I am having this same exact issue. I am hesitant to launch my website because of it.
When I click on the link from Google or Facebook, users are redirected to: http://aozpta.mrbonus.com/. But then if I click on the link from Twitter, users are directed to my actual site (http://stellarsoundandmedia.com/).
When I go to http://mrbonus.com/, I see it’s a Dynamic DNS redirect site. I assume this is used to mask the whois record, so the culprit can’t be caught. So it seems someone has adjusted DNS settings to inject redirects in our websites. Unfortunately I haven’t been able to determine where this redirect is taking place. I’ve looked at my .htaccess file, but everything looks fine.
Does anyone else have any ideas?
Redirects to aozpta .mrbonus . com are typically done using a bit of obfuscated PHP code. The line of code will start out
eval(base64_decode(‘DQplcnJvcl9yZXBvcnRpbmcoMCk7DQ ……….
The string of seemingly random characters will be pretty long. Check your homepage, common files such as headers/footers, themes, plugins and so on for something like that.
Hi
Don’t know if you still have this issue, but this is pretty common conditional malware – the condition is waiting for the Facebook referrer then redirecting.
redleg talks to eval(base64 etc. type stuff, which is one type, but you might also want to look for things like this.
Here is an example of what I mean: http://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html
Understand that this example is not often obfuscated.
Cheers
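
An added example, not part of the thread or any poster's code: a Python scan of a web root for the `eval(base64_decode(` pattern and referrer-conditioned `.htaccess` rules described in the replies above, decoding each payload without executing it. The file extensions, finding labels and the sample tree are assumptions constructed for illustration.

```python
import base64, binascii, os, re, tempfile
from pathlib import Path

EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
HTACCESS_REF = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
HINTS = ("HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR")  # visitor-dependent conditions

def decode_payload(blob):
    """Decode the base64 argument without executing it; None if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def scan_file(path):
    """Return a list of (finding, decoded_preview) tuples for one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    if os.path.basename(path) == ".htaccess":
        return [("htaccess-referrer-condition", "")] if HTACCESS_REF.search(text) else []
    findings = []
    for match in EVAL_B64.finditer(text):
        decoded = decode_payload(match.group(1)) or ""
        conditional = any(h in decoded for h in HINTS)
        findings.append(("conditional-eval-base64" if conditional else "eval-base64", decoded[:60]))
    return findings

def scan_tree(root):
    """Walk a web root and map relative path -> findings for PHP and .htaccess files."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name == ".htaccess" or name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                if found := scan_file(path):
                    results[os.path.relpath(path, root)] = found
    return results

def build_sample_tree():
    """Constructed sample web root: one clean file, one footer with an inert encoded payload."""
    root = Path(tempfile.mkdtemp())
    blob = base64.b64encode(
        b"error_reporting(0); if (isset($_SERVER['HTTP_REFERER'])) { /* redirect */ }").decode()
    (root / "theme").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "theme" / "footer.php").write_text("<?php eval(base64_decode('%s')); ?>" % blob)
    return str(root)

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

A finding labelled `conditional-eval-base64` means the decoded payload branches on the visitor's referrer, user agent or IP address, which is why the redirect can appear from one source and not another.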