whooleytoo

macrumors 604
Original poster
Aug 2, 2002
6,607
716
Cork, Ireland.
My sister's work site (a small community arts group) has been hacked so mobile users are redirected to porn sites.

I've been trying to find the modified file (it's not a very complex site) so she can tell her hosting company what to change; I'm just using Safari's web inspector.. is there any way to get it to break on redirect/meta refresh?
 

dan1eln1el5en

macrumors 6502
Jan 3, 2012
380
23
Copenhagen, Denmark
First check the meta data on the page to see if there is a redirect.
Then you have to have the .htaccess file checked on the server (if you have access to the server, it's in the root; remember to enable hidden files).

A good start at least, but it could also be on the devices (?) and on other server levels.
What's similar for those mobile devices? (All iPhones? All 240 width? Or similar?)
 

960design

macrumors 68040
Apr 17, 2012
3,700
1,569
Destin, FL
Porn is art, right?

There are a million ways they could have redirected her site; without access to the source we are really just shooting in the dark.

They could have access through WordPress admin and put a redirect directly into the pages or widgets.

They could have gotten access to the host and placed the redirect in the server config files or, as mentioned, .htaccess.

It could be a JavaScript hack which they included in a comment.

Good luck, and I'm sorry it happened to you.
 

aarond12

macrumors 65816
May 20, 2002
1,145
107
Dallas, TX USA
Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...
 

whooleytoo

macrumors 604
Original poster
Aug 2, 2002
6,607
716
Cork, Ireland.
Appreciate the advice.. (and yes, I did offer the "actually I prefer the new site" line, but they weren't impressed! :p)

They contacted the hosting company (Bluehost) who took a look, but were unable to find the cause, due to the number of files - I'd guess they're on a very low-cost package so support would be less than ideal. The support did reckon it's .htaccess related.

By changing my user agent to iPhone I was able to see the same redirects on my laptop so it's likely in an iOS-specific file that's included (I can't imagine whoever injected the redirect deliberately wanted to exclude PC/Mac users).

P.S. They did a restore to a month ago and the problem persists. So either it's been there for a while for mobile devices and went unnoticed (unlikely) or the redirect is external to the files being restored.
 

960design

macrumors 68040
Apr 17, 2012
3,700
1,569
Destin, FL
Just chiming in again... restoring the files would not fix any links or comments as they are saved in the database. The obnoxious script file could still be located within the comments section.

All of this could be pretty easy to find:
1) Search all files for the redirect that pops up in the URL.
2) Run a manual SQL query on the database.
 

SrWebDeveloper

macrumors 68000
Dec 7, 2007
1,871
3
Alexandria, VA, USA
Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...

PRIVATELY, not here, I think. :p

To the OP:

The server's web logs usually list the referer they received from the browser, i.e. look for 301 and 302 redirects in the log, plus http_referrer header. Consult web host as to which log to check, but much, much faster to scan a log if unsure and not a coding guru, usually.
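The log check suggested above, combined with the earlier observation that switching the user agent to iPhone reproduces the redirect, as an added example that is not part of the original post: it lists paths that answer 301/302 to mobile user agents while desktop user agents get a normal response. It assumes Apache "combined" log format; the log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
MOBILE = re.compile(r"iPhone|iPad|Android|Mobile", re.I)  # heuristic, extend as needed
REDIRECTS = {301, 302}

def ua_dependent_redirects(lines):
    """Paths redirected for mobile clients but never for desktop clients."""
    seen = defaultdict(lambda: {"mobile": set(), "desktop": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or non-combined lines
        kind = "mobile" if MOBILE.search(m["ua"]) else "desktop"
        seen[m["path"]][kind].add(int(m["status"]))
    # A path with no desktop traffic has no baseline to compare with, so it is not flagged.
    return sorted(
        path for path, s in seen.items()
        if s["mobile"] & REDIRECTS and s["desktop"] and not s["desktop"] & REDIRECTS
    )

# Constructed sample log (documentation IP ranges, made-up paths).
DESKTOP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) Safari/537.73"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) Mobile/11A465 Safari/9537.53"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [11/Feb/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{DESKTOP_UA}"',
    f'198.51.100.7 - - [11/Feb/2014:10:00:05 +0000] "GET / HTTP/1.1" 302 0 "-" "{IPHONE_UA}"',
    f'192.0.2.10 - - [11/Feb/2014:10:01:00 +0000] "GET /old HTTP/1.1" 301 0 "-" "{DESKTOP_UA}"',
    f'198.51.100.7 - - [11/Feb/2014:10:01:09 +0000] "GET /old HTTP/1.1" 301 0 "-" "{IPHONE_UA}"',
    f'198.51.100.7 - - [11/Feb/2014:10:02:00 +0000] "GET /events HTTP/1.1" 200 900 "-" "{IPHONE_UA}"',
    "truncated line that does not parse",
])

if __name__ == "__main__":
    print(ua_dependent_redirects(SAMPLE_LOG.splitlines()))
```

The combined format does not record the `Location` header, so this narrows down which URLs misbehave rather than where they point.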
 

notjustjay

macrumors 603
Sep 19, 2003
6,056
167
Canada, eh?
My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.

I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file.

I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.
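A scanner for the two artefacts described in the post above, as an added example that is not part of the original post: PHP lines where code sits behind a long run of whitespace, and .htaccess rewrite rules that send only certain user agents to an external URL. The 80-blank threshold, the function names and the sample docroot (with a harmless stand-in comment in place of injected code) are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions; tune per site): code hidden after a long run of
# blanks, and external rewrites that only fire for certain User-Agents.
PADDED = re.compile(r"[ \t]{80,}\S")
UA_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def scan_php(path):
    """Return (line, column) of code pushed off-screen by whitespace padding."""
    lines = path.read_text(errors="replace").splitlines()
    return [(no, m.end()) for no, line in enumerate(lines, 1)
            if (m := PADDED.search(line))]

def scan_htaccess(path):
    """Return (line, target) of external rewrites guarded by a User-Agent test."""
    hits, ua_pending = [], False
    for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if UA_COND.match(line):
            ua_pending = True
        elif (m := RULE.match(line)):
            if ua_pending and re.match(r"https?://", m.group(1), re.I):
                hits.append((no, m.group(1)))
            ua_pending = False  # a RewriteRule ends the condition chain
    return hits

def scan_docroot(root):
    """Map relative path -> findings for every .php and .htaccess under root."""
    report = {}
    for p in Path(root).rglob("*"):  # rglob also returns dotfiles
        scan = scan_htaccess if p.name == ".htaccess" else scan_php if p.suffix == ".php" else None
        if scan and p.is_file() and (hits := scan(p)):
            report[str(p.relative_to(root))] = hits
    return report

SAMPLE_HTACCESS = ("RewriteEngine On\n"
                   "RewriteCond %{HTTP_USER_AGENT} (iphone|android) [NC]\n"
                   "RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]\n"
                   "RewriteRule ^old$ /new [L]\n")

def demo():
    """Build a constructed docroot with harmless stand-ins and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.php").write_text("<?php\necho 'hi';\n")
        (root / "index.php").write_text("<?php" + " " * 200 + "/* stand-in */\necho 'hi';\n")
        (root / ".htaccess").write_text(SAMPLE_HTACCESS)
        return scan_docroot(root)
```

Calling `scan_docroot()` on a downloaded copy of the site gives the file, line and column to inspect; every hit needs a manual look, since minified or generated code can also trip the padding heuristic.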
 

SrWebDeveloper

macrumors 68000
Dec 7, 2007
1,871
3
Alexandria, VA, USA
My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.
I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file.
I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.

Great information, this reply is to the OP and others following:

In general many sites have very poor permissions setup on the folders and files in the docroot or deeper. It's very important to nail down proper permissions and file ownership in a production environment. Your CMS documentation or webhost can help you with that. Learn chown/chmod if Linux!

Specific to timthumb - this is a plugin version of it for WordPress which has a well known and very nasty vulnerability including a plugin just for fixing if you got slammed. In general the best way to prevent is always avoid betas or dev releases on production sites unless no choice and always update to the latest version to account for security vulnerabilities.
 

sharaking

macrumors newbie
Feb 11, 2014
1
0
Problem Solved for me ~ Mobile Page Gets Redirected to Unwanted Pages

I faced the same problem, my website gets redirected to a different page when it's visited from a mobile device.

After hours of searching, I found there was JavaScript added into my index.php file located in /template/themexxx/index.php. After removing it, everything was normal again.

Hope this will solve your problem too. :)
 