Fake links that redirecting to a malware site

Viewing 8 replies - 1 through 8 (of 8 total)
  • I have never heard of either:

    iThemes Security and screen with Anti-Malware by ELI.

    Where did you get them? If not from here, your support is with them.

    That said, please review:

    http://codex.wordpress.org/Hardening_WordPress

    Hi there,

    I assume that your site is http://www.nicholsenvironmental.com/ – am I right? Could you be a bit more specific and describe when exactly this redirect happens? Simply giving us a few more pieces of the whole infection image would be great!

    Thanks!

    Thread Starter sstevens777

    (@sstevens777)

    Yes, the site is http://www.nicholsenvironmental.com/.

    We had a third party contact us to say that our site was linking to http://www.expert-lender.com/ through a hidden link on our site, which was http://www.nicholsenvironmental.com/wp-admin/includes/attachment/accessory/carinsurancecompanies.html.

    If you go to this link, there is no page; it just redirects to http://www.expert-lender.com/. I’ve never been able to find where the redirect is written, so I removed all folders regarding the site and created a new database, hoping the link would be in there somewhere, but no success.

    Beyond the database, the theme and supporting files like htaccess, where else can a redirect be hidden?

    Hmm…I think that might be the problem there:

    /wp-admin/includes/attachment/accessory/carinsurancecompanies.html.

    Everything up to /includes is legitimate and part of the WordPress core, but /attachment/accessory are not part of the WordPress core files and should not be present there.

    Take a look in /wp-admin/includes and see if there is an /attachment directory there.

    If so, I would delete the whole /attachment directory and replace all of your WordPress core files just to be on the safe side.

    Remember: Do not delete wp-content 🙂

    If you still have problems I would do a search over all your files (using SSH grep command) for “expert-lender” and see if anything still comes up.

    You will not find expert-lender in any code on your site.

    Use a text editor like sublime2 to load this page into the editor. You need to do this so the JavaScript in the HTML file on your site does not execute.

    /wp-admin/includes/attachment/accessory/carinsurancecompanies.html.

    Inside that HTML file you will find a link to a JavaScript file with a name like “include856.js”. If you use the same text editor to open that file, you will get code output that is obfuscated, meaning you can’t read it.

    It's base64 encoded, so you can use some online tools to decode that unreadable string. Once that’s decoded you will see the links to expert-lender and several other website “affiliates” along with “affiliate” codes they use for tracking revenue generated off your hacked page.

    The reason you can't find the redirect is that it's obfuscated in JavaScript.
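
The reply above explains why a plain-text search for the destination domain comes up empty: the string exists only base64-encoded inside the script. The sketch below is an added example, not code from the thread; it searches a file tree for a string both as-is and inside decoded base64 runs. The domain `redirect-target.example`, the 24-character threshold and the sample tree built in `demo()` are constructed; the two file names are the ones mentioned in the thread.

```python
import base64
import re
import tempfile
from pathlib import Path

# Runs of base64 alphabet long enough to hide a URL (24 is an assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
EXTS = {".js", ".html", ".htm", ".php"}

def decoded_blobs(data: bytes):
    """Yield the decoded bytes of every plausible base64 run in data."""
    for match in B64_RUN.finditer(data):
        blob = match.group(0)
        blob = blob[: len(blob) - len(blob) % 4]  # keep whole 4-char groups only
        try:
            yield base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue

def scan_tree(root, needle: str):
    """Return sorted (relative path, 'plain' | 'base64') hits for needle under root."""
    root = Path(root)
    target = needle.lower().encode()
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTS:
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if target in data.lower():
            hits.append((rel, "plain"))
        if any(target in blob.lower() for blob in decoded_blobs(data)):
            hits.append((rel, "base64"))
    return sorted(hits)

def demo():
    """Build a constructed sample tree mirroring the thread and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "wp-admin/includes/attachment/accessory")
        bad.mkdir(parents=True)
        payload = base64.b64encode(b'window.location="http://redirect-target.example/";')
        (bad / "carinsurancecompanies.html").write_text('<script src="include856.js"></script>')
        (bad / "include856.js").write_bytes(b'var s=atob("' + payload + b'");')
        Path(tmp, "wp-admin/includes/file.php").write_text("<?php // clean core file")
        return scan_tree(tmp, "redirect-target.example")

if __name__ == "__main__":
    print(demo())
```

A `base64` hit with no `plain` hit on the same file is the pattern the reply describes: the file carries the destination, but `grep` for the domain never sees it.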

    og1314z

    (@og1314z)

    Hi Guys
    I need help please.
    My site http://workwithmichaelnwani.com/ has been hacked with a link that redirects to http://www.healthnews24.co/ca/?t202id=936008&t202kw=desk-2
    I am new to web design, I wanted this to be a personal blog where I could promote some affiliate offers.
    Can someone help me please?
    Thanks

    wslade

    (@wslade)

    I'm sorry that your site was damaged. Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    og1314z

    (@og1314z)

    Thanks a lot
    I will get to it now

  • The topic ‘Fake links that redirecting to a malware site’ is closed to new replies.