Solved WordPress Site Redirecting Sometimes to Hijacked Page
-
I'm stumped, but still looking. Here is the site that we are struggling with. Let me know if anyone has any ideas.
I've tried converting it to static, but even that static plugin sees the hijacked data, not the original.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
It's autogenerating false pages so it just goes on forever.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
Does the site redirect you to an IP address or an actual domain URL?
Neither. Not an actual redirect. Whatever bad is going on, it's hosted locally.
-
Apparently Google sees it also.
-
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
Yeah, but I don't see anything that would cause that to work the way that it does.
-
Apache file looks normal...
-
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
-
Here's the builtwith in case it helps:
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
Search results come up blank
-
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and its IP is just spinning.
test.fle.com does work though (I noticed a js file linked there).
-
So this is what it's trying to load. But the images aren't absolute paths so they don't work.
-
Also just to make sure. Amazon DNS looks ok?
Eh nm. Stupid question.
-
Can you shut Apache down and use the Python simple http server to check that it isn't Apache?
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and its IP is just spinning.
test.fle.com does work though (I noticed a js file linked there).
This suggests that there is a detection script looking for those names and transforming things when they are present.
-
I guess you could do a find and exec grep for that other domain name.
Do all of the modules look normal? (Or whatever WordPress calls them).
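The file sweep suggested above, written out as an added example (not code from the thread). It goes beyond a literal grep: since the database search for the string came back blank, it also looks for the domain in reversed and base64-encoded form, which a plain-text search would miss. The file names and contents in `demo()` are constructed.

```python
import base64
import os
import tempfile

def needle_variants(indicator):
    """Byte patterns to search for: plain, reversed and base64 forms."""
    raw = indicator.encode()
    variants = [("plain", raw), ("reversed", raw[::-1])]
    for pad in range(3):
        # Base64 output depends on the needle's byte offset modulo 3, so encode
        # it at each alignment and keep only characters fully determined by it.
        enc = base64.b64encode(b"\0" * pad + raw)
        first = (pad * 8 + 5) // 6
        last = (pad + len(raw)) * 8 // 6
        variants.append(("base64", enc[first:last]))
    return variants

def scan_tree(root, indicator):
    """Return sorted (relative path, form) pairs for files containing the indicator."""
    variants = needle_variants(indicator)
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            for form, needle in variants:
                if needle in data:
                    hits.add((os.path.relpath(path, root), form))
    return sorted(hits)

def demo(indicator="kanebo-cosmetics.co.jp"):
    """Scan a constructed three-file tree (file names and contents are made up)."""
    tag = b"<link rel='stylesheet' href='http://" + indicator.encode() + b"/constructed.css'>"
    with tempfile.TemporaryDirectory() as root:
        samples = {"header.php": tag,
                   "cache.php": b'$x = "' + base64.b64encode(tag) + b'";',
                   "clean.php": b"<?php // nothing to see"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root, indicator)

if __name__ == "__main__":
    for path, form in demo():
        print(f"{form:8} {path}")
```

Point `scan_tree()` at the web root and at a text dump of the database; a hit in base64 form marks a file or row to decode and read by hand.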
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I guess you could do a find and exec grep for that other domain name.
Do all of the modules look normal? (Or whatever WordPress calls them).
Seem normal to me. I've run scams on them, too.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I guess you could do a find and exec grep for that other domain name.
Do all of the modules look normal? (Or whatever WordPress calls them).
Seem normal to me. I've run scams on them, too.
scaMs or scaNs...
-
Is it still the case? I just browsed the site http://www.fle.com and it looks like all pages are working fine!
-
So after posting this in the wrong thread, I'll try again......
So upon further inspection, it looks like even if you go to the IP address for fle.com, everything is linked to test.fle.com. Here's a snippet of the index.html I get from visiting the IP address:
<title> Finger Lakes Environmental</title>
<link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental » Feed" href="http://test.fle.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental » Comments Feed" href="http://test.fle.com/comments/feed/" />
<meta property='og:site_name' content='Finger Lakes Environmental'/>
<meta property='og:url' content='http://test.fle.com/'/>
<meta property='og:title' content='Home'/>
<meta property='og:type' content='article'/>
<script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"http:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/test.fle.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.4"}};
!function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
</script>
<style type="text/css">
img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; }
</style>
<link rel='stylesheet' id='options_typography_Roboto-400-css' href='https://fonts.googleapis.com/css?family=Roboto:400' type='text/css' media='all' />
<link rel='stylesheet' id='options_typography_Roboto-700-css' href='https://fonts.googleapis.com/css?family=Roboto:700' type='text/css' media='all' />
<link rel='stylesheet' id='options_typography_Roboto+Slab-400-css' href='https://fonts.googleapis.com/css?family=Roboto+Slab:400' type='text/css' media='all' />
<link rel='stylesheet' id='contact-form-7-css' href='http://test.fle.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='select2-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/select2.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-layout-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=2.4.10' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-smallscreen-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=2.4.10' type='text/css' media='only screen and (max-width: 768px)' />
<link rel='stylesheet' id='woocommerce-general-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.4.10' type='text/css' media='all' />
<link rel='stylesheet' id='mediaelement-css' href='http://test.fle.com/wp-includes/js/mediaelement/mediaelementplayer.min.css?ver=2.17.0' type='text/css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css' href='http://test.fle.com/wp-includes/js/mediaelement/wp-mediaelement.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='rgs-css' href='http://test.fle.com/wp-content/themes/salient/css/rgs.css?ver=6.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-css' href='http://test.fle.com/wp-content/themes/salient/css/font-awesome.min.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='main-styles-css' href='http://test.fle.com/wp-content/themes/salient/style.css?ver=6.0.1' type='text/css' media='all' />
<!--[if lt IE 9]> <link rel='stylesheet' id='nectar-ie8-css' href='http://test.fle.com/wp-content/themes/salient/css/ie8.css?ver=4.3.4' type='text/css' media='all' /> <![endif]-->
<link rel='stylesheet' id='responsive-css' href='http://test.fle.com/wp-content/themes/salient/css/responsive.css?ver=6.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-css' href='http://test.fle.com/wp-content/themes/salient/css/woocommerce.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='js_composer_front-css' href='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/css/js_composer.css?ver=4.7.4' type='text/css' media='all' />
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var wc_add_to_cart_params = {"ajax_url":"\/wp-admin\/admin-ajax.php","wc_ajax_url":"\/?wc-ajax=%%endpoint%%","i18n_view_cart":"View Cart","cart_url":"","is_cart":"","cart_redirect_after_add":"no"};
/* ]]> */
</script>
<script type='text/javascript' src='//test.fle.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=2.4.10'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/js/vendors/woocommerce-add-to-cart.js?ver=4.7.4'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/themes/salient/js/modernizr.js?ver=2.6.2'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/bower/progress-circle/ProgressCircle.js?ver=4.3.4' class='always'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/vc_chart/jquery.vc_chart.js?ver=4.3.4' class='always'></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://test.fle.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://test.fle.com/wp-includes/wlwmanifest.xml" />
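The checks done by eye in this thread (which hosts a page pulls assets from, and how the by-hostname page differs from the by-IP page) can be scripted; this is an added example, not code from the thread. `BY_IP` is abridged from the snippet above, while `BY_NAME` and its paths are constructed for illustration, using the foreign domain reported earlier in the thread.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AssetHosts(HTMLParser):
    """Count the hosts named in href/src attributes of asset-loading tags."""
    TAGS = {"link", "script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("href", "src") and value:
                # urlsplit handles http://host/, https://host/ and //host/ forms
                host = urlsplit(value).hostname
                self.hosts[host or "(relative)"] += 1

def asset_hosts(html):
    parser = AssetHosts()
    parser.feed(html)
    parser.close()
    return parser.hosts

def new_hosts(suspect_html, baseline_html):
    """Hosts referenced in the suspect capture but absent from the baseline."""
    return sorted(set(asset_hosts(suspect_html)) - set(asset_hosts(baseline_html)))

# Baseline: lines abridged from the snippet in the post above (fetched by IP).
BY_IP = """
<link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto:400' />
<link rel='stylesheet' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/select2.css?ver=4.3.4' />
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
"""
# Suspect: constructed capture standing in for a by-hostname fetch; paths are made up.
BY_NAME = """
<link rel='stylesheet' href='http://kanebo-cosmetics.co.jp/constructed/style.css' />
<img src='images/constructed.jpg'>
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
"""

if __name__ == "__main__":
    print(asset_hosts(BY_IP).most_common())
    print(new_hosts(BY_NAME, BY_IP))
```

Save one capture per vantage point (by IP, by hostname, and with a search-engine crawler's user agent, since Google reportedly sees the junk too) and compare each against the known-good one.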