  1. #1
    SitePoint Guru
    Join Date
    Feb 2008
    Posts
    655

    Tracing a hacked website

    Hi guys, I am looking for help tracking how a client's site has been hacked.

    The site is located at kingcards.com

    It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometimes just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.

    I am unable to find out exactly where the redirect is and this is what is causing the frustration. I have used redirect checkers and "view as Googlebot" tools and they all render the site properly as it should.

    His webhost is not being much help and using this as an excuse to sell him a VPN.

    If anybody could give me any ideas on where to start looking I would be grateful.
    Last edited by TechnoBear; Aug 16, 2012 at 02:01. Reason: URL delinkified

  2. #2
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,765
    Quote Originally Posted by corbyboy:
    Hi guys, I am looking for help tracking how a client's site has been hacked.

    It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometimes just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.

    I am unable to find out exactly where the redirect is and this is what is causing the frustration. I have used redirect checkers and "view as Googlebot" tools and they all render the site properly as it should.

    If anybody could give me any ideas on where to start looking I would be grateful.
    The first step is to determine where the redirect is coming from, keeping in mind that some code may test which browser is being used and only include the redirect code when specific browsers are being used (such as IE). So the Google page viewer and redirect checkers may not see it. Is it a Javascript redirect embedded in the HTML source? A link to a Javascript file somewhere else? Or is it a redirect from the server?

    If you see any kind of Javascript (or any other code) that is obfuscated to make it impossible for a human to read, that is a certain indicator that the code is malicious. Legitimate coders don't need to hide their code. Hackers do.

    Then it is a matter of finding the code producing the redirect to the malicious sites. Often it is in index.php or one of the main site files. But it could be elsewhere. For example, if it is a database-driven site, the redirect Javascript code could be in the database.

    I had a similar problem. I had a habit of not checking for updates for open source scripts. SMF and Joomla were hacked and also I believe my Wordpress was hacked last year. In one case, the main index.php file had a small piece of code added at the bottom which tested the visitor's browser and if Internet Explorer was used, it added an iframe to a site containing a trojan. I usually used Firefox or Opera, so I never saw it. One day I decided to test the site using IE7 and my antivirus alerted me to the malicious code.

    What should be done is for all user files be deleted and replaced with backups that are known to be uninfected. If there was an existing vulnerability that the hacker exploited it may be exploited again. These hackers like to put in backdoors so if the malicious code is found and removed, they can regain access to the site. A fresh installation of all files is best.

    Start by identifying where the redirect is coming from by looking at the HTML output for Javascript redirects, keeping an eye out for code which may or may not be obfuscated. (For safety reasons, you may want to disable Javascript when checking with your browser.) Then check your main site files like index.html, index.php etc. My guess is that it is a Javascript redirect in the HTML source.
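    The browser- and referrer-conditional injection cheesedude describes is exactly why a Googlebot fetch or a redirect checker can come back clean. As an added example (not code from this thread), here is a small Python checker that requests the same URL under several header variants and scans each response for the indicators he lists: a meta refresh, a JavaScript location change, a hidden iframe, eval/unescape obfuscation, and script tags loading from a host outside an allow-list. The header sets, the `fake_fetch` stand-in, the sample pages and the `*.invalid` hosts are all constructed for the example; `http_fetch` is a plain urllib fetcher for use against the real site.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Set, Tuple

# Header variants to request the page with. Injected redirects often key on
# the visitor's User-Agent (e.g. Internet Explorer) or on a search-engine
# Referer, so a Googlebot fetch or a plain redirect checker can come back
# clean. The User-Agent strings are constructed for this example.
VARIANTS: Dict[str, Dict[str, str]] = {
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"},
    "ie_from_google": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)",
        "Referer": "http://www.google.com/search?q=kingcards",
    },
}

# (name, regex) pairs for an injected client-side redirect, or for code that
# has been obfuscated to hide one.
INDICATORS = [
    ("meta_refresh", re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I)),
    ("js_location", re.compile(
        r"(?:window\.|top\.|self\.)?location(?:\.href)?\s*=[^=]|location\.replace\s*\(", re.I)),
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none)", re.I)),
    ("js_obfuscation", re.compile(
        r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(\s*unescape", re.I)),
]
# Script tags that load from another host; checked against an allow-list.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def scan_html(html: str, allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (indicator, snippet) pairs found in one HTML response."""
    findings = []
    for name, rx in INDICATORS:
        for m in rx.finditer(html):
            findings.append((name, m.group(0)[:80]))
    for m in EXTERNAL_SCRIPT.finditer(html):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            findings.append(("external_script", host))
    return findings


def compare_variants(fetch: Callable[[str, Dict[str, str]], str], url: str,
                     allowed_hosts: Set[str],
                     variants: Dict[str, Dict[str, str]] = VARIANTS) -> Dict[str, List[Tuple[str, str]]]:
    """Fetch `url` once per header variant and scan each body.

    A variant whose findings differ from the rest is the one the injected code
    targets; an empty result everywhere suggests the redirect is not in the
    HTML served to these clients (look at the server side next).
    """
    return {name: scan_html(fetch(url, headers), allowed_hosts)
            for name, headers in variants.items()}


def http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real fetcher using only the standard library (server redirects are followed)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample pages. The percent-encoded string decodes to the harmless
# word "constructed"; it stands in for a real obfuscated payload.
CLEAN_PAGE = ("<html><head><title>King Cards</title>"
              "<script src='/js/site.js'></script></head><body>Hello</body></html>")
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>eval(unescape('%63%6f%6e%73%74%72%75%63%74%65%64'))</script>"
    "<iframe src='http://malware-host.invalid/in.php' width='0' height='0'></iframe></body>")


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for http_fetch: serves the injected page only to an IE
    visitor arriving from Google, mimicking the conditional injection above."""
    ua = headers.get("User-Agent", "")
    if "MSIE" in ua and "google." in headers.get("Referer", ""):
        return INJECTED_PAGE
    return CLEAN_PAGE


def demo() -> Dict[str, List[Tuple[str, str]]]:
    return compare_variants(fake_fetch, "http://example.invalid/", {"example.invalid"})


if __name__ == "__main__":
    for variant, findings in demo().items():
        print(variant, "clean" if not findings else findings)
```

Swap `fake_fetch` for `http_fetch` and put the site's own hostnames in the allow-list to run it for real; if only one variant shows findings, that variant's headers are the condition the injected code is testing, and the snippet it reports is the string to search the site's files and database for.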

  3. #3
    SitePoint Member
    Join Date
    Feb 2010
    Location
    Newark, DE, USA
    Posts
    14
    @cheesedude - You have provided the exact answer to this question. Hacking is such a big and growing issue on the internet. Malware is a common term for malicious software and an increasing difficulty over the internet. Hackers install malware by using safety weaknesses on servers and fast access to websites. And as you said, it is not visible to humans. Hackers apply it to reach viruses, hijack PCs or steal important information, for example credit card numbers or other private data. So it is always better to keep our website away from hackers using an anti-malware product.

  4. #4
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    Quote Originally Posted by corbyboy:
    Hi guys, I am looking for help tracking how a client's site has been hacked.

    It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometimes just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.
    Have you seen this in effect yourself, or has this only been reported by the client? If it's only the client, then it may be a localized malware infection rather than the site being hacked.

  5. #5
    Certified Ethical Hacker (dklynn)
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,604
    Repeat: Have your host run a full "maldet scan" and see what it reports.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
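    A maldet scan works on the files, not on what the browser sees, and that is the side cheesedude's "or is it a redirect from the server?" question points at. As an added example (not maldet and not code from this thread), here is a minimal Python triage of a web root: it flags PHP that runs `eval()` over a decoded string, long base64 blobs, a `.htaccess` whose rewrite rules pick visitors by User-Agent or Referer and send them to another host, and any file modified in the last few days, since a site whose files should not change gives an attacker's edits away by their timestamps. The sample web root in `demo()` is constructed in a temporary directory; the base64 string in it decodes to the words "constructed placeholder", not to real code, and the `.invalid` host is a placeholder.

```python
import os
import re
import tempfile
import time
from typing import List, Tuple

# Signatures for injected server-side code. Constructed for this example; a
# real scanner such as maldet ships a far larger signature set.
PHP_INDICATORS = [
    ("eval_decode", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long_base64", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]
# A .htaccess that selects visitors by User-Agent or Referer and rewrites them
# to another host is the server-side form of the conditional redirect.
HTACCESS_COND = re.compile(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}", re.I)
HTACCESS_EXT = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm")


def scan_text(filename: str, text: str) -> List[str]:
    """Indicator names found in one file's contents."""
    if filename == ".htaccess":
        if HTACCESS_COND.search(text) and HTACCESS_EXT.search(text):
            return ["conditional_external_rewrite"]
        return []
    return [name for name, rx in PHP_INDICATORS if rx.search(text)]


def scan_webroot(root: str, modified_within_days: float = 7.0) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, indicator) pairs: one for
    each content signature hit and one for each file modified recently."""
    cutoff = time.time() - modified_within_days * 86400
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.getmtime(path) > cutoff:
                findings.append((rel, "recently_modified"))
            if fn == ".htaccess" or fn.endswith(SCAN_SUFFIXES):
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
                findings.extend((rel, hit) for hit in scan_text(fn, text))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed web root in a temp dir and scan it: a clean library
    file dated months ago, an index.php with a freshly appended eval block, and
    a conditional .htaccess written today."""
    now, old = time.time(), time.time() - 90 * 86400
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, content: str, mtime: float) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
            os.utime(path, (mtime, mtime))  # set mtime so the age check is deterministic

        write("lib/site.php", "<?php function render() { echo 'King Cards'; }\n", old)
        write("index.php",
              "<?php include 'lib/site.php'; render(); ?>\n"
              # placeholder blob: base64 of "constructed placeholder"
              "<?php eval(base64_decode('Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=')); ?>\n", now)
        write(".htaccess",
              "RewriteEngine On\n"
              "RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
              "RewriteCond %{HTTP_USER_AGENT} MSIE [NC]\n"
              "RewriteRule ^.*$ http://redirect-host.invalid/ [R=302,L]\n", now)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, hit in demo():
        print(f"{hit:30} {rel}")
```

Run `scan_webroot("/path/to/docroot")` on a copy of the site taken before anything is cleaned; the list is triage, not proof, so each hit still needs a human reading the file, and the advice above to restore every file from a known-clean backup stands regardless of what it finds.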

