Hi guys, I am looking for help tracking how a client's site has been hacked.
The site is located at kingcards.com
It gets redirected to various different fake malware sites, an invalid page on a .ru website or sometime just back to google.com. Sometimes there is no redirect at all and it works as normal. His site is first on Google for a search on "kingcards". This results in a redirect too.
I am unable to find out exactly where the redirect is and this is what is causing the frustration. I have used redirect checkers and "view as Googlebot" tools and they all render the site properly as it should.
His webhost is not being much help and using this as an excuse to sell him a VPN.
If anybody could give me any ideas on where to start looking I would be grateful.
I had a similar problem. I had a habit of not checking for updates for open source scripts. SMF and Joomla were hacked and also I believe my Wordpress was hacked last year. In one case, the main index.php file had a small piece of code added at the bottom which tested the visitor's browser and if Internet Explorer was used, it added an iframe to a site containing a trojan. I usually used Firefox or Opera, so I never saw it. One day I decided to test the site using IE7 and my antivirus alerted me to the malicious code.
What should be done is for all user files be deleted and replaced with backups that are known to be uninfected. If there was an existing vulnerability that the hacker exploited it may be exploited again. These hackers like to put in backdoors so if the malicious code is found and removed, they can regain access to the site. A fresh installation of all files is best.
@cheesedude - You have provided exact answer to this question. Hacking is such a big and growing issue on the internet. Malware is common term for malicious software and increasing difficulty over the internet. Hackers install malware by using safety weakness on servers and fast access to websites. And as you said it is not visible to human. Hackers apply it to reach viruses, hijack PCs or theft important information for example credit card numbers or other private data. So it is always better to keep our website away from hackers using anti-malware product.
Have you seen this in effect yourself, or has this only been reported by the client - if it's only the client, then it may be a localized malware infection rather than the site being hacked.
Repeat: Have your host run a full "maldet scan" and see what it reports.