Solved WordPress Site Redirecting Sometimes to Hijacked Page
-
@scottalanmiller back it up nuke it from orbit, install clean. Install the back up on some temporary service and copy paste the text and shit over
-
THis is ridiculous, this is actually a tiny site...
-
Try migrating the site to a new host first since this is the easiest step. It probably won't resolve the issue, but it is worth a shot. You will use the backup in your next troubleshooting step anyway (see below)
Create a backup using Updraft Plus. Updraft will create individual backups for the database, uploads, plugins, etc.
Once your backup is complete build another empty wordpress site. Then restore just the DB. The DB will have the wrong URL, but Updraft Plus has a premium feature called the migrator. This will automatically update all the old URLs to reflect the new domain name.
With just the DB loaded see if you are still getting redirected. If you are, then you have a serious issue, but the good news is not all is lost since you can export pages, and you already have a backup of uploads, plugins, etc.
-
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
Does the site redirect you to an IP address or an actual domain URL?
search the database for script tags, eval( or eval ( ... or the IP address / hostname that you are being redirected to.
Depending on your Wordpress install, eval( and eval ( will generate a lot of false positives.
-
I'm stumped, but still looking. Here is the site that we are struggling with. Let me know if anyone has any ideas.
I've tried converting it to static, but even that static plugin sees the hijacked data, not the original.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
It's autogenerating false pages so it just goes on forever.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
Does the site redirect you to an IP address or an actual domain URL?
Neither. Not an actual redirect. Whatever bad is going on, it's hosted locally.
-
Apparently Google sees it also.
-
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
Yeah, but I don't see anything that would cause that to work the way that it does
-
Apache file looks normal...
-
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
-
Here's the builtwith in case it helps:
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
Search results come up blank
-
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.
test.fle.com does work though ( I noticed a js file linked there).
-
So this is what it's trying to load. But the images aren't absolute paths so they don't work.
-
Also just to make sure. Amazon DNS looks ok?
Eh nm. Stupid question.
-
Can you shut Apache down and use the Python simple http server to check that it isn't Apache?
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.
test.fle.com does work though ( I noticed a js file linked there).
This suggests that there is a detection script looking for those names and transforming things when they are present.
-
I guess you could do a find and exec grep for that other other domain name.
Do all of the modules look normal? (Or whatever wordpress calls them).