Finding redirect in a hacked site?

Discussion in 'Web Design and Development' started by whooleytoo, Dec 3, 2012.

  1. macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #1
    My sister's work site (a small community arts group) has been hacked so mobile users are redirected to porn sites.

    I've been trying to find the modified file (it's not a very complex site) so she can tell her hosting company what to change; I'm just using Safari's web inspector.. is there any way to get it to break on redirect/meta refresh?
     
  2. macrumors 6502

    Joined:
    Jan 3, 2012
    #2
    first check the meta data on the page if there is a redirect.
    then you have to have the .htaccess file checked on the server (if you have access to the server, it's in the root; remember to enable hidden files)

    a good start at least, but it could also be on the devices (?) and on other server levels.
    what's similar for those mobile devices? (all iPhones? all 240 width? or similar)
     
  3. macrumors 65816

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #3
    Porn is art, right?

    There are a million ways they could have redirected her site, without access to the source we are really just shooting in the dark.

    They could have access through WordPress admin and put a redirect directly into the pages or widgets.

    They could have gotten access to the host and placed the redirect in the server config files or as mentioned .htaccess.

    It could be a JavaScript hack which they included in a comment.

    Good luck and I'm sorry it happened to you.
     
  4. macrumors 65816

    aarond12

    Joined:
    May 20, 2002
    Location:
    Dallas, TX USA
    #4
    Could you respond with more information, such as the web server type (e.g., Apache, IIS, version information, etc.)? Maybe give us the URL and we might be able to track it down by looking at the web traffic...
     
  5. macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #5
    Can you start by simply restoring the site files from the last known-good backup?
    Have you called the hosting company?
     
  6. thread starter macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #6
    Appreciate the advice.. (and yes, I did offer the "actually I prefer the new site" line, but they weren't impressed! :p)

    They contacted the hosting company (Bluehost) who took a look, but were unable to find the cause, due to the number of files - I'd guess they're on a very low-cost package so support would be less than ideal. The support did reckon it's .htaccess related.

    By changing my user agent to iPhone I was able to see the same redirects on my laptop so it's likely in an iOS-specific file that's included (I can't imagine whoever injected the redirect deliberately wanted to exclude PC/Mac users).

    p.s. they did a restore to a month ago and the problem persists. So either it's been there for a while for mobile devices and went unnoticed (unlikely) or the redirect is external to the files being restored.
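
Added example, not part of the original post: one way to check an .htaccess file for the pattern discussed here, a rewrite rule that only fires for certain user agents and points at a host the site does not own. The sample file, the host names and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not taken from the affected site.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]

# mobile-only rule of the kind described in the thread
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=302,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_conditional_redirects(text, own_hosts):
    """Return (line_no, host) for rules that send only some user agents off-site."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            # RewriteCond lines bind to the next RewriteRule that follows them.
            pending.append(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if not rule:
            continue  # comments, blank lines and other directives
        target = rule.group(1).strip('"')
        host = urlparse(target).hostname if "://" in target else None
        ua_gated = any("HTTP_USER_AGENT" in test for test in pending)
        if host and host not in own and ua_gated:
            findings.append((line_no, host))
        pending = []  # conditions are consumed by this rule
    return findings


if __name__ == "__main__":
    site = {"example.org", "www.example.org"}
    for line_no, host in find_conditional_redirects(SAMPLE_HTACCESS, site):
        print(f"line {line_no}: user-agent-gated redirect to {host}")
```

Run it against every .htaccess under the docroot, since a file in a subdirectory applies to that subtree as well.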
     
  7. macrumors 65816

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #7
    Just chiming in again... restoring the files would not fix any links or comments as they are saved in the database. The obnoxious script file could still be located within the comments section.

    All of this could be pretty easy to find:
    1) Search all files for the redirect that pops up in the url
    2) Run a manual SQL query on the database.
     
  8. macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #8
    PRIVATELY, not here, I think. :p

    To the OP:

    The server's web logs usually list the referer they received from the browser, i.e. look for 301 and 302 redirects in the log, plus http_referrer header. Consult web host as to which log to check, but much, much faster to scan a log if unsure and not a coding guru, usually.
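
Added example, not part of the original post: a small pass over access-log lines that lists paths answering 301/302 to mobile user agents only. It assumes Apache combined log format; the log lines, addresses and user-agent strings are constructed.

```python
import re
from collections import Counter

# request line, status, size, referer, user agent (combined log format)
LINE = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
MOBILE = re.compile(r"iphone|ipod|ipad|android|blackberry|windows phone", re.I)

IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"
ANDROID = "Mozilla/5.0 (Linux; U; Android 4.0.4)"
DESKTOP = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2)"


def _line(path, status, ua):
    # Helper that builds one constructed log line for the sample below.
    return (f'203.0.113.5 - - [03/Dec/2012:10:00:01 +0000] '
            f'"GET {path} HTTP/1.1" {status} 218 "-" "{ua}"')


SAMPLE_LOG = [
    _line("/", 200, DESKTOP),
    _line("/", 302, IPHONE),
    _line("/", 302, ANDROID),
    _line("/old-page", 301, DESKTOP),   # ordinary redirect: everyone gets it
    _line("/old-page", 301, IPHONE),
    _line("/events", 200, IPHONE),
]


def mobile_only_redirects(lines):
    """Map path -> number of 301/302 responses seen by mobile agents only."""
    mobile, desktop = Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(2) not in ("301", "302"):
            continue
        path, _status, ua = m.groups()
        (mobile if MOBILE.search(ua) else desktop)[path] += 1
    # Keep paths that never redirected a desktop agent.
    return {p: n for p, n in mobile.items() if desktop[p] == 0}


if __name__ == "__main__":
    for path, count in sorted(mobile_only_redirects(SAMPLE_LOG).items()):
        print(f"{path}: {count} redirect(s), mobile user agents only")
```

Only redirects issued by the server appear this way; a redirect performed by script in the page is served with a 200 status and will not show up.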
     
  9. macrumors 603

    notjustjay

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #9
    My site got hit last year with a pretty simple (but annoying) PHP hack where every single PHP file was modified to include a small chunk of code on the top line, after the opening PHP brace, but it had been formatted with lots of spaces so that in your text editor you wouldn't see it until you scrolled all the way to the right.

    I think the hack's entry vector was a script vulnerability in some kind of thumbnail generator script (timthumb?) which then traversed the file system looking for script files to modify. It also installed a contaminated .htaccess file.

    I thought I had got rid of it but I had missed a few PHP files so when the infected files were rerun a few months later, it all came back... I ended up scrapping the entire site and reinstalling from backups.
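
Added example, not part of the original post: a scanner for the hiding trick described above, where content sits on a line after a long run of spaces so it is off-screen in an editor. The 80-character threshold, the file extensions and the function names are assumptions; the demo files are constructed and carry only a harmless marker.

```python
import os
import re
import tempfile

SCRIPT_EXT = (".php", ".phtml", ".inc")


def scan_file(path, min_pad=80):
    """Return (line_no, column) where text follows min_pad+ spaces or tabs."""
    padded = re.compile(r"[ \t]{%d,}(?=\S)" % min_pad)
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            m = padded.search(line)
            if m:
                hits.append((line_no, m.end() + 1))  # 1-based column of hidden text
    return hits


def scan_tree(root, min_pad=80):
    """Walk root and report (relative_path, line_no, column) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXT) or name == ".htaccess":
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                findings += [(rel, ln, col) for ln, col in scan_file(full, min_pad)]
    return sorted(findings)


def demo():
    # Constructed docroot: one clean file, one with a marker pushed off-screen.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.php"), "w") as fh:
            fh.write("<?php\necho 'hello';   \n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php" + " " * 300 + "echo 'constructed-marker';\n?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, line_no, col in demo():
        print(f"{rel}:{line_no}: hidden content starts at column {col}")
```

Every script file is checked on every line rather than only the first, because a single missed file is enough for the reinfection described in the post.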
     
  10. macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #10
    Great information, this reply is to the OP and others following:

    In general many sites have very poor permissions setup on the folders and files in the docroot or deeper. It's very important to nail down proper permissions and file ownership in a production environment. Your CMS documentation or webhost can help you with that. Learn chown/chmod if Linux!

    Specific to timthumb - this is a plugin version of it for WordPress which has a well known and very nasty vulnerability including a plugin just for fixing if you got slammed. In general the best way to prevent is always avoid betas or dev releases on production sites unless no choice and always update to the latest version to account for security vulnerabilities.
     
  11. macrumors newbie

    Joined:
    Feb 11, 2014
    #11
    Problem Solved for me ~ Mobile Page Gets Redirected to Unwanted Pages

    I faced the same problem, my website gets redirected to a different page when it's visited from a mobile device.

    After hours of searching, I found there was JavaScript added into my index.php file located in /template/themexxx/index.php . After removing it, everything was normal again.

    Hope this will solve your problem too. :)
     
