Malware on link somehow redirects to another site

Malware was cleaned not long ago from my site, but we seem to have a redirect to a porn site happening whenever someone clicks on the Ladders link on the home page; this only happens if you're not logged into the site at all.

  • Chris
    • WPMU DEV Initiate

    So a quick update on this ticket. I did some more testing and manually browsed through many plugins and so on. I noticed a PHP file in the wp-mu folder within the wp-content directory that looked suspicious. Upon opening this file I noticed that there was some dodgy code.
    Removal of this code seems to have stopped the redirect from occurring. For those that may be interested in seeing what the code contents were, they can be found on pastebin - https://pastebin.com/YSEZ4UCV

    This is the first time I have come across a file like this myself; has anybody else ever seen anything similar to this?

    From what I can make out, it seems to be creating an array and then adding these array values to "http://" . $_SERVER["HTTP_HOST"] . substr($fqeboliy, strlen($zlmityqxz)); which I believe is a header rewrite?

    So far the removal of this file from the server seems to have stopped the redirects, but I will carry on testing the site to make sure.

    • Chris
      • WPMU DEV Initiate

      Hi Ash, as my previous comment stated, I found a file in the wp-mu folder (WordPress Must Use folder) which had some dodgy code. From what I can see, the redirects seem to have stopped since I removed this specific file from the server.
      The redirects were happening more via Google search of the website rather than directly within it (the redirect was only occurring when accessing the Ladders category of the site).

      Kind Regards
      Chris

  • Kris
    • Support

    Hi Chris

    Glad you sorted this out :slight_smile: Still, after situations like this we recommend changing the WordPress and FTP passwords. Also scan your PC and any other admin user's PC which has access to this site and FTP.

    I also noticed you use our Defender plugin, but masking the login area is not active there; we also recommend protecting the login area against bots scanning the site.

    Kind Regards,
    Kris

    • Chris
      • WPMU DEV Initiate

      Hi Kris,

      We decided that we will wipe the server and recover the site via backups. We did not set up the current VPS, but it seems a bit chaotic in how it was set up. They used EasyEngine for the hosting platform and I am not very happy with how this is set up.
      For sure, once this has been completed I will be taking your advice on board regarding the masked login area.
      There is no FTP access on the server, only SSH key access, but I will do a scan on the workstations, as well as my office and other locations, to be sure.
      Thank you very much for your recommendation. I will mark this issue as solved, as it seems that the redirect issue has now been sorted.
      Kind Regards

      Chris

      • Jack Alltrade
        • Just A Community Member

        I've had a few clients that had this happen; the easiest fix is to wipe everything except the media directory, then reinstall all WordPress, theme, and plugin files from clean or new copies.

        Afterwards, either run WPMU DEV Defender's "file scan" (which should locate any bad files in your media directory), or manually search for and remove all PHP files from your media directory.

        These types of hacks replicate hundreds of encrypted files and some even hide posts and pages from the admin user, so also review them after doing the cleanup.
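        An added example, not code from this thread or from any WPMU DEV product, that turns the two manual checks described above into a script: Chris's find of a must-use plugin file that builds a redirect URL from "http://" . $_SERVER["HTTP_HOST"] and only fires for logged-out visitors, and Jack's advice to hunt for PHP files in the media directory. The indicator names, the severity ranking and the sample wp-content tree it builds for a dry run are all constructed for this example; point it at a real wp-content directory with a path argument and read every flagged file by hand before deleting anything.

```python
"""Triage scan for a WordPress wp-content tree after a redirect-style compromise.

Added example, not code from this thread or from any WPMU DEV product. It checks
two things: PHP files sitting in the media (uploads) directory, which should never
be there, and PHP under mu-plugins/plugins/themes that contains the building blocks
of an injected redirect (eval/decoder chains, a Location header assembled from
HTTP_HOST, a "only when logged out" gate). Indicator names are chosen here.
"""
import re
import sys
import tempfile
from pathlib import Path

# Extensions the web server may execute as PHP; none of them belongs in uploads/.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Each regex is one indicator; a single hit is only a reason to read the file.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "location_header": re.compile(r"\bheader\s*\(\s*['\"]\s*Location\s*:", re.IGNORECASE),
    # "http://" . $_SERVER["HTTP_HOST"] ... : a URL assembled from the request host
    "host_based_url": re.compile(
        r"['\"]https?://['\"]\s*\.\s*\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]"
    ),
    # Redirect only for visitors who are not logged in, so admins never see it
    "logged_out_gate": re.compile(r"!\s*is_user_logged_in\s*\("),
}


def severity(indicators: list[str]) -> str:
    """Rank a file by which indicators co-occur (heuristic chosen for this example)."""
    hits = set(indicators)
    if {"eval", "decoder"} <= hits or {"location_header", "host_based_url"} <= hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low"


def php_in_uploads(wp_content: Path) -> list[Path]:
    """Any executable PHP under wp-content/uploads is a finding on its own."""
    uploads = wp_content / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS
    )


def scan_code_dirs(wp_content: Path, subdirs=("mu-plugins", "plugins", "themes")) -> dict:
    """Return {relative path: {"indicators": [...], "severity": ...}} for flagged PHP."""
    findings = {}
    for sub in subdirs:
        base = wp_content / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.php")):
            try:
                # errors="ignore": injected files are often padded with binary junk
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                rel = path.relative_to(wp_content).as_posix()
                findings[rel] = {"indicators": hits, "severity": severity(hits)}
    return findings


def triage(wp_content) -> dict:
    """Run both checks and return a report usable for review or for a test."""
    root = Path(wp_content)
    return {
        "php_in_uploads": [p.relative_to(root).as_posix() for p in php_in_uploads(root)],
        "suspicious_code": scan_code_dirs(root),
    }


def build_sample_tree() -> Path:
    """Constructed sample wp-content tree (not files from the thread) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="wpc-"))
    media = root / "uploads" / "2019" / "05"
    media.mkdir(parents=True)
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")  # real media, ignored
    (media / "wp-cache.php").write_text("<?php eval(base64_decode('aGk=')); ?>")
    mu = root / "mu-plugins"
    mu.mkdir()
    (mu / "legit.php").write_text("<?php add_action('init', function () { echo 'hi'; });")
    (mu / "redir.php").write_text(
        "<?php if (!is_user_logged_in()) { header('Location: ' . 'http://' "
        ". $_SERVER['HTTP_HOST'] . substr($a, strlen($b))); }"
    )
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report = triage(target)
    for rel in report["php_in_uploads"]:
        print(f"PHP in uploads: {rel}")
    for rel, info in report["suspicious_code"].items():
        print(f"{info['severity']:6} {rel}: {', '.join(info['indicators'])}")
```

        Run it as `python triage.py /var/www/site/wp-content` (path is an assumption); with no argument it scans the constructed sample tree. The "high" rank is deliberately narrow: HTTP_HOST and is_user_logged_in both appear in legitimate code, so the script only escalates when a redirect is built from the host or an eval is fed by a decoder, and everything else is left at "low" or "medium" for a human to read.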
