Hidden conditional redirect

Discussion in 'Security' started by averyz, May 22, 2014.

  1. #1
    I took over a WordPress website for a client that had a hidden conditional redirect placed on it, so that all search engine listings get redirected to a spam site. I did the standard and looked in the htaccess, index.php and scanned the SQL database for any redirect codes and came up with nothing.

    A big problem is the client has some very bad hosting/Dreamhost, on the regular ftp the htaccess doesn’t even show up, I have to use the “Webftp” to get to it and the search tool doesn't work to look for other htaccess files that might be hidden in the site.

    So I am wondering:
    - Is it a possibility that other htaccess files are on the host that I cannot see client side?

    - Is it a possibility that DNS files can be infected with the redirect that I cannot get to client side?

    - And how many places can a redirect be hidden? Can it be hidden in javascript? Cloaked in a non readable code?

    When clients show up with bad hosting I have them deal with all hosting problems and recommend good hosting. I told the client to contact Dreamhost and ask them to look at ALL htaccess files and DNS files. 4 days, no reply (as usual Dreamhost sucks).
     
    averyz, May 22, 2014 IP
  2. #2
    Hello,
    First, the FTP client that doesn't see the .htaccess file is probably hiding it because files that begin with a dot (.) are SUPPOSED to be hidden. There is likely an option that you can set in the FTP client to show "hidden" files that begin with the dot.

    As for the redirect, I doubt that there is another .htaccess file causing this. It is likely that the WordPress install was hacked and code has been added to the files themselves or to the database. Do you have SSH access for this account? Sometimes, it is easy to find by listing files by modified date. Look in the wp-content, includes, and themes directories in particular. The code may use the PHP function eval() or base64_decode() to hide itself but will usually appear at the top or bottom of the infected files.
     
    Tier_net, May 28, 2014 IP
    averyz likes this.
  3. #3
    Thanks Tier_net - You nailed it.

    It was a PHP function eval(base64_decode in a bunch of wp-content/plugins/- files
     
    averyz, May 29, 2014 IP
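
The check described in post #2 and confirmed in post #3 (list PHP files by modification date and look for eval()/base64_decode() near the top or bottom of each file), as an added Python example that is not part of the original thread. The function names, the 2048-byte "top/bottom" window and the sample plugin files are assumptions constructed for illustration.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Idiom reported in the thread: eval() wrapped directly around base64_decode().
NESTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Weaker signal: either function is called somewhere in the file.
CALLS = re.compile(rb"\b(eval|base64_decode)\s*\(", re.IGNORECASE)
EDGE = 2048  # bytes from either end counted as "top"/"bottom" (assumed value)

def scan(root):
    """Return findings for .php files under root, most recently modified first."""
    findings = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() == ".php"):
            continue
        try:
            data, mtime = path.read_bytes(), path.stat().st_mtime
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        nested = NESTED.search(data)
        hit = nested or CALLS.search(data)
        if not hit:
            continue
        where = ("top" if hit.start() < EDGE else
                 "bottom" if hit.start() >= len(data) - EDGE else "middle")
        findings.append({"path": str(path), "mtime": mtime, "where": where,
                         "level": "nested" if nested else "call"})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

def build_sample(root):
    """Constructed sample tree: one clean plugin file, one with a harmless stub."""
    plugin = Path(root, "wp-content", "plugins", "example")
    plugin.mkdir(parents=True)
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    for name, body, mtime in (
        ("clean.php", "<?php\nfunction example_init() { return true; }\n", 1400000000),
        ("widget.php", "<?php eval(base64_decode('%s')); ?>\n<?php // plugin\n" % blob, 1401000000),
    ):
        (plugin / name).write_text(body)
        os.utime(plugin / name, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan(tmp):
            print(f["level"], f["where"], f["path"])
```

A `call` finding is only a lead, since legitimate plugins also call base64_decode(); a `nested` finding at the top or bottom of a recently modified file is the pattern worth opening first.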