#1
Finding redirect in a hacked site?
My sister's work site (a small community arts group) has been hacked so mobile users are redirected to porn sites.
I've been trying to find the modified file (it's not a very complex site) so she can tell her hosting company what to change; I'm just using Safari's web inspector. Is there any way to get it to break on redirect/meta refresh?
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
0
#2
First check the metadata on the page to see if there is a redirect.
Then you have to have the .htaccess file checked on the server (if you have access to the server; it's in the root, remember to enable hidden files). A good start at least, but it could also be on the devices (?) and on other server levels. What's similar for those mobile devices? (All iPhones? All 240 width? Or similar?)
0
#3
Porn is art, right?
There are a million ways they could have redirected her site; without access to the source we are really just shooting in the dark. They could have access through WordPress admin and put a redirect directly into the pages or widgets. They could have gotten access to the host and placed the redirect in the server config files or, as mentioned, .htaccess. It could be a JavaScript hack which they included in a comment. Good luck, and I'm sorry it happened to you.
__________________
TI-99/4A, tape cassette, 12" B&W Zenith
0
#4
Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...
__________________
Voted "Most likely to start his own cult" by my high school class.
0
#5
Can you start by simply restoring the site files from the last known-good backup?
Have you called the hosting company?
__________________
Expert
Ex = former, no longer. Spurt = a leak, esp. when caused by water pressure. Expert = a has-been drip under pressure.
0
#6
Appreciate the advice... (and yes, I did offer the "actually I prefer the new site" line, but they weren't impressed!)
They contacted the hosting company (Bluehost) who took a look, but were unable to find the cause, due to the number of files - I'd guess they're on a very low-cost package so support would be less than ideal. The support did reckon it's .htaccess related. By changing my user agent to iPhone I was able to see the same redirects on my laptop, so it's likely in an iOS-specific file that's included (I can't imagine whoever injected the redirect deliberately wanted to exclude PC/Mac users). P.S. They did a restore to a month ago and the problem persists. So either it's been there for a while for mobile devices and went unnoticed (unlikely) or the redirect is external to the files being restored.
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
0
#7
To the OP: The server's web logs usually list the referer they received from the browser, i.e. look for 301 and 302 redirects in the log, plus the http_referrer header. Consult the web host as to which log to check, but it is much, much faster to scan a log if unsure and not a coding guru, usually.
__________________
Jim Goldbloom Sr. Web Developer, owner GoldTechPro, LLC http://www.GoldTechPro.com
1
#8
My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.
I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file. I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.
__________________
.
1
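
A defensive sweep for the two artifacts described in posts #2, #6 and #8, as an added example that is not part of the original thread: it flags PHP lines where text follows 80 or more spaces or tabs, and `.htaccess` rules in any directory that depend on the visitor's user agent or referrer. The 80-character threshold, the function names, the sample tree and the `redirect.example` host are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Code pushed off-screen: 80+ spaces/tabs in a row, then more text on the same line.
PADDED = re.compile(r"[ \t]{80,}\S")
# .htaccess conditions that depend on the visitor's browser or the referring page.
UA_RULE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)

def scan_site(root):
    """Return sorted (relative path, line number, reason) findings under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):  # os.walk also visits dotfiles
        for name in files:
            is_php = name.lower().endswith(".php")
            if not (is_php or name == ".htaccess"):
                continue
            rel = os.path.relpath(os.path.join(folder, name), root)
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if is_php and PADDED.search(line):
                        findings.append((rel, lineno, "text hidden after long whitespace run"))
                    elif not is_php and UA_RULE.match(line):
                        findings.append((rel, lineno, "rewrite condition on user agent/referrer"))
    return sorted(findings)

def build_sample(root):  # constructed site tree: one clean file, two tampered ones
    os.makedirs(os.path.join(root, "gallery"))
    files = {
        "index.php": "<?php\necho 'Welcome';\n",
        # Constructed stand-in for injected code: a harmless comment padded far right.
        os.path.join("gallery", "thumb.php"): "<?php" + " " * 300 + "/* injected */\necho 'thumb';\n",
        os.path.join("gallery", ".htaccess"): (
            "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (iphone|android) [NC]\n"
            "RewriteRule ^ http://redirect.example/ [R=302,L]\n"
        ),
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_site(root)

if __name__ == "__main__":
    for rel, lineno, reason in demo():
        print(f"{rel}:{lineno}: {reason}")
```

Point `scan_site()` at a downloaded copy of the site; hits are leads for manual review, since legitimate rewrite rules can also test the user agent.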