WordPress Site Redirecting Sometimes to Hijacked Page
-
@MattSpeller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
Gah, the dreaded random event diagnostic! I take it that the random redirect happens to everyone? Is it a site some other people could look at and reload just to see when/if it happens to them?
Nope, not to everyone. I went to the site via IP address first and so the redirect seems to never happen to me from my Linux laptop, regardless of browser. But my Linux terminal server sees the redirect.
That's pretty interesting all on it's own. Cool problem
Yeah, when you're not the one that has to fix it!
-
@MattSpeller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
Gah, the dreaded random event diagnostic! I take it that the random redirect happens to everyone? Is it a site some other people could look at and reload just to see when/if it happens to them?
Nope, not to everyone. I went to the site via IP address first and so the redirect seems to never happen to me from my Linux laptop, regardless of browser. But my Linux terminal server sees the redirect.
That's pretty interesting all on it's own. Cool problem
LOL, yeah. VERY hard for me to confirm when things are broken or fixed. And at one point it acted fixed for everyone, so they all thought that it got fixed after I did tons of updates and cleanup.
-
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
-
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
-
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
We just took over as their IT.... no backups, no original files, nothing.
-
And the previous company won't even respond.
-
Did you browse /var/www/html for random stuff??
If it is local, it is probably there.
Forget about WordPress piece for a minute.
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
Did you browse /var/www/html for random stuff??
If it is local, it is probably there.
Forget about WordPress piece for a minute.
There is only the wordpress folder in there and I've looked through it a bit.
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
We just took over as their IT.... no backups, no original files, nothing.
Well, that's gonna be fun to find
-
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@travisdh1 said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller assuming this is running on Apache can you not find anything in the logs when the pages getting referred
Sorry should have mentioned that. We did a live "make it happen" even while staring at the logs. Not one redirect to an outside source. From what we can tell, it is somehow being served off of the server using standard page names. But we can't figure out how.
Oh I've seen that before, it's just a folder with the shit ton a random names HTML an image files. I've never seen it via word press only older websites with the cPanel vulnerabilities.
Sounds very much like a code injection we had years back, yep.
Yeah, I'm worried that it is in the database somewhere. That would suck big time.
At the moment I'm attempting the generation of a static site to have something while the dynamic one is being worked on.
Have you restored a backup from before it started happening yet? We found ours by using a diff across all the files for the website comparing the live one to an old version. Doubt that'll work if it's in the database tho, at least not the same way.
We just took over as their IT.... no backups, no original files, nothing.
Well, that's gonna be fun to find
Welcome to my personal hell.
-
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
-
This is going to take a while...
-
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
The bad page does not have any images or anything else that you could get the file names of their local resources to try and find?
-
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller said in WordPress Site Redirecting Sometimes to Hijacked Page:
@JaredBusch said in WordPress Site Redirecting Sometimes to Hijacked Page:
@scottalanmiller have you had somebody go to the site get the bad page grab the file name of one of the files it's loading and then grep it ?
It only loads the same page names that are correct for me. Can't find any bad page name. And it is only one page, every link on the bad page points to the main site.
The bad page does not have any images or anything else that you could get the file names of their local resources to try and find?
No images, all image links point back to the URL of the site we are on. Can't find any resource on it. Nothing but text loads, and it only comes up when you go to the default page.
-
@scottalanmiller back it up nuke it from orbit, install clean. Install the back up on some temporary service and copy paste the text and shit over
