bunnylovemedia{at}gmail.com pornset.com hacked my site - who are these scumbags?

[mineistaken]

Anyone heard of bunny love media?
I opened my site and it redirects to pornset.com

[email protected]

[XSAXS]

Can't help you, but damn... This world is full of assholes, cunts, and cocksuckers.

[WDF]

Is the redirect at the registrar or the server?

Time to do a password audit.

Search the email on Google, 1 result: http://netcomber.com/pornmaxim.com

a quick search of pornset.com reveals SOA info for DNS as:

pornset.com SOA 1 day ns55.pornset.com. cicasouris.gmail.com. 2013101501 86400 7200 3600000 86400

Do a historical Domain search of that email and find an old not privacy protected domain registration maybe for countrypoll.com, see what comes back.

[mineistaken]

Quote:

Originally Posted by WDF

Is the redirect at the registrar or the server?

Server. Found some malicious code inserted into files.
Interesting thing - server says last time those files were edited was June. And I have backup from September (clean files). Not sure how was that possible.

[WDF]

Edited my first post with more info for you.

What platform is used for the site? Check for updates?

Are you using shared hosting? Vps or Dedi? cpanel? If VPS or Dedi and cPanel Mod_Security will help with injection attacks. CSF is a good plug in also.

Review your logs to see where it came from. Notify your host.

[mineistaken]

On this shared account I have 5 WP websites, all of those has some malicious shit injected in all the php files, BUT only 1 of them redirects. I have cleaned the files, but it did not help.

Where to look for redirect if only 1 of 5 sites are redirecting while all of them has malicious code?
htaccess is clean..

[WDF]

Check your db and theme files.

[mineistaken]

Quote:

Originally Posted by WDF

Check your db and theme files.

Theme files are clean as I restored everything from back up. Let's see database..
Although it is still strange that only 1 of 5 sites redirects, usually when it gets hacked all sites go down..

[WDF]

You made certain index.php is clean?

Delete and upload new is uncertain.

[mineistaken]

Quote:

Originally Posted by WDF

You made certain index.php is clean?

Delete and upload new is uncertain.

100%. That's why it is strange. On top of only 1 of 5 sites being affected

[WDF]

I have left a message for my partner to check this thread when he gets online. He has a little better head for current exploits then I do.

Check through the db. There is a number of site settings relating to domain in 2 tables that may result in a redirect. You can view it in word pad, download a current copy and search for the domain the site is redirecting to.

I will stay for a while longer and try to help but it is fairly late here.

Added:

You need to find the vulnerability and fix that as well.

Redirect the domain in cpanel to 1 of your other sites for now if need be.

Did you report the hack to your hosts support. It may be more then your sites that have been compromised.

[mineistaken]

Thanks for the help and advice
I cleaned it up, it was one of the embeds from 2009 (I think I sold blog post to the site back then) that started redirecting all the site in 2014

[NEW XTC]

WDF rocks...

[WDF]

Quote:

Originally Posted by mineistaken

Thanks for the help and advice
I cleaned it up, it was one of the embeds from 2009 (I think I sold blog post to the site back then) that started redirecting all the site in 2014

No Problem, happy to help out when I can.

Quote:

Originally Posted by NEW XTC

WDF rocks...

Thanks for the recognition