Solved WordPress Site Redirecting Sometimes to Hijacked Page
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site, get the bad page, grab the file name of one of the files it's loading, and then grep it?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
The bad page does not have any images or anything else that you could get the file names of their local resources to try and find?
No images, all image links point back to the URL of the site we are on. Can't find any resource on it. Nothing but text loads, and it only comes up when you go to the default page.
-
@scottalanmiller back it up, nuke it from orbit, install clean. Install the backup on some temporary service and copy and paste the text and shit over.
-
This is ridiculous, this is actually a tiny site...
-
Try migrating the site to a new host first since this is the easiest step. It probably won't resolve the issue, but it is worth a shot. You will use the backup in your next troubleshooting step anyway (see below).
Create a backup using Updraft Plus. Updraft will create individual backups for the database, uploads, plugins, etc.
Once your backup is complete, build another empty WordPress site. Then restore just the DB. The DB will have the wrong URL, but Updraft Plus has a premium feature called the migrator. This will automatically update all the old URLs to reflect the new domain name.
With just the DB loaded, see if you are still getting redirected. If you are, then you have a serious issue, but the good news is not all is lost since you can export pages, and you already have a backup of uploads, plugins, etc.
-
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
Does the site redirect you to an IP address or an actual domain URL?
Search the database for script tags, eval( or eval ( ... or the IP address / hostname that you are being redirected to.
Depending on your WordPress install, eval( and eval ( will generate a lot of false positives.
-
I'm stumped, but still looking. Here is the site that we are struggling with. Let me know if anyone has any ideas.
I've tried converting it to static, but even that static plugin sees the hijacked data, not the original.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
It definitely sounds like the scripts are in the database... 58k files does seem a bit high for a small site, but I've seen more.
It's autogenerating false pages so it just goes on forever.
-
@dafyre said in WordPress Site Redirecting Sometimes to Hijacked Page:
Does the site redirect you to an IP address or an actual domain URL?
Neither. Not an actual redirect. Whatever bad is going on, it's hosted locally.
-
Apparently Google sees it also.
-
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
Yeah, but I don't see anything that would cause that to work the way that it does.
-
Apache file looks normal...
-
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
-
Here's the builtwith in case it helps:
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
Search results come up blank.
-
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and its IP is just spinning.
test.fle.com does work though (I noticed a js file linked there).
-
So this is what it's trying to load. But the images aren't absolute paths so they don't work.
-
Also just to make sure. Amazon DNS looks ok?
Eh nm. Stupid question.
-
Can you shut Apache down and use the Python simple http server to check that it isn't Apache?
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and its IP is just spinning.
test.fle.com does work though (I noticed a js file linked there).
This suggests that there is a detection script looking for those names and transforming things when they are present.
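
The following is an added example, not part of the thread or any participant's code: one way to hunt on disk for the kind of hostname-detection script suggested above, given that the database search came up blank. It flags PHP and .htaccess files that both inspect the request (Host, user agent, referrer) and call eval-style functions, which cuts down the false positives that searching for eval( alone produces, and it also matches the hostname seen in developer tools. The function names, sample tree, and `example.test` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Request fields a content-swapping script would branch on.
REQUEST_KEYS = re.compile(r"HTTP_HOST|SERVER_NAME|HTTP_USER_AGENT|HTTP_REFERER")
# Dynamic execution / decoding calls; common in legitimate code, so only a signal.
DYNAMIC = re.compile(r"\b(?:eval|assert|create_function|base64_decode|gzinflate|str_rot13)\s*\(")

def scan_tree(root, indicators=()):
    """Return {relative_path: [reasons]} for PHP/.htaccess files worth a manual look."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in {".php", ".phtml", ".inc"} and path.name != ".htaccess":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        reasons = [f"indicator:{s}" for s in indicators if s.lower() in text.lower()]
        # eval( alone is noisy; require it in a file that also inspects the request.
        if REQUEST_KEYS.search(text) and DYNAMIC.search(text):
            reasons.append("request-conditional dynamic code")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample files standing in for a WordPress document root."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "cache").mkdir(parents=True)
    # Harmless decode call with no request inspection: should not be flagged.
    (root / "wp-includes" / "legit.php").write_text("<?php $x = base64_decode($stored); ?>")
    # Constructed stand-in: branches on the Host header, then runs decoded data.
    (root / "wp-content" / "plugins" / "cache" / "loader.php").write_text(
        "<?php if (strpos($_SERVER['HTTP_HOST'], 'example.test') !== false) "
        "{ eval(base64_decode($blob)); } ?>")
    # Template fragment referencing the hostname seen in developer tools.
    (root / "wp-content" / "footer.inc").write_text(
        '<link rel="stylesheet" href="//kanebo-cosmetics.co.jp/a.css">')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_tree(build_sample_tree(tmp), ["kanebo-cosmetics.co.jp"])
        for name, why in hits.items():
            print(name, why)
```

On a real server, call `scan_tree` on the document root; an obfuscated indicator string will not match literally, so the request-conditional rule is the more useful of the two.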