WordPress.org


WordPress Site Redirects To Porn On iPad (8 posts)

  1. robnilas
    Member
    Posted 9 months ago #

    Hi
    How are things today? I hope all is going well...

    I have started getting a bit of a problem with some redirects on devices [iPad, iPhone, Android] to a porn site [looks like a porn version of Instagram...], which normally happens the 1st time that you visit the site...

    I have found some extra <?php code on index.php, header.php, and functions.php very similar to this:

    from Just MOE
    Encoded Launch Code embedded in your PHP pages (variables are different on each page, so search for the "<?php (and 20+ spaces)"
    http://ideone.com/73pfAL

    Decoded Hack
    http://ideone.com/MEg3wO

    I have used Wordfence to find the infected files, but the problem is still there... I have checked all the .htaccess files and they look clean. I have run the site on Sucuri and it shows clean of malware...

    Has anyone had/got the same problem and knows how to clean it?

    All the best,

  2. Mark (podz)
    Support Maven
    Posted 9 months ago #

    Did you follow all of these steps?
    http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. Dave Naylor
    Member
    Posted 9 months ago #

    I deloused a system last week that had this particular infection. It seemed to restrict itself to files inside wp-content/ other than the wp-config.php file. It was attracted to many files named index.php as well as several theme and plugin files.

    I noticed that the infected files were all over 24K in size so I ran the Linux find command to find files over that size and piped the resulting files to less, ignoring image files:

    find . -type f -name "*.php" \( ! -name "*.png" -a ! -name "*.jpg" -a ! -name "*.mo" \) -size +24k -exec less {} \;

    I ran a few variations on the file extension just to be sure.

    I also found the files with the name ".. " which you could easily miss. Again I used find to find them :)

    find . -type f -name ".. "

    I also ran diff checks over themes, plugins and core files to see if there were any changes anywhere else.

  4. robnilas
    Member
    Posted 9 months ago #

    @Mark (podz) Thanks, I will have a look at those points...

    @Dave Naylor you are right there, I forgot about the file ".." in the root, and I have found the PHP code not only in the WP installation... How have you cleaned it?.. Just deleting line 1 of the infected file?... Have you found any backdoor or the main source?

  5. Dave Naylor
    Member
    Posted 9 months ago #

    I replaced any files I found with clean originals. I also replaced every WordPress core file and re-did the wp-config files.

    As for the ".. " files, note the space at the third character.
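
The checks described in this thread (PHP files over 24K, files named ".. " with the trailing space, diffs against clean originals, and the "<?php" followed by 20+ spaces pattern quoted in the first post), collected into one read-only script. This is an added example, not code posted by anyone in the thread; the function names, the `--demo` flag and the constructed sample tree are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): read-only triage for the indicators
# the posters describe. It only lists files; it never edits or deletes them.

# 1. PHP files over a size threshold (thread: infected files were all over 24K).
find_large_php() {            # $1 = root dir, $2 = threshold in KiB
    find "$1" -type f -name '*.php' -size +"${2:-24}"k -print
}

# 2. Files literally named ".. " (dot, dot, space), easy to miss in listings.
find_dotdot_space() {         # $1 = root dir
    find "$1" -type f -name '.. ' -print
}

# 3. PHP files where "<?php" is followed by 20+ spaces or tabs, the padding
#    that pushes the injected code out of view in an editor.
find_padded_open_tag() {      # $1 = root dir
    find "$1" -type f -name '*.php' -exec grep -lE '<\?php[[:blank:]]{20,}' {} + || true
}

# 4. Files that differ from, or are missing in, a clean copy.
#    Assumption: $2 is a freshly unpacked copy of the same release.
diff_against_clean() {        # $1 = live dir, $2 = clean dir
    diff -rq "$1" "$2" || true
}

# Constructed sample tree for a dry run (marker text only, no real payload).
make_sample_tree() {          # prints the path of the temp dir it creates
    d=$(mktemp -d)
    mkdir -p "$d/themes/x"
    printf '<?php echo "ok";\n' > "$d/themes/x/clean.php"
    printf '<?php%40s/* constructed marker */ ?>\n' '' > "$d/themes/x/header.php"
    head -c 30000 /dev/zero | tr '\0' 'a' > "$d/themes/x/big.php"
    : > "$d/.. "
    echo "$d"
}

scan() {                      # $1 = live dir, $2 = optional clean dir
    echo "== PHP files over 24K";           find_large_php "$1" 24
    echo "== files named '.. '";            find_dotdot_space "$1"
    echo "== '<?php' + 20 or more blanks";  find_padded_open_tag "$1"
    if [ -n "${2:-}" ]; then
        echo "== differs from clean copy";  diff_against_clean "$1" "$2"
    fi
}

# Usage: ./triage.sh wp-content [clean/wp-content]   or   ./triage.sh --demo
if [ "${1:-}" = --demo ]; then set -- "$(make_sample_tree)"; fi
if [ "$#" -ge 1 ]; then scan "$@"; fi
```

A size threshold and a padding pattern are heuristics for this one infection, so the diff against a clean copy is the check that catches changes the first three miss.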

  6. Daniel Cid
    Sucuri.net Support
    Posted 9 months ago #

    @robnilas: What is the site in question? Can you send it over (even if in private)? I would love to take a look and see why our sitecheck scanner missed it.

    thanks,

  7. robnilas
    Member
    Posted 9 months ago #

    @daniel to protect the client id I have sent you a private msg to your username...

  8. robnilas
    Member
    Posted 9 months ago #

    @Dave THANKS for the help!! I have done most of that, but I was missing the "re-did the wp-config" ...
