WordPress Site Redirecting Sometimes to Hijacked Page

stacksofplates

Here's the builtwith in case it helps:

scottalanmiller

@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.

Can you search MariaDB (or MySQL) for that string?

Search results come up blank

stacksofplates

The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.

test.fle.com does work though ( I noticed a js file linked there).

stacksofplates

So this is what it's trying to load. But the images aren't absolute paths so they don't work.

http://www.kanebo-cosmetics.co.jp/

stacksofplates

Also just to make sure. Amazon DNS looks ok?

Eh nm. Stupid question.

stacksofplates

Can you shut Apache down and use the Python simple http server to check that it isn't Apache?

scottalanmiller

@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.

test.fle.com does work though ( I noticed a js file linked there).

This suggests that there is a detection script looking for those names and transforming things when they are present.

stacksofplates

I guess you could do a find and exec grep for that other other domain name.

Do all of the modules look normal? (Or whatever wordpress calls them).

scottalanmiller

@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

I guess you could do a find and exec grep for that other other domain name.

Do all of the modules look normal? (Or whatever wordpress calls them).

Seem normal to me. I've run scams on them, too.

gjacobse

@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

I guess you could do a find and exec grep for that other other domain name.

Do all of the modules look normal? (Or whatever wordpress calls them).

Seem normal to me. I've run scams on them, too.

scaMs or scaNs...

Ambarishrh

Is it still the case, i just browsed the site http://www.fle.com and looks like all pages are working fine!

stacksofplates

So after posting this in the wrong thread, I'll try again......

So upon further inspection, it looks like even if you go to the IP address for fle.com, everything is linked to test.fle.com. Here's a snippet of the index.html I get from visiting the IP address:

<title>  Finger Lakes Environmental</title>

<link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental &raquo; Feed" href="http://test.fle.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental &raquo; Comments Feed" href="http://test.fle.com/comments/feed/" />
<meta property='og:site_name' content='Finger Lakes Environmental'/><meta property='og:url' content='http://test.fle.com/'/><meta property='og:title' content='Home'/><meta property='og:type' content='article'/>		<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"http:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/test.fle.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.4"}};
			!function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
<link rel='stylesheet' id='options_typography_Roboto-400-css'  href='https://fonts.googleapis.com/css?family=Roboto:400' type='text/css' media='all' />
<link rel='stylesheet' id='options_typography_Roboto-700-css'  href='https://fonts.googleapis.com/css?family=Roboto:700' type='text/css' media='all' />
<link rel='stylesheet' id='options_typography_Roboto+Slab-400-css'  href='https://fonts.googleapis.com/css?family=Roboto+Slab:400' type='text/css' media='all' />
<link rel='stylesheet' id='contact-form-7-css'  href='http://test.fle.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='select2-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/select2.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-layout-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=2.4.10' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-smallscreen-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=2.4.10' type='text/css' media='only screen and (max-width: 768px)' />
<link rel='stylesheet' id='woocommerce-general-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.4.10' type='text/css' media='all' />
<link rel='stylesheet' id='mediaelement-css'  href='http://test.fle.com/wp-includes/js/mediaelement/mediaelementplayer.min.css?ver=2.17.0' type='text/css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='http://test.fle.com/wp-includes/js/mediaelement/wp-mediaelement.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='rgs-css'  href='http://test.fle.com/wp-content/themes/salient/css/rgs.css?ver=6.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-css'  href='http://test.fle.com/wp-content/themes/salient/css/font-awesome.min.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='main-styles-css'  href='http://test.fle.com/wp-content/themes/salient/style.css?ver=6.0.1' type='text/css' media='all' />
<!--[if lt IE 9]>
<link rel='stylesheet' id='nectar-ie8-css'  href='http://test.fle.com/wp-content/themes/salient/css/ie8.css?ver=4.3.4' type='text/css' media='all' />
<![endif]-->
<link rel='stylesheet' id='responsive-css'  href='http://test.fle.com/wp-content/themes/salient/css/responsive.css?ver=6.0.1' type='text/css' media='all' />
<link rel='stylesheet' id='woocommerce-css'  href='http://test.fle.com/wp-content/themes/salient/css/woocommerce.css?ver=4.3.4' type='text/css' media='all' />
<link rel='stylesheet' id='js_composer_front-css'  href='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/css/js_composer.css?ver=4.7.4' type='text/css' media='all' />
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
<script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var wc_add_to_cart_params = {"ajax_url":"\/wp-admin\/admin-ajax.php","wc_ajax_url":"\/?wc-ajax=%%endpoint%%","i18n_view_cart":"View Cart","cart_url":"","is_cart":"","cart_redirect_after_add":"no"};
/* ]]> */
</script>
<script type='text/javascript' src='//test.fle.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=2.4.10'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/js/vendors/woocommerce-add-to-cart.js?ver=4.7.4'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/themes/salient/js/modernizr.js?ver=2.6.2'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/bower/progress-circle/ProgressCircle.js?ver=4.3.4' class='always'></script>
<script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/vc_chart/jquery.vc_chart.js?ver=4.3.4' class='always'></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://test.fle.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://test.fle.com/wp-includes/wlwmanifest.xml" />

stacksofplates

What's in your index.php file?

stacksofplates

Also, what's in the header.php file of your salient theme?

scottalanmiller

@stacksofplates yes, the test site is a separate website on the same machine.

scottalanmiller

@stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

What's in your index.php file?

I've looked through it before and must have just been stupid. There it was, a URLDECODE right in the middle. That was it!

Solved WordPress Site Redirecting Sometimes to Hijacked Page