Solved WordPress Site Redirecting Sometimes to Hijacked Page
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
Did you browse /var/www/html for random stuff??
If it is local, it is probably there.
Forget about WordPress piece for a minute.
There is only the wordpress folder in there and I've looked through it a bit.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
We just took over as their IT.... no backups, no original files, nothing.
Well, that's gonna be fun to find
-
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
We just took over as their IT.... no backups, no original files, nothing.
Well, that's gonna be fun to find
Welcome to my personal hell.
-
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
-
This is going to take a while...
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
The bad page does not have any images or anything else that you could get the file names of their local resources to try and find?
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
The bad page does not have any images or anything else that you could get the file names of their local resources to try and find?
No images, all image links point back to the URL of the site we are on. Can't find any resource on it. Nothing but text loads, and it only comes up when you go to the default page.
-
@scottalanmiller back it up nuke it from orbit, install clean. Install the back up on some temporary service and copy paste the text and shit over
-
THis is ridiculous, this is actually a tiny site...
-
Try migrating the site to a new host first since this is the easiest step. It probably won't resolve the issue, but it is worth a shot. You will use the backup in your next troubleshooting step anyway (see below)
Create a backup using Updraft Plus. Updraft will create individual backups for the database, uploads, plugins, etc.
Once your backup is complete build another empty wordpress site. Then restore just the DB. The DB will have the wrong URL, but Updraft Plus has a premium feature called the migrator. This will automatically update all the old URLs to reflect the new domain name.
With just the DB loaded see if you are still getting redirected. If you are, then you have a serious issue, but the good news is not all is lost since you can export pages, and you already have a backup of uploads, plugins, etc.
-
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
Does the site redirect you to an IP address or an actual domain URL?
search the database for script tags, eval( or eval ( ... or the IP address / hostname that you are being redirected to.
Depending on your Wordpress install, eval( and eval ( will generate a lot of false positives.
-
I'm stumped, but still looking. Here is the site that we are struggling with. Let me know if anyone has any ideas.
I've tried converting it to static, but even that static plugin sees the hijacked data, not the original.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
It's autogenerating false pages so it just goes on forever.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
Does the site redirect you to an IP address or an actual domain URL?
Neither. Not an actual redirect. Whatever bad is going on, it's hosted locally.
-
Apparently Google sees it also.
-
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
Yeah, but I don't see anything that would cause that to work the way that it does
-
Apache file looks normal...
-
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?