ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    WordPress Site Redirecting Sometimes to Hijacked Page

    Scheduled Pinned Locked Moved Solved IT Discussion
    wordpresssecurity
    52 Posts 9 Posters 6.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stacksofplates
      last edited by

      Here's the builtwith in case it helps:

      https://builtwith.com/fle.com

      1 Reply Last reply Reply Quote 0
      • S
        scottalanmiller @stacksofplates
        last edited by

        @stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

        So looking through developer tools I see a lot of "kanebo-cosmetics.co.jp", CSS files linked there.

        Can you search MariaDB (or MySQL) for that string?

        Search results come up blank 😞

        1 Reply Last reply Reply Quote 0
        • S
          stacksofplates
          last edited by

          The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.

          test.fle.com does work though ( I noticed a js file linked there).

          S 1 Reply Last reply Reply Quote 0
          • S
            stacksofplates
            last edited by

            So this is what it's trying to load. But the images aren't absolute paths so they don't work.

            http://www.kanebo-cosmetics.co.jp/

            1 Reply Last reply Reply Quote 0
            • S
              stacksofplates
              last edited by stacksofplates

              Also just to make sure. Amazon DNS looks ok?

              Eh nm. Stupid question.

              1 Reply Last reply Reply Quote 1
              • S
                stacksofplates
                last edited by

                Can you shut Apache down and use the Python simple http server to check that it isn't Apache?

                1 Reply Last reply Reply Quote 1
                • S
                  scottalanmiller @stacksofplates
                  last edited by

                  @stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

                  The fingerlakes.engineering redirected to fle.com with the junk. The fingerlakes.engineering IP goes to the site correctly. chillcon.com and it's IP is just spinning.

                  test.fle.com does work though ( I noticed a js file linked there).

                  This suggests that there is a detection script looking for those names and transforming things when they are present.

                  1 Reply Last reply Reply Quote 1
                  • S
                    stacksofplates
                    last edited by

                    I guess you could do a find and exec grep for that other other domain name.

                    Do all of the modules look normal? (Or whatever wordpress calls them).

                    S 1 Reply Last reply Reply Quote 1
                    • S
                      scottalanmiller @stacksofplates
                      last edited by

                      @stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

                      I guess you could do a find and exec grep for that other other domain name.

                      Do all of the modules look normal? (Or whatever wordpress calls them).

                      Seem normal to me. I've run scams on them, too.

                      G 1 Reply Last reply Reply Quote 0
                      • G
                        gjacobse @scottalanmiller
                        last edited by

                        @scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:

                        @stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

                        I guess you could do a find and exec grep for that other other domain name.

                        Do all of the modules look normal? (Or whatever wordpress calls them).

                        Seem normal to me. I've run scams on them, too.

                        scaMs or scaNs...

                        1 Reply Last reply Reply Quote 0
                        • A
                          Ambarishrh
                          last edited by

                          Is it still the case, i just browsed the site http://www.fle.com and looks like all pages are working fine!

                          1 Reply Last reply Reply Quote 0
                          • S
                            stacksofplates
                            last edited by

                            So after posting this in the wrong thread, I'll try again......

                            So upon further inspection, it looks like even if you go to the IP address for fle.com, everything is linked to test.fle.com. Here's a snippet of the index.html I get from visiting the IP address:

                            <title>  Finger Lakes Environmental</title>
                            
                            <link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental &raquo; Feed" href="http://test.fle.com/feed/" />
                            <link rel="alternate" type="application/rss+xml" title="Finger Lakes Environmental &raquo; Comments Feed" href="http://test.fle.com/comments/feed/" />
                            <meta property='og:site_name' content='Finger Lakes Environmental'/><meta property='og:url' content='http://test.fle.com/'/><meta property='og:title' content='Home'/><meta property='og:type' content='article'/>		<script type="text/javascript">
                            			window._wpemojiSettings = {"baseUrl":"http:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/test.fle.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.4"}};
                            			!function(a,b,c){function d(a){var c=b.createElement("canvas"),d=c.getContext&&c.getContext("2d");return d&&d.fillText?(d.textBaseline="top",d.font="600 32px Arial","flag"===a?(d.fillText(String.fromCharCode(55356,56812,55356,56807),0,0),c.toDataURL().length>3e3):(d.fillText(String.fromCharCode(55357,56835),0,0),0!==d.getImageData(16,16,1,1).data[0])):!1}function e(a){var c=b.createElement("script");c.src=a,c.type="text/javascript",b.getElementsByTagName("head")[0].appendChild(c)}var f,g;c.supports={simple:d("simple"),flag:d("flag")},c.DOMReady=!1,c.readyCallback=function(){c.DOMReady=!0},c.supports.simple&&c.supports.flag||(g=function(){c.readyCallback()},b.addEventListener?(b.addEventListener("DOMContentLoaded",g,!1),a.addEventListener("load",g,!1)):(a.attachEvent("onload",g),b.attachEvent("onreadystatechange",function(){"complete"===b.readyState&&c.readyCallback()})),f=c.source||{},f.concatemoji?e(f.concatemoji):f.wpemoji&&f.twemoji&&(e(f.twemoji),e(f.wpemoji)))}(window,document,window._wpemojiSettings);
                            		</script>
                            		<style type="text/css">
                            img.wp-smiley,
                            img.emoji {
                            	display: inline !important;
                            	border: none !important;
                            	box-shadow: none !important;
                            	height: 1em !important;
                            	width: 1em !important;
                            	margin: 0 .07em !important;
                            	vertical-align: -0.1em !important;
                            	background: none !important;
                            	padding: 0 !important;
                            }
                            </style>
                            <link rel='stylesheet' id='options_typography_Roboto-400-css'  href='https://fonts.googleapis.com/css?family=Roboto:400' type='text/css' media='all' />
                            <link rel='stylesheet' id='options_typography_Roboto-700-css'  href='https://fonts.googleapis.com/css?family=Roboto:700' type='text/css' media='all' />
                            <link rel='stylesheet' id='options_typography_Roboto+Slab-400-css'  href='https://fonts.googleapis.com/css?family=Roboto+Slab:400' type='text/css' media='all' />
                            <link rel='stylesheet' id='contact-form-7-css'  href='http://test.fle.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.3.1' type='text/css' media='all' />
                            <link rel='stylesheet' id='select2-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/select2.css?ver=4.3.4' type='text/css' media='all' />
                            <link rel='stylesheet' id='woocommerce-layout-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=2.4.10' type='text/css' media='all' />
                            <link rel='stylesheet' id='woocommerce-smallscreen-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=2.4.10' type='text/css' media='only screen and (max-width: 768px)' />
                            <link rel='stylesheet' id='woocommerce-general-css'  href='//test.fle.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.4.10' type='text/css' media='all' />
                            <link rel='stylesheet' id='mediaelement-css'  href='http://test.fle.com/wp-includes/js/mediaelement/mediaelementplayer.min.css?ver=2.17.0' type='text/css' media='all' />
                            <link rel='stylesheet' id='wp-mediaelement-css'  href='http://test.fle.com/wp-includes/js/mediaelement/wp-mediaelement.css?ver=4.3.4' type='text/css' media='all' />
                            <link rel='stylesheet' id='rgs-css'  href='http://test.fle.com/wp-content/themes/salient/css/rgs.css?ver=6.0.1' type='text/css' media='all' />
                            <link rel='stylesheet' id='font-awesome-css'  href='http://test.fle.com/wp-content/themes/salient/css/font-awesome.min.css?ver=4.3.4' type='text/css' media='all' />
                            <link rel='stylesheet' id='main-styles-css'  href='http://test.fle.com/wp-content/themes/salient/style.css?ver=6.0.1' type='text/css' media='all' />
                            <!--[if lt IE 9]>
                            <link rel='stylesheet' id='nectar-ie8-css'  href='http://test.fle.com/wp-content/themes/salient/css/ie8.css?ver=4.3.4' type='text/css' media='all' />
                            <![endif]-->
                            <link rel='stylesheet' id='responsive-css'  href='http://test.fle.com/wp-content/themes/salient/css/responsive.css?ver=6.0.1' type='text/css' media='all' />
                            <link rel='stylesheet' id='woocommerce-css'  href='http://test.fle.com/wp-content/themes/salient/css/woocommerce.css?ver=4.3.4' type='text/css' media='all' />
                            <link rel='stylesheet' id='js_composer_front-css'  href='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/css/js_composer.css?ver=4.7.4' type='text/css' media='all' />
                            <script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
                            <script type='text/javascript' src='http://test.fle.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
                            <script type='text/javascript'>
                            /* <![CDATA[ */
                            var wc_add_to_cart_params = {"ajax_url":"\/wp-admin\/admin-ajax.php","wc_ajax_url":"\/?wc-ajax=%%endpoint%%","i18n_view_cart":"View Cart","cart_url":"","is_cart":"","cart_redirect_after_add":"no"};
                            /* ]]> */
                            </script>
                            <script type='text/javascript' src='//test.fle.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=2.4.10'></script>
                            <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/js/vendors/woocommerce-add-to-cart.js?ver=4.7.4'></script>
                            <script type='text/javascript' src='http://test.fle.com/wp-content/themes/salient/js/modernizr.js?ver=2.6.2'></script>
                            <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/bower/progress-circle/ProgressCircle.js?ver=4.3.4' class='always'></script>
                            <script type='text/javascript' src='http://test.fle.com/wp-content/plugins/js_composer_salient/assets/lib/vc_chart/jquery.vc_chart.js?ver=4.3.4' class='always'></script>
                            <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://test.fle.com/xmlrpc.php?rsd" />
                            <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://test.fle.com/wp-includes/wlwmanifest.xml" /> 
                            
                            S 1 Reply Last reply Reply Quote 0
                            • S
                              stacksofplates
                              last edited by

                              What's in your index.php file?

                              S 1 Reply Last reply Reply Quote 1
                              • S
                                stacksofplates
                                last edited by

                                Also, what's in the header.php file of your salient theme?

                                1 Reply Last reply Reply Quote 0
                                • S
                                  scottalanmiller @stacksofplates
                                  last edited by

                                  @stacksofplates yes, the test site is a separate website on the same machine.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    scottalanmiller @stacksofplates
                                    last edited by

                                    @stacksofplates said in WordPress Site Redirecting Sometimes to Hijacked Page:

                                    What's in your index.php file?

                                    I've looked through it before and must have just been stupid. There it was, a URLDECODE right in the middle. That was it!

                                    1 Reply Last reply Reply Quote 5
                                    • 1
                                    • 2
                                    • 3
                                    • 2 / 3
                                    • First post
                                      Last post