    Solved WordPress Site Redirecting Sometimes to Hijacked Page

    IT Discussion
    wordpress security

    • scottalanmiller

      Working on a customer WordPress instance that has been hijacked recently. Their previous IT had them host on AWS and run their own system and did not maintain it. So when we got it it was already hijacked and nothing was updated. Everything has been fixed in that arena and now we are trying to track down the issue.

      What makes it hard is that the redirection to the other page only happens sometimes and only to some people. There isn't much consistency. The site, when it happens, redirects to a weird site in Japanese that doesn't load properly. So the hijack appears to be partial.

      We are struggling to track down the redirect, though. It's not consistent and we can't find anything in the .htaccess files. We've failed to locate anything in the header files or anything. We have used Sucuri and similar scans and nothing has come up. And DNS looks clean.

      Anyone have a good idea of where to start?

      Pinging @irj specifically, as well. And @Mike-Davis as he's been working on it as well.

      • stacksofplates

        What's in your index.php file?

        • travisdh1 @scottalanmiller

          Gah, the dreaded random event diagnostic! I take it that the random redirect happens to everyone? Is it a site some other people could look at and reload just to see when/if it happens to them?

          • scottalanmiller @travisdh1

            @travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:

            Gah, the dreaded random event diagnostic! I take it that the random redirect happens to everyone? Is it a site some other people could look at and reload just to see when/if it happens to them?

            Nope, not to everyone. I went to the site via IP address first and so the redirect seems to never happen to me from my Linux laptop, regardless of browser. But my Linux terminal server sees the redirect.

            • scottalanmiller

              [Screenshot from 2016-10-27 19-08-46.png]

              • MattSpeller @scottalanmiller

                @scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                Nope, not to everyone. I went to the site via IP address first and so the redirect seems to never happen to me from my Linux laptop, regardless of browser. But my Linux terminal server sees the redirect.

                That's pretty interesting all on its own. Cool problem.

                • travisdh1 @MattSpeller

                  @MattSpeller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                  That's pretty interesting all on its own. Cool problem.

                  Yeah, when you're not the one that has to fix it!

                  • scottalanmiller @MattSpeller

                    @MattSpeller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                    That's pretty interesting all on its own. Cool problem.

                    LOL, yeah. VERY hard for me to confirm when things are broken or fixed. And at one point it acted fixed for everyone, so they all thought that it got fixed after I did tons of updates and cleanup.

                    • JaredBusch @scottalanmiller

                      @scottalanmiller assuming this is running on Apache, can you not find anything in the logs when the page's getting referred?

                      • scottalanmiller @JaredBusch

                        @JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:

                        @scottalanmiller assuming this is running on Apache, can you not find anything in the logs when the page's getting referred?

                        Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.

                        • JaredBusch @scottalanmiller

                          @scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                          Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.

                          Oh I've seen that before, it's just a folder with a shit ton of randomly named HTML and image files. I've never seen it via WordPress, only older websites with the cPanel vulnerabilities.

                          • travisdh1 @JaredBusch

                            @JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:

                            Oh I've seen that before, it's just a folder with a shit ton of randomly named HTML and image files. I've never seen it via WordPress, only older websites with the cPanel vulnerabilities.

                            Sounds very much like a code injection we had years back, yep.

                            • scottalanmiller @travisdh1

                              @travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:

                              Sounds very much like a code injection we had years back, yep.

                              Yeah, I'm worried that it is in the database somewhere. That would suck big time.

                              At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.

                              • travisdh1 @scottalanmiller

                                @scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                Yeah, I'm worried that it is in the database somewhere. That would suck big time.

                                At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.

                                Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
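
The live-versus-known-good comparison travisdh1 describes, as an added example that is not part of the original thread. It assumes a clean reference tree is available (with no backup, a fresh copy of the same WordPress release can stand in for core files); the sample trees and file names are constructed.

```shell
#!/bin/sh
# Added example: compare a live web root against a clean reference tree.
# Output: one "STATUS<TAB>relative/path" line per difference.
#   MODIFIED  file exists in both trees but the bytes differ
#   ADDED     file exists only in the live tree
#   MISSING   file exists only in the reference tree
compare_trees() {
    live=$1; ref=$2
    (cd "$live" && find . -type f | LC_ALL=C sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$ref/$rel" ]; then
            printf 'ADDED\t%s\n' "$rel"
        elif ! cmp -s "$live/$rel" "$ref/$rel"; then
            printf 'MODIFIED\t%s\n' "$rel"
        fi
    done
    (cd "$ref" && find . -type f | LC_ALL=C sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$live/$rel" ] || printf 'MISSING\t%s\n' "$rel"
    done
    return 0
}

# Constructed sample: a "clean" tree and a "live" tree that differs from it.
make_sample_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-includes" "$d/live/wp-includes" \
             "$d/live/wp-content/uploads"
    echo '<?php require "wp-blog-header.php";' > "$d/clean/index.php"
    echo '<?php // core loader'                > "$d/clean/wp-includes/load.php"
    echo '<?php // login page'                 > "$d/clean/wp-login.php"
    # Unchanged core file.
    cp "$d/clean/wp-includes/load.php" "$d/live/wp-includes/load.php"
    # index.php with one extra line in front (stand-in for an injected line).
    { echo '<?php // constructed extra line'; cat "$d/clean/index.php"; } \
        > "$d/live/index.php"
    # A PHP file that the reference tree does not contain.
    echo '<?php // constructed' > "$d/live/wp-content/uploads/x7f3.php"
    echo "$d"
}

sample=$(make_sample_trees)
compare_trees "$sample/live" "$sample/clean"
rm -rf "$sample"
```

Against a fresh WordPress download, everything under wp-content and wp-config.php will be reported as ADDED because it is site-specific, so those entries need a manual look rather than an automatic verdict.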

                                • scottalanmiller @travisdh1

                                  @travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                  Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.

                                  We just took over as their IT.... no backups, no original files, nothing.

                                  • scottalanmiller

                                    And the previous company won't even respond.

                                    • JaredBusch

                                      Did you browse /var/www/html for random stuff??

                                      If it is local, it is probably there.

                                      Forget about WordPress piece for a minute.

                                      • scottalanmiller @JaredBusch

                                        @JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                        Did you browse /var/www/html for random stuff??

                                        If it is local, it is probably there.

                                        Forget about WordPress piece for a minute.

                                        There is only the wordpress folder in there and I've looked through it a bit.

                                        • travisdh1 @scottalanmiller

                                          @scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                          We just took over as their IT.... no backups, no original files, nothing.

                                          Well, that's gonna be fun to find 😞

                                          • scottalanmiller @travisdh1

                                            @travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                            Well, that's gonna be fun to find 😞

                                            Welcome to my personal hell.

                                            • JaredBusch @scottalanmiller

                                              @scottalanmiller have you had somebody go to the site, get the bad page, grab the file name of one of the files it's loading, and then grep it?
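
The grep suggested above, as an added example that is not part of the original thread. It goes a little further than the post by also checking on-disk file names and, since the thread worries the injection may live in the database, a SQL dump; the dump is assumed to be in mysqldump's INSERT INTO `table` format, and the asset name, paths and dump rows are constructed.

```shell
#!/bin/sh
# Added example: hunt for a file name seen on the hijacked page.
# hunt_name ROOT NAME [SQL_DUMP]
#   NAME     a path under ROOT contains the string
#   CONTENT  a file under ROOT mentions the string
#   DB       table in the dump with matching INSERT lines, and how many
hunt_name() {
    root=$1; name=$2; dump=${3:-}
    # grep -F treats the name as a literal string, not a regex.
    find "$root" -print | grep -F -- "$name" |
    while IFS= read -r p; do printf 'NAME\t%s\n' "$p"; done

    grep -rlF -- "$name" "$root" |
    while IFS= read -r p; do printf 'CONTENT\t%s\n' "$p"; done

    if [ -n "$dump" ] && [ -f "$dump" ]; then
        grep -F -- "$name" "$dump" |
        sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' | sort | uniq -c |
        while read -r n table; do printf 'DB\t%s\t%s\n' "$table" "$n"; done
    fi
    return 0
}

# Constructed sample: a small web root plus a two-line SQL dump.
make_hunt_sample() {
    d=$(mktemp -d)
    wp="$d/html/wordpress"
    mkdir -p "$wp/wp-content/uploads/2016/k3v9" "$wp/wp-includes"
    echo 'constructed placeholder image' \
        > "$wp/wp-content/uploads/2016/k3v9/q8zt1.jpg"
    echo '<?php // constructed: refers to k3v9/q8zt1.jpg' \
        > "$wp/wp-includes/class-x.php"
    echo '<?php // untouched' > "$wp/index.php"
    cat > "$d/dump.sql" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'widget_text','<img src="/k3v9/q8zt1.jpg">');
INSERT INTO `wp_posts` VALUES (1,'Hello world');
EOF
    echo "$d"
}

sample=$(make_hunt_sample)
hunt_name "$sample/html" "q8zt1.jpg" "$sample/dump.sql"
rm -rf "$sample"
```

A NAME hit with no CONTENT hit means the files are on disk but whatever links to them is generated elsewhere, which is when the DB lines are worth following up.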
