my site is redirecting to an unknown url (10 posts)

  1. beccamarr
    Posted 7 years ago #

    Sometimes when people click onto my website http://www.rebeccamarrphotography.com it is redirecting to a site ya.ru. When you try to go back to my site, it won't load and at the bottom it says it is trying to load http://www.sum4count.net.

    Could someone have hacked my site? Have I done something wrong? Has anyone else seen this?

  2. ClaytonJames
    Posted 7 years ago #

    You are also distributing a virus. JS/Downloader.Agent. It is apparent that your site or your host has suffered a compromise of some sort. Your hosting service may be able to provide guidance.

  3. beccamarr
    Posted 7 years ago #

    I have disabled my pages and contacted my host. Do you recommend anything else for me?

  4. ClaytonJames
    Posted 7 years ago #

    Without knowing the history of your blog... updates, file permissions, prior possible sources of entry, vulnerable plugins and/or corrupted themes, etc... my advice would be to review any recent changes you may have made, including all of the above items. Examine your source code for anything you don't expect to be there. Perhaps download a backup copy of your files and inspect for anything out of the ordinary, as well as reviewing your database for users or data that should not be there. Review your log files for suspicious activity if possible, and lastly perhaps seek help from someone with experience in resolving these matters. It seems odd that I was not redirected on every visit, nor was I accosted by the JS Downloader on every visit. Your site behaved normally in fact, on several visits. I had hoped to catch the offending script in action again if possible, but I did not. Do some searching on related terms and see if anything rings a bell. It would be my hope that your host could offer some supporting advice, or perhaps someone here can assist you in a more productive direction. Best of luck to you.


    [EDIT] a quick google search of sum4count.net had a ton of hits, and it is identified as malicious and a distributor of malware.
    Here is a quick whois on the domain.


    (shiver)... I don't think I would visit the address (sum4count.net), just to be safe.

  5. ClaytonJames
    Posted 7 years ago #

    I was looking at a cached page of your site in Google, and there appears to be an odd script immediately after the opening <body> and again immediately prior to the closing </body> tags in your source code. Perhaps I just don't know what I am seeing, but it looks odd to me.

    <body><script=language=JavaScript>function lban(x){var...... 
    ....<script language=JavaScript>function abban(x){var</body>

    Both of these scripts have an author's note of: <!-- higherministries.com --> added to them.

    Oddly enough, when I google "higherministries.com", the AVG threat advisor on the machine I am working at reports this:

    "Dangerous: This page contains active threats.
    Risk Category: Exploit
    Risk Name: WebAttacker
    Explanation: This appears to be the WebAttacker exploit package."

    ...As it also does when I check your URI. I hope some part of this helps in some way.
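Added example, not part of the thread: a Python triage scan for the pattern described in the post above, script elements sitting directly after the opening `<body>` tag or directly before `</body>`, including ones that are never closed. The sample page is constructed and harmless, and the function names are hypothetical; legitimate scripts can also sit just before `</body>`, so each hit is a prompt for manual review.

```python
import re

# A <script ...> element; if never closed, it ends at </body> or end of input.
# \b after "script" also accepts the malformed "<script=language=..." form.
SCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*>.*?(?:</script\s*>|(?=</body\b)|\Z)", re.I | re.S)
COMMENT = r"<!--(?:(?!-->).)*-->"
# Text before a script that ends with <body ...> plus only whitespace/comments.
BODY_OPEN_TAIL = re.compile(
    r"<body\b[^>]*>\s*(?:" + COMMENT + r"\s*)*\Z", re.I | re.S)
# Text after a script that holds only whitespace/comments, then </body>.
BODY_CLOSE_HEAD = re.compile(
    r"\s*(?:" + COMMENT + r"\s*)*</body\s*>", re.I | re.S)


def find_edge_scripts(html):
    """Return one finding per script element hugging either end of <body>."""
    findings = []
    for m in SCRIPT_BLOCK.finditer(html):
        block = m.group(0)
        positions = []
        if BODY_OPEN_TAIL.search(html[:m.start()]):
            positions.append("after <body>")
        if BODY_CLOSE_HEAD.match(html[m.end():]):
            positions.append("before </body>")
        for position in positions:
            findings.append({
                "position": position,
                "offset": m.start(),
                "terminated": bool(re.search(r"</script\s*>\Z", block, re.I)),
                "functions": re.findall(r"function\s+(\w+)", block),
                "snippet": block[:60],
            })
    return findings


# Constructed sample page: same layout as described in the post, harmless bodies.
SAMPLE = """<html><head><script src="theme.js"></script></head>
<body><script language=JavaScript>function lban(x){var a=x;}</script><!-- marker -->
<p>Gallery</p>
<script language=JavaScript>function abban(x){var</body></html>"""

if __name__ == "__main__":
    for f in find_edge_scripts(SAMPLE):
        print(f["position"], f["offset"], f["terminated"], f["functions"])
```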

  6. beccamarr
    Posted 7 years ago #

    Thank you so much, I will look further into this!

  7. beccamarr
    Posted 7 years ago #

    Would you mind taking another look to see if the problem is corrected now? Higherministries.com is my husband's website on my same server. He has a wordpress.org blog but his site is created through another program. I'm not getting much help from my hosting company as their best advice was to download antivirus to my computer, download everything from my server to my computer and then run a scan.

    I had someone remove the odd code and I've changed all of my passwords. I'm hoping the problem is behind me. I just wish I knew if the hack was through my server or my wordpress account.

  8. flammobammo
    Posted 7 years ago #

    You should definitely review all of your file permissions. I have recently had a lot of issues determining what acceptable file permissions should be. Please review the forum post I created about this:


    No wordpress system should have folder permissions any higher than 755, and no file permissions higher than 644. If anyone tells you to use 777 for ANYTHING, it is purely because they don't understand about the use of phpsuexec. Do not exceed these permissions for anything. I suspect you had exceeded these permissions (whether you realised or not) in your installation and that is how you may have been hacked. There are many links from my link above with more information on permissions. Hope it helps!

  9. beccamarr
    Posted 7 years ago #

    My wp/content folder permission was already set to 727 and my file permission to 644.
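Added example, not part of the thread: a Python audit that walks a directory tree and reports every folder with permission bits beyond 755 and every file with bits beyond 644, the limits given two posts above. The comparison is bit-by-bit rather than numeric, so a mode such as 727 is reported for its group-write and world-write bits; the sample tree, its modes, and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

DIR_MAX = 0o755    # folder limit stated in the thread
FILE_MAX = 0o644   # file limit stated in the thread


def excess_bits(mode, is_dir):
    """Return the permission bits set in mode beyond the allowed mask."""
    allowed = DIR_MAX if is_dir else FILE_MAX
    return stat.S_IMODE(mode) & ~allowed


def audit_tree(root):
    """Walk root; return sorted (relative path, mode, excess) per violation."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [(dirpath, True)]
        candidates += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            extra = excess_bits(st.st_mode, is_dir)
            if extra:
                findings.append((os.path.relpath(path, root),
                                 "%03o" % stat.S_IMODE(st.st_mode),
                                 "%03o" % extra))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"wp-content": 0o727, "wp-admin": 0o777, "wp-includes": 0o755}
        for name, mode in layout.items():
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        for name, mode in {"index.php": 0o644, "wp-config.php": 0o666}.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for path, mode, extra in demo():
        print(f"{path}: mode {mode}, excess bits {extra}")
```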

  10. dtclarinet
    Posted 7 years ago #

    I had the same problem. The trojan malware got into my PC and destroyed it. Luckily my Mac was less vulnerable, and by then I realized what was happening and changed my admin password and sql passwords. I also reinstalled the wordpress scripts. I discovered I had chmoded the admin folder to 777, I can't remember why, but I took it back to 755. Hopefully that took care of it.

    My domain is http://glitteringstew.com. The affected blog is http://glitteringstew.com/reed. If anyone with the skill could probe a bit and see if things look OK, I'd appreciate it.

    Any other suggestions?

    David Thomas

Topic Closed

This topic has been closed to new replies.
