Google fetch is redirecting to japanese site looks like hack

  • I found this code in index.php and it looks strange to me. I removed the bad code from index.php and the site went well for 2 hours; GTmetrix was showing my version of the website, and Google Fetch and Render was showing my version for how Googlebot will see your site and the Japanese version for how people will see your website.
    But the website goes bad again and the link is there again.
    I don't know where it is coming from!!
    Help will be much appreciated!!

    Please check

    [code moderated. Do not post hacking code in these forums.]

    I’m having the same issues, seems to be jumping from one site to another, all hosted in the same space.

    I have so far removed:

    CSS.PHP
    SON.PHP
    and
    tonundrumy.php

    files from most of my domains; however, the index.php keeps getting changed. I also noticed that the .htaccess file has an amended date on it, but no changes have been made. Before, it was just a mapss.xml that was dropped into my directories, but now I’m seeing the injection into index.php with the below code:

    [code moderated. Do not post hacking code in these forums.]

    followed by encrypted information.

    Any help is greatly appreciated.

    By the way, who is your host?

    After spending a few nights on it, I finally fixed it.
    https://gtmetrix.com/reports/zestech.org/mb3l28WR

    I think I can help you. Please check your website on GTmetrix: does it show the Japanese version of your website?

    1. What WordPress version are you using?
    2. What theme are you using?
    3. What file permissions do you have on the website files?

    Hi

    I am having the same problem with index.php on one of my sites – keeps being overwritten with hacked Japanese version even though permissions are set to 400.

    I can’t find any other file changes on the site

    Has anyone solved this? If so how did you find the source of the attack?

    Thanks

    Hi Guys, having the same issue.

    Copied the site offline, wiped everything, fresh install, changed all passwords (da login, ftp, user accounts, db) and reinstalled plugins & themes.

    Still index.php is changed, so Google indexes my URLs like it’s a Japanese website, and if you click it, it redirects you to the Japanese site.

    WordPress: latest version. I’m using DirectAdmin.

    More information.

    I made a mistake: .htaccess was still owned by root:root. I checked the error log:

    [Tue Sep 20 09:02:02.264116 2016] [core:crit] [pid 15946] (13)Permission denied: [client 66.249.69.165:50474] AH00529: /home/myusername/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/myusername/' is executable

    So “something” is probing or trying to change the .htaccess file, which is not possible because it’s owned by root.

    So I created a custom .php file which changes the .htaccess file (using file_get_contents and file_put_contents) and I get this error:

    
    [Tue Sep 20 11:16:13.953205 2016] [:error] [pid 22528] [client 178.255.53.158:18280] PHP Warning:  file_put_contents(.htaccess): failed to open stream: Permission denied in /home/myusername/domains/mywebsite.be/public_html/ronald.php on line 6

    The differences: [core:crit] vs. [:error] and an error code like ‘AH00529’.

    Update: solved.

    Hacker left a backdoor as @rtde describes. With me it was PHP code in “404.php”. In general this is what happened:

    1. Hacker gets access to files using a user administrator account in WordPress OR a plugin and modifies/creates a file in wp-content/somewhere;
    2. Hacker submits PHP code to 404.php (or any other new/infected file with “eval” in it);
    3. Submitted PHP code modifies .htaccess and index.php so Google is fooled with hundreds of products in Japan/China which are not on your site;
    4. Any clicks on the URLs from 3 are forwarded to the Japanese site.

    I was able to identify the hacker by using SSH and checking the log:

    cat /var/log/httpd/domains/mywebsite.be.log | grep "404" | grep "POST"

    After uncommenting the backdoor (with //), renaming index.php and .htaccess to .old and making copies from another WP site, I installed https://www.wordfence.com/ (free version).

    After a few hours I got an email from Wordfence:

    Critical Problems:
    
    * File appears to be malicious: wp-content/themes/mytheme/404.php
    * File appears to be malicious: index.hack.php
    * File appears to be malicious: index.old.php

    My advice: start with Wordfence 🙂
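
Added example, not part of the original posts: a tighter version of the log check described above, plus a file sweep for the "eval" pattern mentioned in step 2. It assumes Apache combined log format; the sample log lines, IP addresses and paths are constructed for illustration, and both function names are hypothetical.

```shell
# Constructed sample access log (documentation IP ranges, made-up paths).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [20/Sep/2016:09:01:10 +0200] "POST /wp-content/themes/mytheme/404.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2016:09:01:15 +0200] "POST /wp-content/themes/mytheme/404.php HTTP/1.1" 200 298 "-" "Mozilla/5.0"
198.51.100.20 - - [20/Sep/2016:09:02:02 +0200] "GET /missing-page HTTP/1.1" 404 1204 "-" "Googlebot/2.1"
198.51.100.33 - - [20/Sep/2016:09:03:40 +0200] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Sep/2016:09:05:00 +0200] "POST /wp-content/uploads/2016/09/x.php?a=1 HTTP/1.1" 200 20 "-" "curl/7.47"
EOF
}

# Print "count ip status path" for POST requests sent directly to a .php file
# below /wp-content/. Matching on the method and path fields avoids the false
# hits a plain grep for "404" gets from ordinary 404 status codes.
# Reads the log files given as arguments, or stdin when none are given.
suspicious_posts() {
  awk '
    $6 == "\"POST" {
      path = $7
      sub(/\?.*/, "", path)                 # ignore the query string
      if (path ~ /^\/wp-content\/.*\.php$/)
        hits[$1 " " $9 " " path]++          # key: client IP, status, path
    }
    END { for (k in hits) print hits[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# List PHP files under a directory (default: current) that call eval(...).
# Hits are candidates for manual review, not proof of infection.
php_with_eval() {
  grep -rlE --include='*.php' 'eval[[:space:]]*\(' "${1:-.}" | sort
}

# Stand-alone demonstration on the constructed log.
sample_log | suspicious_posts
```

On a live server, pass the domain's access log as the argument to `suspicious_posts` and the site's document root to `php_with_eval`.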

    Hey,

    I just found an interesting read on the same Japanese article. Looks like this thread was a motivation behind this guide: https://www.getastra.com/blog/911/how-to-remove-japanese-seo-spam-from-website/

    I had the same problem. I rolled back WordPress to an earlier version of WP and the problem was solved. 😆

    Gett

    (@sutprattana)

    I have the same problem and found many points to resolve:

    1. The config.php file has strange code. When I change to a new fresh file the site gives an error. So I must go back to that bad config.php file to get the site back.
    2. sitemap.xml (ymaps.xml): those link to Japanese pages. I deleted it but the site is still unresolved.
    3. I found strange code in htaccess and removed that code.
    4. I removed a folder containing thousands of sitemap files.

    ***The problem is still not fixed! What further?
