WordPress Virus Redirects Links from Facebook & Google (5 posts)

  1. aquah20
    Posted 4 years ago #

    The site is http://www.jpshealthandfitness.com.au/blog/.
    When you enter the site directly into the address bar it works fine. However, when clicking on a link from Facebook or Google search results it redirects to a random domain that changes each time.
    It's unusual because the links work for some but not others.

    I get the feeling it could be malware but I'm not sure where to start. Has anyone experienced this before and knows how to fix it?

    Thank you in advance.

  2. schoonie23
    Posted 3 years ago #

    I am having this same exact issue. I am hesitant to launch my website because of it.

    When I click on the link from Google or Facebook, users are redirected to: http://aozpta.mrbonus.com/. But then if I click on the link from Twitter, users are directed to my actual site (http://stellarsoundandmedia.com/).

    When I go to http://mrbonus.com/, I see it's a Dynamic DNS redirect site. I assume this is used to mask the whois record, so the culprit can't be caught. So it seems someone has adjusted DNS settings to inject redirects in our websites. Unfortunately, I haven't been able to determine where this redirect is taking place. I've looked at my .htaccess file, but everything looks fine.

    Does anyone else have any ideas?

  3. redleg-too
    Posted 3 years ago #

    Redirects to aozpta .mrbonus . com are typically done using a bit of obfuscated PHP code. The line of code will start out:

    eval(base64_decode('DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ ..........

    The string of seemingly random characters will be pretty long. Check your homepage, common files such as headers/footers, themes, plugins and so on for something like that.

  4. esmi
    Forum Moderator
    Posted 3 years ago #

  5. perezbox
    Sucuri.net CEO
    Posted 3 years ago #


    Don't know if you still have this issue, but this is pretty common conditional malware - the condition is waiting for the Facebook referrer then redirecting.

    redleg talks to eval(base64 etc. type stuff, which is one type, but you might also want to look for things like this.

    Here is an example of what I mean: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html

    Understand that this example is not often obfuscated.
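
The checks suggested in the replies above (search theme, plugin and header/footer files for `eval(base64_decode(` and for referrer conditions written in the clear) can be scripted. The following is an added example, not code from any poster in this thread or from Sucuri; the hint list, function names and sample file content are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

# eval(base64_decode('...')) with flexible whitespace and either quote style.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""", re.I)
# Heuristic hints of referrer-conditional redirect logic, not signatures.
HINTS = ("HTTP_REFERER", "facebook", "google", "Location:")
# Constructed sample (not from a real infection); the payload is an inert comment.
SAMPLE_PAYLOAD = "error_reporting(0); /* checks $_SERVER['HTTP_REFERER'] for facebook */"
SAMPLE = "<?php\nget_header();\neval(base64_decode('%s'));\n" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())

def decode_layers(blob, max_depth=5):
    """Base64-decode blob, unwrapping nested eval(base64_decode(...)) layers."""
    text = ""
    for _ in range(max_depth):
        blob = re.sub(r"\s+", "", blob)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:
            break  # truncated or corrupt payload: keep what decoded so far
        text = raw.decode("utf-8", "replace")
        inner = EVAL_B64.search(text)
        if not inner:
            break
        blob = inner.group(2)
    return text

def scan_text(php_source):
    """Return sorted findings as (line_number, kind, matched_hints) tuples."""
    findings = []
    for m in EVAL_B64.finditer(php_source):
        decoded = decode_layers(m.group(2)).lower()
        hits = [h for h in HINTS if h.lower() in decoded]
        line = php_source.count("\n", 0, m.start()) + 1
        findings.append((line, "eval_base64", hits))
    # Unobfuscated variant: a referrer check written in the clear.
    for n, text in enumerate(php_source.splitlines(), 1):
        if "HTTP_REFERER" in text:
            findings.append((n, "plain_referer", ["HTTP_REFERER"]))
    return sorted(findings)

def scan_tree(root):
    """Scan every .php file under root, e.g. an offline copy of the site."""
    return {str(p): f for p in Path(root).rglob("*.php")
            if (f := scan_text(p.read_text(encoding="utf-8", errors="replace")))}
```

A `plain_referer` finding is only a lead for manual review, since legitimate plugins also read the referrer; an `eval_base64` finding whose decoded text mentions the referrer or a `Location:` header deserves a closer look first.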


Topic Closed

This topic has been closed to new replies.
