Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#362796 - 27/10/2014 14:03 Infected websites
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12343
Loc: Sterling, VA
I know quite a lot about cleaning infected computers. I know nothing about cleaning infected websites. How on earth do I do that?

I have a client whose website is apparently redirecting people to some other site, but it's not happening for ALL users. Here's the domain: www.teilhard (restore this space) project.com

Are any of you getting redirected to some shady site?


Edited by drakino (27/10/2014 15:20)
Edit Reason: Removed link to infected website to avoid bbs being marked as infected.
_________________________
Matt

Top
#362797 - 27/10/2014 14:13 Re: Infected websites [Re: Dignan]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Originally Posted By: Dignan
Are any of you getting redirected to some shady site?


The first time I tried the link I was sent here:

wagon (restore this space) park.com/xhttp/go.php

an apparently empty website -- no content came up on the screen, but the url seemed to be valid, no 404 error or anything.

The second time I was sent to the correct site, but the graphics on the top of the page didn't load.

The third time the proper site opened normally, with graphics, etc.

The fourth time was like the second time -- site opened, but no graphics.

Hope this helps...

tanstaafl.


Edited by drakino (27/10/2014 15:21)
Edit Reason: Removed link to possible spam site
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#362798 - 27/10/2014 15:09 Re: Infected websites [Re: Dignan]
Phoenix42
veteran

Registered: 21/03/2002
Posts: 1424
Loc: MA but Irish born
Error 521 Ray ID: 18007e1e61050785
Web server is down

Maybe hte hosting provider is working on it now?

Top
#362799 - 27/10/2014 15:22 Re: Infected websites [Re: Dignan]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Please don't directly link to hacked or spam site here. I've edited the above posts to break the automatic links to the intended sites.

Top
#362800 - 27/10/2014 15:54 Re: Infected websites [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12343
Loc: Sterling, VA
Sorry about that.
_________________________
Matt

Top
#362809 - 28/10/2014 07:38 Re: Infected websites [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Seems to work fine from here.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#362811 - 28/10/2014 09:01 Re: Infected websites [Re: Shonky]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12343
Loc: Sterling, VA
Originally Posted By: Shonky
Seems to work fine from here.

Thanks, and happy birthday!

So can anyone tell me how the problems are happening and what I can do to fix it? Is it a problem with their DNS records? And infected file? Hacked Wordpress?
_________________________
Matt

Top
#362812 - 28/10/2014 09:58 Re: Infected websites [Re: Dignan]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
I'm pretty sure Wordpress is hacked.

Whatever is doing it has some server side smarts. When you first load the page it does its spammy redirection to the wagon site (which ends up closing the page for some reason). Reload it and it just stays on the correct site.

Switch to a different IP address (I have a few to chose from) and the wagon site loads again. Reload and you are back to the right site.

Something in the Wordpress install is doing something malicious and doing its best to hide the fact that it does it the first time people visit the site.
_________________________
Remind me to change my signature to something more interesting someday

Top
#362813 - 28/10/2014 10:02 Re: Infected websites [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Hopefully you can find it by just grepping the PHP code on the server for "wagonpark" or maybe "xhttp" ?

Weirdly it does a 302 temporary redirect to the wagonpark page, which serves up a single file with just this in it:

<script>history.back();</script>
_________________________
Remind me to change my signature to something more interesting someday

Top
#362814 - 28/10/2014 10:09 Re: Infected websites [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
This site identifies the problem:

http://evuln.com/tools/malware-scanner/http%3A%2F%2Fwww.teilhardproject.com%2F

And gives some advice on finding the redirect:

http://evuln.com/labs/fixing-guide/
_________________________
Remind me to change my signature to something more interesting someday

Top
#362815 - 28/10/2014 10:50 Re: Infected websites [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12343
Loc: Sterling, VA
Thanks so much for the help, Andy. I'll be going over that site you linked. I'm downloading all the files for the site and hopefully I'll find something. I'll start with the search terms you mentioned.

Thanks again.
_________________________
Matt

Top
#362816 - 28/10/2014 11:23 Re: Infected websites [Re: Dignan]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Don't search for what I mentioned first, follow the advice in the page I linked. The actual site name it redirects to is almost certainly obfuscated using something like base64 encoding if it is in the PHP.

And as that page points out, it might not be in the PHP (though given its stateful behaviour, I guess that it probably is).


Edited by andy (28/10/2014 11:25)
_________________________
Remind me to change my signature to something more interesting someday

Top
#362817 - 28/10/2014 11:28 Re: Infected websites [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Originally Posted By: Dignan
Originally Posted By: Shonky
Seems to work fine from here.

Thanks, and happy birthday!

So can anyone tell me how the problems are happening and what I can do to fix it? Is it a problem with their DNS records? And infected file? Hacked Wordpress?

Thanks. Yeah mine is doing it first time with a new IP but repeated attempts just work. If locally hosted, just grep the webserver source for those references as Andy says.

Rather than downloading the site, can you just SSH (or telnet!) in and grep directly? Presuming it's running *nix.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#362818 - 28/10/2014 11:34 Re: Infected websites [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
A cookie is stored and that's how it appears to identify to redirect or not.

I get this weird one

proxy
http://localhost:59024/proxy/0/
localhost/
0
4179898496
30405299
3631976999
30405299
*
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#362820 - 28/10/2014 14:01 Re: Infected websites [Re: Shonky]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
I doubt it is cookie based, I was seeing the same behaviour from the command line with wget.
_________________________
Remind me to change my signature to something more interesting someday

Top
#362822 - 28/10/2014 20:27 Re: Infected websites [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Well clearing cookies and I was getting redirected once. And switching browsers also gave me another go. That's not working today but from the same IP it did redirect at least twice (in different browsers)

It's a bit weird. You'd expect it to always redirect but perhaps that's kind of the plan. Random or once daily or something so it may not be noticed by the site owner and fixed.

Anyway, grep source still.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#362828 - 28/10/2014 23:38 Re: Infected websites [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12343
Loc: Sterling, VA
I'd already downloaded all the files, so I searched through the root of the Wordpress installation using Notepad++, which lets me search across all open files. The only hits I got for the strings mentioned in the evuln instructions were for preg_replace() and they were the following ones that don't look bad:

Quote:
Line 759: $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);

Quote:
Line 105: echo '<input name="blogname" type="text" id="blogname" value="'.esc_attr($blogname).'" maxlength="60" /><span class="suffix_address">.' . ( $site_domain = preg_replace( '|^www\.|', '', $current_site->domain ) ) . '</span><br />';
Line 683: $newblogname = isset($_GET['new']) ? strtolower(preg_replace('/^-|-$|[^-a-zA-Z0-9]/', '', $_GET['new'])) : null;


I'll keep looking at the other files, but I'm not finding the things they're telling me to look for and I don't know if I can get the access you guys are talking about. This is a shared server at Network Solutions.


Edited by Dignan (28/10/2014 23:39)
_________________________
Matt

Top
#362833 - 29/10/2014 11:03 Re: Infected websites [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
That looks OK.

Get the whole website and search it all at once. Don't try doing it bits at a time on files you've opened. Textpad can search folders (demo).

Have you searched for "wagon" or "park" or "wagonpark" or similar?

.htaccess?

You can't get shell access? Would just be easier than using say Notepad++. If not you should be able to just FTP the whole lot off.

Is there an old backup of the website you could do a diff against (recommend WinMerge on Windows).
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top