I think my site was hacked. Redirects to 'badoink' porn app when viewing via phone

It seems that all of my sites on a shared hosting account (5 of which are WordPress, 1 is HTML) are redirecting to the badoink porn app when viewed via Android or iPhone. Anyone else ever have this problem? I had my host scan for malicious files in the DB and public_html, but they came up with nothing. I really do not know where to go from here…

I’d first check your template for any suspicious code, it’s common for rogue scripts to be injected in them. You may also want to scan your databases to see if code has been injected into there.

It’s also worth updating your WP install and any plugins you are using. Additionally, many 3rd party WP plugins expose security flaws because they aren’t coded very well; it’s often these poor plugins that allow hackers into your site.

As a matter of course update your passwords as well, including hosting login, WP login, database and FTP passwords in case any of those have been compromised.

Thanks bluedreamer.

We had all the public_html files scanned, as well as the databases, and nothing showed up. Also it is weird because one of the sites is just plain html/php with no DB and it is doing a redirect as well. http://printmaps.com

Did you check your DNS to make sure that it’s still pointing to your server? I know it’s rare, these days, but I wonder if a DNS redirect was somehow implemented.

:slight_smile:

Hi wolfshade.

Yeah the DNS is fine… They are all managed under different providers anyway. This is odd because it is only redirecting mobile users. None of my client facing files have been edited in the last couple weeks… I really have no idea what is causing this :frowning:

Is it EVERY mobile that’s being redirected? Any chance the issue could be on the user-side?

:slight_smile:

Yeah every site (6 total, 5 WP sites, one PHP/HTML) when viewed from a smart phone is redirecting to various URLs, that end up redirecting to ‘badoink’. The php site is http://printmaps.com (don’t worry it won’t infect your phone… just pulls up the badoink app).

I would say it is a pretty low likelihood of it being on the user side… I actually just tested it over the weekend with a brand new Samsung Galaxy S5 that never opened any webpage other than one on that server and it still happened.

You had them scanned. But did you manually check them to make sure they hadn’t been edited?

I did manually check all the client facing files from the WP installations, as well as all the theme files.

Also, none of the files in the printmaps folder have been edited in the last year or so… Also, being that the printmaps site does not use a database, would it be reasonable to assume this is not a database issue?

Thanks for your help

Man… I don’t know what else to suggest. That’s a real head-scratcher. Sorry I couldn’t be of more assistance.

:slight_smile:

Yup!.. that is the term I keep coming back to… “head scratcher”

Thanks for trying though :slight_smile:

It seems fairly obvious to me.

<script type="text/javascript" src="http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js"></script>

Put a copy of that on your own site and I have a feeling your problems will be gone.

Holy crap… I think that might have done it!!! How can that tiny bit of jQuery affect everything on my shared server like that??

Actually… that didn’t work :frowning:

Still getting redirects on that site, and these

http://jpmyerscpas.com

Actually… that didn’t work

At least you have got rid of the do not hotlink text on one site :shifty:

Do you have a backup copy of the html site as that is the easiest to work with. Delete every file for that site and upload the backup. It would prove a point.

Can you find any other sites from different owners that are on the same server possibly by IP and see if they have a problem - this may confirm if it is just you or all sites on the same server.

Other sites on the server other than mine: Not that I know of… My host is deflecting any kind of response to help me here… so I doubt they would be honest and tell me if there were issues.

I did upload a backup of the site (seems to be fine now?), and the only difference in the files were the live files had <?php at the very top

And my original file had

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

Also does this bit from the error_log… does this lend any clues?

[24-Feb-2014 05:42:28 UTC] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so’ - /usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so: cannot open shared object file: No such file or directory in Unknown on line 0
[24-Feb-2014 05:42:28 UTC] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20090626/imagick.so’ - /usr/lib/php/extensions/no-debug-non-zts-20090626/imagick.so: cannot open shared object file: No such file or directory in Unknown on line 0
[24-Feb-2014 05:47:25 UTC] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so’ - /usr/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
[24-Feb-2014 05:47:25 UTC] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20090626/xcache.so’ - /usr/lib/php/extensions/no-debug-non-zts-20090626/xcache.so: cannot open shared object file: No such file or directory in Unknown on line 0
[24-Feb-2014 05:47:25 UTC] PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20090626/uploadprogress.so’ - /usr/lib/php/extensions/no-debug-non-zts-20090626/uploadprogress.so: cannot open shared object file: No such file or directory in Unknown on line 0

How often do you back up your databases? When I was on advanced hosting, we were backing stuff up every 24 hours. After we got hacked, we had to start backing stuff up every twelve hours. 24 wasn’t cutting it as we lost about 3 days worth of posts I believe it was. So I’d probably bump it up a bit and make backups more often if you’re not already doing so.

The errors look like misconfiguration of Apache modules. Probably not relevant to your issue, but possibly an indication of a host that’s not got much attention to detail.

Have you checked your .htaccess files?

Does the issue manifest on mobile that’s connected via wifi? What about when using alternative mobile browsers (e.g. Dolphin on Android)?

I think the hosts are Godaddy.

I had some of the same errors on my site. I assume the site is using PHP 5.4, and I know certain versions of Imagick are not compatible with 5.4; I assume the same for the timezonedb, and I just had the hosts disable them. You will need to do something about it ASAP, as every time somebody visits your website you will get those errors in your error file and they add up quick!

From memory suhosin will not work with certain php setups either.

I did upload a backup of the site (seems to be fine now?), and the only difference in the files were the live files had <?php at the very top

I would assume if it is working OK there must have been something you missed when checking the files and would try reinstalling a backup of one of the other sites.
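The backup comparison discussed in this thread can be done by content hash rather than by modification date or by eye. The following is an added example, not code from any poster; the function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def _files(root):
    # rglob("*") also returns dotfiles such as .htaccess
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def compare_with_backup(backup_dir, live_dir):
    """Compare a live site tree with a known-good backup by SHA-256."""
    backup, live = _files(backup_dir), _files(live_dir)
    report = {
        "added": sorted(set(live) - set(backup)),    # only in live tree
        "missing": sorted(set(backup) - set(live)),  # only in backup
        "modified": [],                              # content differs
        "php_prepended": [],                         # live now opens with <?php
    }
    for rel in sorted(set(backup) & set(live)):
        old, new = backup[rel], live[rel]
        if hashlib.sha256(old).digest() == hashlib.sha256(new).digest():
            continue
        report["modified"].append(rel)
        if new.lstrip().startswith(b"<?php") and not old.lstrip().startswith(b"<?php"):
            report["php_prepended"].append(rel)
    return report

def demo():
    # Constructed sample trees: the backup page starts with a DOCTYPE,
    # the live copy has a PHP block placed in front of it.
    doctype = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n<html></html>\n'
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for d in (backup, live):
            d.mkdir()
            (d / "style.css").write_bytes(b"body { margin: 0; }\n")
        (backup / "index.php").write_bytes(doctype)
        (live / "index.php").write_bytes(b"<?php /* placeholder for added code */ ?>\n" + doctype)
        (live / ".htaccess").write_bytes(b"# constructed placeholder\n")
        return compare_with_backup(backup, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run against a downloaded copy of the live tree and the unpacked backup; anything listed under `added` or `php_prepended` is worth opening by hand before restoring.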