Solved WordPress Site Redirecting Sometimes to Hijacked Page
-
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I see the same thing. If I use IP address, it's fine. Hostname shows all of the junk.
Yeah, but I don't see anything that would cause that to work the way that it does
-
Apache file looks normal...
-
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
-
Here's the builtwith in case it helps:
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.
Can you search MariaDB (or MySQL) for that string?
Search results come up blank
-
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.
test.fle.com does work though ( I noticed a js file linked there).
-
So this is what it's trying to load. But the images aren't absolute paths so they don't work.
-
Also just to make sure. Amazon DNS looks ok?
Eh nm. Stupid question.
-
Can you shut Apache down and use the Python simple http server to check that it isn't Apache?
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.
test.fle.com does work though ( I noticed a js file linked there).
This suggests that there is a detection script looking for those names and transforming things when they are present.
-
I guess you could do a find and exec grep for that other other domain name.
Do all of the modules look normal? (Or whatever wordpress calls them).
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I guess you could do a find and exec grep for that other other domain name.
Do all of the modules look normal? (Or whatever wordpress calls them).
Seem normal to me. I've run scams on them, too.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
I guess you could do a find and exec grep for that other other domain name.
Do all of the modules look normal? (Or whatever wordpress calls them).
Seem normal to me. I've run scams on them, too.
scaMs or scaNs...
-
Is it still the case, i just browsed the site http://www.fle.com and looks like all pages are working fine!
-
So after posting this in the wrong thread, I'll try again......
So upon further inspection, it looks like even if you go to the IP address for fle.com, everything is linked to test.fle.com. Here's a snippet of the index.html I get from visiting the IP address:
<title> Finger Lakes Environmental</title> <link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental » Feed" href="http://test.fle.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental » Comments Feed" href="http://test.fle.com/comments/feed/" /> <meta property='og:site_name' content='Finger Lakes Environmental'/><meta property='og:url' content='http://test.fle.com/'/><meta property='og:title' content='Home'/><meta property='og:type' content='article'/> <script type="text/javascript"> window._wpemojiSettings = {"baseUrl":"http:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/test.fle.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.4"}}; !function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings); </script> <style type="text/css"> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='options_typography_Roboto-400-css' href='https://fonts.googleapis.com/css?family=Roboto:400' type='text/css' media='all' /> <link rel='stylesheet' id='options_typography_Roboto-700-css' href='https://fonts.googleapis.com/css?family=Roboto:700' type='text/css' media='all' /> <link rel='stylesheet' id='options_typography_Roboto+Slab-400-css' href='https://fonts.googleapis.com/css?family=Roboto+Slab:400' type='text/css' media='all' /> <link rel='stylesheet' id='contact-form-7-css' href='http://test.fle.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' /> <link rel='stylesheet' id='select2-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/select2.css?ver=4.3.4' type='text/css' media='all' /> <link rel='stylesheet' id='woocommerce-layout-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=2.4.10' type='text/css' media='all' /> <link rel='stylesheet' id='woocommerce-smallscreen-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=2.4.10' type='text/css' media='only screen and (max-width: 768px)' /> <link rel='stylesheet' id='woocommerce-general-css' href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.4.10' type='text/css' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='http://test.fle.com/wp-includes/js/mediaelement/mediaelementplayer.min.css?ver=2.17.0' type='text/css' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='http://test.fle.com/wp-includes/js/mediaelement/wp-mediaelement.css?ver=4.3.4' type='text/css' media='all' /> <link rel='stylesheet' id='rgs-css' href='http://test.fle.com/wp-content/themes/salient/css/rgs.css?ver=6.0.1' type='text/css' media='all' /> <link rel='stylesheet' id='font-awesome-css' href='http://test.fle.com/wp-content/themes/salient/css/font-awesome.min.css?ver=4.3.4' type='text/css' media='all' /> <link rel='stylesheet' id='main-styles-css' href='http://test.fle.com/wp-content/themes/salient/style.css?ver=6.0.1' type='text/css' media='all' /> <!--[if lt IE 9]> <link rel='stylesheet' id='nectar-ie8-css' href='http://test.fle.com/wp-content/themes/salient/css/ie8.css?ver=4.3.4' type='text/css' media='all' /> <![endif]--> <link rel='stylesheet' id='responsive-css' href='http://test.fle.com/wp-content/themes/salient/css/responsive.css?ver=6.0.1' type='text/css' media='all' /> <link rel='stylesheet' id='woocommerce-css' href='http://test.fle.com/wp-content/themes/salient/css/woocommerce.css?ver=4.3.4' type='text/css' media='all' /> <link rel='stylesheet' id='js_composer_front-css' href='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/css/js_composer.css?ver=4.7.4' type='text/css' media='all' /> <script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script> <script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script> <script type='text/javascript'> /* <![CDATA[ */ var wc_add_to_cart_params = {"ajax_url":"\/wp-admin\/admin-ajax.php","wc_ajax_url":"\/?wc-ajax=%%endpoint%%","i18n_view_cart":"View Cart","cart_url":"","is_cart":"","cart_redirect_after_add":"no"}; /* ]]> */ </script> <script type='text/javascript' src='//test.fle.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=2.4.10'></script> <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/js/vendors/woocommerce-add-to-cart.js?ver=4.7.4'></script> <script type='text/javascript' src='http://test.fle.com/wp-content/themes/salient/js/modernizr.js?ver=2.6.2'></script> <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/bower/progress-circle/ProgressCircle.js?ver=4.3.4' class='always'></script> <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/vc_chart/jquery.vc_chart.js?ver=4.3.4' class='always'></script> <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://test.fle.com/xmlrpc.php?rsd" /> <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://test.fle.com/wp-includes/wlwmanifest.xml" />
-
What's in your index.php file?
-
Also, what's in the header.php file of your salient theme?
-
@stacksofplates yes, the test site is a separate website on the same machine.
-
@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:
What's in your index.php file?
I've looked through it before and must have just been stupid. There it was, a URLDECODE right in the middle. That was it!