27.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

05-01-2013, 12:11 PM
Post: #1
Wordpress Blog redirecting to different websites
<body class="home blog logged-in admin-bar sn-c-sw customize-support">


<div id="fb9735872" style="display:none;">


</div><div style="position:absolute; top:-99999px;">
<a href="http://www.nailpolishrack.me/nail-polish-wall-racks/" title="Nail Polish Wall Rack"><h1>Nail Polish Wall Rack</h1></a>
<a href="http://www.emergencylightsunlimited.com/police-lights.html" title="Police Lights"><h1>Police Lights</h1></a>
<a href="http://www.rentacarcouponcodes.com/" title="Hertz Coupon Code"><h1>Hertz Coupon Code</h1></a>
<a href="http://showmoviesonline.net/" title="Watch free movies online"><h1>Watch free movies Online</h1></a>
<a href="http://showmoviesonline.net/movies" title="Watch Movies Online"><h1>Watch Movies Online</h1></a>
<a href="http://showmoviesonline.net/tv-shows" title="Watch TV Shows Online"><h1>Watch TV Shows Online</h1></a>
<a href="http://www.gel-nailpolish.com" title="Gel Nail Polish"><h1>Gel Nail Polish</h1></a>
<a href="http://www.gel-nailpolish.com/opi" title="OPI Nail Polish"><h1>OPI Nail Polish</h1></a>
<a href="http://www.nailpolishrack.me/" title="Nail Polish Rack"><h1>Nail Polish Rack</h1></a>




[font=Consolas, Lucida Console, monospace]This is in the code on my blog and its been redirecting me to braffic.com and now my site has random pop up ads, anyone know what this is and how i can get rid of it. Could it be the theme? or a plug in?[/font]
05-01-2013, 12:13 PM (This post was last modified: 05-01-2013 12:15 PM by webimp.)
Post: #2
RE:
Try using security plugins, you may have infected plug or theme.
deactivate plugins on at a time find infect.
05-01-2013, 01:18 PM
Post: #3
RE:
Sounds like you have an infected theme or plugin, these wordpress plugins might help you find the culprit

http://wordpress.org/extend/plugins/exploit-scanner/

http://wordpress.org/extend/plugins/tac/

http://wordpress.org/extend/plugins/wp-p...ity-check/
05-01-2013, 02:16 PM
Post: #4
RE:
Head injection.
05-01-2013, 03:35 PM
Post: #5
RE:
More than likely, the method they used to get into your wordpress site, is due to the TimThumb exploit. It is an image caching script, used by a lot of Wordpress themes and plugins! You can find the latest timthumb code posted on Google's code repository. You find any/all timthumb.php files in your site and replace their source code with the one Google has for it. Once you have patched the timthumb's, clear it's cache, which is usually a "temp" or "cache" folder located in the same directory as the timthumb script. They probably have a backdoor or injection script in there, masked as an image. So just delete them all (except for a .htaccess file if you have one in there). Once patched, and injection site cleaned... search your entire site, folder by folder, looking for suspicious files. They will normally place a backdoor, hidden deep in your site so they can get back in at any time later. They can control almost everything from there lol, or reverse connect and control your server through SSH. Possibly find a local root exploit, and "root" your server.. Meaning hack to root user, and own the server lol.

Also have your host (if you don't know how) to search the upper directories for backdoors, signs up exploit uploads, perl script, back-connects, bind scripts, anything that a hacker could put on there.. Usually they move to the servers tmp directory, create a folder named "." so you may overlook it, and do all their hacking in there.

There are scripts to run both for wordpress and for linux servers. Your server may be sitting on some kids "IRC" lol
48.gif
05-01-2013, 03:39 PM
Post: #6
RE:
Oh.. and cleanup the injected code from the php files.. Sometimes they only inject within a specific folder, other times its a mess and in EVERY php file in the user's path!

There are some commands, and scripts, to search for the base64 encode "injection" code.. I had a mess because it ruined a chunk of php files in the process.. I think it was mainly, legit encoded scripts, it got confused.. so an automated script may not be the way to go... use SSH and connect to the box.. there is a command to search for all php files that contain "xxxxx" where xxxx is the injection code sample (not all of it lol).. You get a list of ALL the infected files, print the list out.. and go to each one and remove the injection.. Most reliable way.. Sucks when you have a dozen sites under 1 cpanel user or something, and theres literally THOUSANDS to clean up, so a script would be maybe better and cleanup any broken sites/code afterwards? This is exactly why I don't put anymore than 2-3 domains on 1 cpanel account. I login to WHM, create a new user and run 2-3 on it.. usually they only can access the user's account when they get in, keeping all your other sites on different accounts safe...
05-02-2013, 04:27 AM
Post: #7
RE:
(05-01-2013 03:35 PM)CyberPunk Wrote:  More than likely, the method they used to get into your wordpress site, is due to the TimThumb exploit. It is an image caching script, used by a lot of Wordpress themes and plugins! You can find the latest timthumb code posted on Google's code repository. You find any/all timthumb.php files in your site and replace their source code with the one Google has for it. Once you have patched the timthumb's, clear it's cache, which is usually a "temp" or "cache" folder located in the same directory as the timthumb script. They probably have a backdoor or injection script in there, masked as an image. So just delete them all (except for a .htaccess file if you have one in there). Once patched, and injection site cleaned... search your entire site, folder by folder, looking for suspicious files. They will normally place a backdoor, hidden deep in your site so they can get back in at any time later. They can control almost everything from there lol, or reverse connect and control your server through SSH. Possibly find a local root exploit, and "root" your server.. Meaning hack to root user, and own the server lol.

Also have your host (if you don't know how) to search the upper directories for backdoors, signs up exploit uploads, perl script, back-connects, bind scripts, anything that a hacker could put on there.. Usually they move to the servers tmp directory, create a folder named "." so you may overlook it, and do all their hacking in there.

There are scripts to run both for wordpress and for linux servers. Your server may be sitting on some kids "IRC" lol
Thanks for sharing this info
[Image: ban8.jpg]
05-02-2013, 04:38 PM
Post: #8
RE:
WP_indexer nulled ,I met the same problem
05-03-2013, 02:15 AM
Post: #9
RE:
what i found is that i downloaded UberMenu from someone here and it put that code in my header, now my website keeps redirecting to this stupid ass braffic.com website and im getting popups. This is really annoying and its killing my sites traffic, so I'm just gonna pay for the UberMenu hopefully that will stop the redirects
05-04-2013, 12:13 AM
Post: #10
RE:
ok so in the UberMenu files we found some code injected in a php-file called "TipTour.class.php". This file is included in the plugin "Uber Menu".

In the file, a function named wp__head() was injected which injects some javascript into the "<head>" of your page. If any of you know how to remove the injected code, let me know, You should look for a function named "wp__head". It uses cURL to query the website "jqury.net", so you should be able to search for that.

In my case, it was only the "TipTour.class.php"-file that was infected.
23.gif




71.gif