Old Dec 3, 2012, 05:55 PM   #1
whooleytoo
macrumors 603
Join Date: Aug 2002
Location: Cork, Ireland.
Finding redirect in a hacked site?

My sister's work site (a small community arts group) has been hacked so mobile users are redirected to porn sites.

I've been trying to find the modified file (it's not a very complex site) so she can tell her hosting company what to change; I'm just using Safari's web inspector.. is there any way to get it to break on redirect/meta refresh?
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
whooleytoo is offline   0 Reply With Quote
Old Dec 4, 2012, 01:05 PM   #2
dan1eln1el5en
macrumors 6502
 
Join Date: Jan 2012
First check the meta data on the page if there is a redirect.
Then you have to have the .htaccess file checked on the server (if you have access to the server, it's in the root; remember to enable hidden files).

A good start at least, but it could also be on the devices (?) and on other server levels.
What's similar for those mobile devices? (All iPhones? All 240 width? Or similar?)
dan1eln1el5en is online now   0 Reply With Quote
Old Dec 4, 2012, 02:20 PM   #3
960design
macrumors 6502a
 
Join Date: Apr 2012
Location: Destin, FL
Porn is art, right?

There are a million ways they could have redirected her site; without access to the source we are really just shooting in the dark.

They could have access through WordPress admin and put a redirect directly into the pages or widgets.

They could have gotten access to the host and placed the redirect in the server config files or, as mentioned, .htaccess.

It could be a JavaScript hack which they included in a comment.

Good luck and I'm sorry it happened to you.
__________________
TI-99/4A, tape cassette, 12" B&W Zenith
960design is offline   0 Reply With Quote
Old Dec 4, 2012, 04:42 PM   #4
aarond12
macrumors 6502a
Join Date: May 2002
Location: Dallas, TX USA
Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...
__________________
Voted "Most likely to start his own cult" by my high school class.
aarond12 is offline   0 Reply With Quote
Old Dec 4, 2012, 04:45 PM   #5
CanadaRAM
macrumors G5
Join Date: Oct 2004
Location: On the Left Coast - Victoria BC Canada
Can you start by simply restoring the site files from the last known-good backup?
Have you called the hosting company?
__________________
Expert
Ex = former, no longer. Spurt = a leak, esp. when caused by water pressure. Expert = a has-been drip under pressure.
CanadaRAM is offline   0 Reply With Quote
Old Dec 6, 2012, 12:53 PM   #6
whooleytoo
Thread Starter
macrumors 603
Join Date: Aug 2002
Location: Cork, Ireland.
Appreciate the advice... (and yes, I did offer the "actually I prefer the new site" line, but they weren't impressed!)

They contacted the hosting company (Bluehost) who took a look, but were unable to find the cause, due to the number of files - I'd guess they're on a very low-cost package so support would be less than ideal. The support did reckon it's .htaccess related.

By changing my user agent to iPhone I was able to see the same redirects on my laptop so it's likely in an iOS-specific file that's included (I can't imagine whoever injected the redirect deliberately wanted to exclude PC/Mac users).

P.S. They did a restore to a month ago and the problem persists. So either it's been there for a while for mobile devices and went unnoticed (unlikely) or the redirect is external to the files being restored.
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
whooleytoo is offline   0 Reply With Quote
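The user-agent test described in the post above can be scripted so the redirect is captured instead of followed. This is an added example, not code from the thread: it fetches a page once per user agent, refuses to follow redirects, and reports whether the redirect arrives as an HTTP 3xx, a meta refresh or inline JavaScript. The shortened user-agent strings and the function names are assumptions.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Simplified user-agent strings (assumptions; any mobile/desktop pair works).
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) Mobile Safari"
DESKTOP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) Safari"
JS_RE = re.compile(r"\blocation(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*[\"']([^\"']+)", re.I)

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so the 3xx surfaces as an HTTPError

class _MetaRefresh(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*[\"']?([^\"';\s]+)", attr.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1))

def redirects_in(status, headers, body):
    """Return (mechanism, target) pairs found in one HTTP response."""
    found = []
    if 300 <= status < 400 and headers.get("Location"):
        found.append(("http-%d" % status, headers.get("Location")))
    parser = _MetaRefresh()
    parser.feed(body)
    found += [("meta-refresh", t) for t in parser.targets]
    return found + [("javascript", t) for t in JS_RE.findall(body)]

def probe(url, user_agent):
    """Fetch url once as the given user agent, without following redirects."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # the unfollowed 3xx (or a 4xx/5xx) still carries headers and body
    return redirects_in(resp.code, resp.headers, resp.read().decode("utf-8", "replace"))

def mobile_only(url):
    """Redirects served to the iPhone user agent but not to the desktop one."""
    desktop = set(probe(url, DESKTOP_UA))
    return [r for r in probe(url, IPHONE_UA) if r not in desktop]
```

An HTTP 3xx result points at server-side causes such as .htaccess or PHP, while a meta-refresh or javascript result points at the page content; scripts loaded from separate files are not inspected.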
Old Dec 6, 2012, 01:23 PM   #7
960design
macrumors 6502a
 
Join Date: Apr 2012
Location: Destin, FL
Just chiming in again... restoring the files would not fix any links or comments as they are saved in the database. The obnoxious script file could still be located within the comments section.

All of this could be pretty easy to find:
1) Search all files for the redirect that pops up in the URL
2) Run a manual SQL query on the database.
__________________
TI-99/4A, tape cassette, 12" B&W Zenith
960design is offline   0 Reply With Quote
Old Dec 7, 2012, 12:45 AM   #8
SrWebDeveloper
macrumors 68000
Join Date: Dec 2007
Location: Alexandria, VA, USA
 
Quote:
Originally Posted by aarond12 View Post
Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...
PRIVATELY, not here, I think.

To the OP:

The server's web logs usually list the referer they received from the browser, i.e. look for 301 and 302 redirects in the log, plus the http_referrer header. Consult the web host as to which log to check, but it's much, much faster to scan a log if unsure and not a coding guru, usually.
__________________
Jim Goldbloom
Sr. Web Developer, owner GoldTechPro, LLC
http://www.GoldTechPro.com
SrWebDeveloper is offline   1 Reply With Quote
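One way to run the log check suggested above, as an added example (not code from any poster): it reads access-log lines in the common "combined" format and lists paths that answered 301/302 to mobile user agents while desktop user agents were never redirected. The log format, the mobile pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MOBILE_RE = re.compile(r"iPhone|iPad|iPod|Android|BlackBerry|Windows Phone|Opera Mini", re.I)
REDIRECTS = {301, 302}

def mobile_only_redirects(lines):
    """Return sorted paths that redirected mobile user agents but never desktop ones."""
    seen = defaultdict(lambda: {"mobile": set(), "desktop": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guess at them
        kind = "mobile" if MOBILE_RE.search(m["ua"]) else "desktop"
        path = m["path"].split("?", 1)[0]  # group requests regardless of query string
        seen[path][kind].add(int(m["status"]))
    suspicious = []
    for path, statuses in seen.items():
        # Require desktop traffic as a baseline so site-wide redirects are not flagged.
        if (statuses["mobile"] & REDIRECTS and statuses["desktop"]
                and not statuses["desktop"] & REDIRECTS):
            suspicious.append(path)
    return sorted(suspicious)

# Constructed sample lines (documentation IP range, simplified user agents).
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) Safari"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) Mobile Safari"
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2012:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "%s"' % MAC,
    '203.0.113.9 - - [04/Dec/2012:10:02:00 +0000] "GET / HTTP/1.1" 302 0 "-" "%s"' % IPHONE,
    '203.0.113.5 - - [04/Dec/2012:10:03:00 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "%s"' % MAC,
    '203.0.113.9 - - [04/Dec/2012:10:04:00 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "%s"' % IPHONE,
    '203.0.113.9 - - [04/Dec/2012:10:05:00 +0000] "GET /events HTTP/1.1" 200 900 "-" "%s"' % IPHONE,
]
```

The combined format does not record the Location header, so this shows which URLs redirect, not where they go.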
Old Dec 7, 2012, 01:57 PM   #9
notjustjay
macrumors 603
Join Date: Sep 2003
Location: Canada, eh?
My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.

I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file.

I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.
__________________
.
notjustjay is offline   1 Reply With Quote
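A scanner for the two artefacts described in the post above, as an added example that is not part of the original post: PHP lines whose code is pushed off-screen by whitespace padding, and .htaccess rewrite rules that send only certain user agents to an external URL. The 80-character threshold, the file extensions and the sample contents are assumptions constructed for illustration.

```python
import os
import re

# 80+ spaces/tabs followed by more text: code pushed off-screen to the right.
PAD_RE = re.compile(r"(?<![ \t])[ \t]{80,}(?=\S)")
UA_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def padded_lines(text):
    """Return (line_number, column, hidden_text) for each whitespace-padded line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = PAD_RE.search(line)
        if m:
            hits.append((number, m.end() + 1, line[m.end():m.end() + 60]))
    return hits

def ua_conditional_redirects(text):
    """Return absolute-URL RewriteRule targets guarded by a User-Agent RewriteCond."""
    targets, ua_guard = [], False
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if UA_COND_RE.match(line):
            ua_guard = True
        elif rule:
            if ua_guard and rule.group(1).lower().startswith(("http://", "https://")):
                targets.append(rule.group(1))
            ua_guard = False  # RewriteCond lines apply only to the next RewriteRule
    return targets

def scan_tree(root):
    """Yield (path, kind, detail) for every finding under a copy of the docroot."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    text = handle.read()
                for hit in padded_lines(text):
                    yield path, "padded-line", hit
                if name == ".htaccess":
                    for target in ua_conditional_redirects(text):
                        yield path, "ua-redirect", target

# Constructed samples (not taken from the thread).
SAMPLE_PHP = "<?php" + " " * 200 + "include 'placeholder.php'; ?>\n<?php echo 'home'; ?>\n"
SAMPLE_HTACCESS = ("RewriteCond %{HTTP_USER_AGENT} (iphone|android) [NC]\n"
                   "RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]\n"
                   "RewriteRule ^about$ /about.php [L]\n")
```

Run `scan_tree` over a downloaded copy of the site and check every file it names, since a single missed file is enough for the infection to return.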
Old Dec 7, 2012, 11:23 PM   #10
SrWebDeveloper
macrumors 68000
Join Date: Dec 2007
Location: Alexandria, VA, USA
 
Quote:
Originally Posted by notjustjay View Post
My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.
I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file.
I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.
Great information, this reply is to the OP and others following:

In general many sites have very poor permissions set up on the folders and files in the docroot or deeper. It's very important to nail down proper permissions and file ownership in a production environment. Your CMS documentation or webhost can help you with that. Learn chown/chmod if Linux!

Specific to timthumb - this is a plugin version of it for WordPress which has a well-known and very nasty vulnerability, including a plugin just for fixing it if you got slammed. In general the best way to prevent this is to always avoid betas or dev releases on production sites unless there is no choice, and always update to the latest version to account for security vulnerabilities.
__________________
Jim Goldbloom
Sr. Web Developer, owner GoldTechPro, LLC
http://www.GoldTechPro.com
SrWebDeveloper is offline   0 Reply With Quote
Old Feb 12, 2014, 01:50 AM   #11
sharaking
macrumors newbie
 
Join Date: Feb 2014
Problem Solved for me ~ Mobile Page Gets Redirected to Unwanted Pages

I faced the same problem, my website gets redirected to a different page when it's visited from a mobile device.

After hours of searching, I found there was JavaScript added into my index.php file located in /template/themexxx/index.php. After removing it, everything was normal again.

Hope this will solve your problem too.
sharaking is offline   0 Reply With Quote
