Support » Plugin: Wordfence Security - Firewall, Malware Scan, and Login Security » Site doing porn redirect but clean scan

  • Resolved scottmliddell

    (@scottmliddell)


    Hi,
My blog http://www.scottliddell.com (don’t visit link) is suffering from some sort of hack that redirects some, not all, hits to a porn site. My Wordfence premium scan is coming up clean, so I guess it’s something fairly new. Has anyone seen anything like it?

I did have a file .backup_time on the file system which looked off, but I got rid of it.

    A bit confused at the moment!

    Any help much appreciated!

    Thanks,
    Scott

    https://wordpress.org/plugins/wordfence/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Could be anything but here are a few things for you to check.

    Check your .htaccess file. A hacker might have added directives to redirect specific visitor profiles according to visitor location, time of day, hit count or browser type.

If you’ve installed any new plugins or themes, disable them and test whether this still happens. Possibly a dynamic redirect has been set by one of them. View these rewrites with http://wordpress.org/plugins/rewrite-rules-inspector/. You could check the plugin support forums to see whether others have reported similar events.

    You can flush your WordPress rewrite rules by re-saving your permalinks in Settings > Permalinks.

    Does your web host offer security scans? Could be a server security issue.

    Are you using a CDN server? Maybe the issue is there.

    Does this happen to more than one visitor? If not, maybe the visitor has a malicious browser script installed.

    Good luck solving this!
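A small audit of the first suggestion in this reply, added here as an example and not part of the reply or of Wordfence: it parses a constructed .htaccess (the stock WordPress block plus a hand-written conditional redirect to the placeholder host redirect-target.example.net) and flags any RewriteRule or Redirect whose target is off-site, listing the profile-based server variables (user agent, referrer, client address, time of day) that gate it. The own-host allowlist, the sample rules and the set of profile variables are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess (not taken from the thread). The first block is
# the stock WordPress rule set; the second is the kind of visitor-profile
# redirect the reply describes, pointing at a placeholder host.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod) [NC]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect-target.example.net/ [R=302,L]
"""

# Server variables whose use in a RewriteCond selects visitors by who they are
# (assumed list), rather than by which resource they requested.
PROFILE_VARS = {"HTTP_USER_AGENT", "HTTP_REFERER", "REMOTE_ADDR", "HTTP_COOKIE",
                "TIME_HOUR", "TIME", "HTTP_ACCEPT_LANGUAGE"}


def audit_htaccess(text, own_hosts):
    """Return one finding per rule that sends visitors to a host outside own_hosts,
    together with the profile-based conditions (if any) that gate that rule."""
    findings = []
    pending = []  # RewriteCond lines accumulated before the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(parts[1])  # the tested string, e.g. %{HTTP_USER_AGENT}
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            target = parts[-1]
        if target is not None:
            # Only absolute URLs can send the visitor off-site; "-" and "/index.php" cannot.
            host = urlparse(target).hostname if "://" in target else None
            if host and host.lower() not in own_hosts:
                gates = sorted({var for cond in pending
                                for var in re.findall(r"%\{(\w+)\}", cond)
                                if var in PROFILE_VARS})
                findings.append({"line": lineno, "target_host": host, "gated_on": gates})
        if directive == "rewriterule":
            pending = []  # RewriteCond lines apply only to the RewriteRule that follows them
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.scottliddell.com"}):
        print(finding)
```

Running it against the sample reports the rule on line 13 with target host redirect-target.example.net, gated on HTTP_REFERER and HTTP_USER_AGENT; the stock WordPress rules produce no findings because their targets are local. Point it at the real file with `audit_htaccess(open(".htaccess").read(), {"www.example.com"})`.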

    Just read this and thought of you. Are you using OptimizePress?

    Avast has reported a security flaw in it that is sending people to adult sites:

    http://blog.avast.com/2014/04/17/wordpress-vulnerability-puts-mobile-visitors-at-risk/

    No redirect for me.

    Thread Starter scottmliddell

    (@scottmliddell)

    Thanks all.

The effect seems to be exactly the same as in the Avast article but with a different root cause; the redirect is even to the same IP, but I’ve grep’d the whole file system and there isn’t a file with the IP in it. Also, I’m not running OptimizePress, so there is another vulnerability that WordFence can’t see, which isn’t from that plugin, doing the same thing. It is mobile only and it seems only on first access…

    I’ll keep looking!

Try grep -r 'top.location.replace'. Bear in mind that the malicious code could be base64 encoded so might look more like “dG9wLmxvY2F0aW9uLnJlcGxhY2U=” (without quotes). Try other encoding options too, as well as grepping for just the IP address encoded.

    This will help with encoding: http://www.base64encode.org/
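The encoding point in the reply above has a catch worth making concrete: the base64 spelling of a substring depends on its byte alignment inside the larger encoded blob, so “dG9wLmxvY2F0aW9uLnJlcGxhY2U=” is only what the marker looks like when it starts at a multiple of three bytes, and a grep for that one form misses the other two alignments. The following is an added example, not code from the thread or from Wordfence: it derives all three alignments of a marker, walks a directory tree for the plain and encoded forms, and runs over a constructed two-file tree in which the RFC 5737 placeholder address 203.0.113.10 stands in for the IP the thread mentions. File names and contents are constructed.

```python
import base64
import os
import tempfile


def base64_variants(needle):
    """Return the three base64 spellings a byte string takes inside a larger
    encoded blob, one per alignment (0, 1 or 2 bytes precede it in a 3-byte group)."""
    variants = set()
    for offset in range(3):
        padded = b"\x00" * offset + needle
        enc = base64.b64encode(padded).rstrip(b"=")
        # Leading characters that mix in bits of the padding bytes: none, two or three.
        start = (0, 2, 3)[offset]
        # If the padded length is not a multiple of 3, the final character also
        # carries bits of whatever byte follows in the real blob, so drop it.
        end = len(enc) - (1 if len(padded) % 3 else 0)
        variants.add(enc[start:end])
    return variants


def scan_tree(root, needles):
    """Walk root and report files containing any needle either as plain text or in
    any of its base64 alignments. Returns (relative path, needle, form) tuples."""
    patterns = []
    for needle in needles:
        patterns.append((needle, needle, "plain"))
        for variant in base64_variants(needle):
            patterns.append((needle, variant, "base64"))
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for needle, pattern, form in patterns:
                if pattern in data:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, needle.decode(), form))
    return sorted(hits)


def demo():
    """Build a constructed two-file tree in a temp dir and scan it (sample data only)."""
    marker, address = b"top.location.replace", b"203.0.113.10"
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "footer.php"), "wb") as fh:
        fh.write(b"<script>top.location.replace('/');</script>\n")  # plain form
    # Encoded form: one leading byte shifts the marker to alignment 1, and the
    # address lands at alignment 2, so a grep for the offset-0 spelling finds neither.
    blob = base64.b64encode(b"x" + marker + b"('http://" + address + b"/');")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php $payload = '" + blob + b"'; // constructed sample\n")
    return scan_tree(root, [marker, address])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

For a real site, call `scan_tree("/path/to/wordpress", [b"top.location.replace", b"<ip from the redirect>"])`; the same function also covers the database export mentioned later in the thread, since a SQL dump is just another file in the tree.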

    Thread Starter scottmliddell

    (@scottmliddell)

Cheers Lee, had done the recursive grep but not with any encoding, will try that, have just exported the whole DB too so I can search that!

    Welcome Scott. Will be very interested to know what you find.

    Thread Starter scottmliddell

    (@scottmliddell)

OK, so, I think I’ve found it and it was, erm, hiding in plain sight in the root index.php – a big nasty slug of encoded junk. I found it using the grep tip in the comments of this article…

    http://blog.sucuri.net/2014/01/recent-optmizepress-vulnerability-being-mass-infected.html

It makes sense it was there, as if it wasn’t in .htaccess it couldn’t be many other places. I suppose I didn’t look because the scan was clean (fairly poor excuse!).

So, I still dunno how it got there and I really don’t know how WordFence doesn’t spot it. Is there a way of submitting stuff to the WordFence guys?

    Always the last place you think. At least your site has had a scan of its innards performed.

    wp-header is another place where hackers sometimes hide malicious junk.

You might want to reinstall the WordPress core files manually. Have you done that before? I suspect you have done so, but for the benefit of those who haven’t, in general you’ll need to:

1) download the WordPress zip file,
2) unzip it,
3) remove the wp-content folder from the unzipped file,
4) rezip the remaining package,
5) upload the rezipped file to your server,
6) copy all your WP files to a backup folder,
7) delete everything except for wp-content, your backup folder and the uploaded zip file,
8) decompress the zip file and reload your site to make sure it works,
9) if it doesn’t work, restore the backup files,
10) if it does work (and it should), you ought to be safe to remove the backup files.

Hitting the Update/Reinstall WordPress button doesn’t replace all core files, so the manual method is best.

    The Wordfence guys can be contacted at http://www.wordfence.com. Blog comments work well to get Mark’s attention.

    Worrying that Wordfence missed this one.
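The manual reinstall described in this reply, as an added example in Python rather than the reply’s own steps (not Wordfence code): core_diff compares the site tree against an unpacked clean WordPress package and reports modified, extra and missing files outside wp-content, which is the comparison that would have pointed at index.php here, and replace_core performs steps 6 to 10 offline: back up the site, delete everything except wp-content, then copy the clean package in. It additionally keeps wp-config.php, because the downloaded package does not ship that file and step 7 taken literally would delete it. The directory layout, file contents and the junk appended to index.php are constructed for the demonstration.

```python
import filecmp
import os
import shutil
import tempfile

# Top-level entries kept across a core replacement: the site's own content and
# the one root file the WordPress zip does not contain (created at install time).
PRESERVE = {"wp-content", "wp-config.php"}


def _files(root):
    """Relative paths (with '/' separators) of all files under root, minus PRESERVE."""
    out = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel.split("/")[0] not in PRESERVE:
                out.add(rel)
    return out


def core_diff(site, clean):
    """Compare a site against an unpacked clean package.
    Returns (modified, extra, missing): files whose content differs from the
    package, files present only in the site, and package files the site lacks."""
    site_files, clean_files = _files(site), _files(clean)
    modified = sorted(rel for rel in site_files & clean_files
                      if not filecmp.cmp(os.path.join(site, rel),
                                         os.path.join(clean, rel), shallow=False))
    return modified, sorted(site_files - clean_files), sorted(clean_files - site_files)


def replace_core(site, clean, backup):
    """Steps 6-10 of the reply: copy the site to backup, remove everything except
    PRESERVE, then copy the clean package in (skipping its own wp-content)."""
    shutil.copytree(site, backup)  # step 6: full backup first
    for name in os.listdir(site):  # step 7: clear the core tree
        if name in PRESERVE:
            continue
        path = os.path.join(site, name)
        shutil.rmtree(path) if os.path.isdir(path) else os.remove(path)
    for name in os.listdir(clean):  # step 8: unpack the clean files
        if name in PRESERVE:  # never replace site content with the package's samples
            continue
        src, dst = os.path.join(clean, name), os.path.join(site, name)
        shutil.copytree(src, dst) if os.path.isdir(src) else shutil.copy2(src, dst)


def demo():
    """Constructed site and package in a temp dir; returns diff before, diff after,
    and the files left in the site tree once the core has been replaced."""
    base = tempfile.mkdtemp()
    site, clean, backup = (os.path.join(base, n) for n in ("site", "clean", "backup"))

    def put(root, rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    # Clean package (what the unzipped download would contain).
    put(clean, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
    put(clean, "wp-blog-header.php", "<?php // core file\n")
    put(clean, "wp-content/themes/default/style.css", "/* shipped theme */\n")
    # Infected site: index.php carries appended junk, one unknown file sits in the
    # core tree, and the site is missing one core file.
    put(site, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n// appended junk (constructed)\n")
    put(site, "wp-dropped.php", "<?php // unknown file in the core tree\n")
    put(site, "wp-content/uploads/photo.jpg", "jpeg-bytes")
    put(site, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")

    before = core_diff(site, clean)
    replace_core(site, clean, backup)
    after = core_diff(site, clean)
    kept = sorted(_files(site) | {r for r in _files_all(site)})
    return before, after, kept


def _files_all(root):
    """Relative paths of every file under root, PRESERVE included."""
    return {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
            for d, _, ns in os.walk(root) for n in ns}


if __name__ == "__main__":
    before, after, kept = demo()
    print("before:", before)
    print("after: ", after)
    print("kept:  ", kept)
```

Run core_diff first and read the extra and modified lists before replacing anything: a legitimate file such as .htaccess will show up as extra, and the steps above only restore files that the package ships, so anything else in the root still needs a manual look.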

    Thread Starter scottmliddell

    (@scottmliddell)

    I raised a ticket with Wordfence and sent them the infected index.php.
I did a test and Wordfence did pick it up elsewhere (because of the difference with repository files), just not, it seems, in index.php…

    Thread Starter scottmliddell

    (@scottmliddell)

    Mark has confirmed that Wordfence has been updated to protect against this exploit.

    Perfect. Thank you.

    Plugin Author Wordfence Security

    (@mmaunder)

    Marking this resolved if you’re OK with that. We’re detecting this now.

    Regards,

    Mark.

Did you ever figure out the source? I feel like most of the ones I am seeing used OptimizePress, but I’ve seen a few that have not, and I can’t seem to find the source of this “junk” getting into all the wp-config.php, index.php, header.php and functions.php files in an account – sometimes it’s every install in the account, which can add up quickly.

  • The topic ‘Site doing porn redirect but clean scan’ is closed to new replies.