Sometimes when people click onto my website http://www.rebeccamarrphotography.com it is redirecting to a site ya.ru. When you try to go back to my site, it won’t load and at the bottom it says it is trying to load http://www.sum4count.net.
Could someone have hacked my site? Have I done something wrong? Has anyone else seen this?
You are also distributing a virus. JS/Downloader.Agent. It is apparent that your site or your host has suffered a compromise of some sort. Your hosting service may be able to provide guidance.
I have disabled my pages and contacted my host. Do you recommend anything else for me?
Without knowing the history of your blog… updates, file permissions, prior possible sources of entry, vulnerable plugins and or corrupted themes, etc… my advice would be to review any recent changes you may have made, including all of the above items. Examine your source code for anything you don’t expect to be there. Perhaps download a backup copy of your files and inspect for anything out of the ordinary, as well as reviewing your database for users or data that should not be there. Review your log files for suspicious activity if possible, and lastly perhaps seek help from someone with experience in resolving these matters. It seems odd that I was not redirected on every visit, nor was I accosted by the JS Downloader on every visit. Your site behaved normally in fact, on several visits. I had hoped to catch the offending script in action again if possible, but I did not. Do some searching on related terms and see if anything rings a bell. It would be my hope that your host could offer some supporting advice, or perhaps someone here can assist you in a more productive direction. Best of luck to you.
[EDIT] a quick google search of sum4count.net had a ton of hits, and it is identified as malicious and a distributor of malware.
Here is a quick whois on the domain.
(shiver)… I don’t think I would visit the address (sum4count.net), just to be safe.
I was looking at a cached page of your site in google, and there appears to be a an odd script immediately after the opening <body> and again immediately prior to the closing </body> tags in your source code. Perhaps I just don’t know what I am seeing, but it looks odd to me.
both of these scripts have an authors note of: <!– higherministries.com –> added to them.
Oddly enough, when I google “higherministries.com”, the AVG threat advisor on the machine I am working at reports this:
“Dangerous: This page contains active threats.
Risk Category: Exploit
Risk Name: WebAttacker
Explanation: This appears to be the WebAttacker exploit package.”
…As it also does when I check your URI. I hope some part of this helps in some way.
Would you mind taking another look to see if the problem is corrected now? Higherministries.com is my husband’s website on my same server. He has a wordpress.org blog but his site is created through another program. I’m not getting much help from my hosting company as their best advice was to download antivirus to my computer, download everything from my server to my computer and then run a scan.
I had someone remove the odd code and I’ve changed all of my passwords. I’m hoping the problem is behind me. I just wish I knew if the hack was through my server or my wordpress account.
You should definitely review all of your file permissions. I have recently had a lot of issues determining what acceptable file permissions should be. Please review to the forum post I created about this:
No wordpress system should have folder permissions any higher than 755, and no file permissions higher than 644. If anyone tells you to use 777 for ANYTHING, it is purely because they don’t understand about the use of phpsuexec. Do not exceed these permissions for anything. I suspect you had exceeded these permissions (whether you realised or not) in your installation and that is how you may have been hacked. There are many links from my link above with more information on permissions. Hope it helps!
My wp/content folder permission was already set to 727 and my file permission to 644
I had the same problem. The trojan malware got into my PC and destroyed it. Luckily my Mac was less vulnerable, and by then I realized what was happening and changed my admin password and sql passwords. I also reinstalled the wordpress scripts. I discovered I had chmoded the admin folder to 777, I can’t remember why, but I took it back to 755. Hopefully that took care of it.
Any other suggestions?
- The topic ‘my site is redirecting to an unknown url’ is closed to new replies.