank spaces before the malicious code starts (sneaky *******s). What also made this tricky is that the timestamp on the files shows up as unchanged, so they do not look suspect just by viewing them via FTP. It seemed to infect all of my files named index.php, header.php, and functions.php, as well as various other files. The code is isolated to the very first line of code in all the files.

        Hope someone else may find this helpful.

        Attachment: badoink.jpg
    I have a website that is randomly redirected to nudity sites, but only when accessed through cell phones (I believe only with iPhone).

    This is the link to OptimizePress for locating the corrupted files:
    https://optimizepress.zendesk.com/hc...-What-do-I-do-

  #38 - Mittineague (Programming Team, joined Jul 2005, West Springfield, Massachusetts, 17,189 posts)
    Thanks everyone. All problems have been solved, patched, answered.

    Thread Closed

