Infected websites

Posted by: Dignan

Infected websites - 27/10/2014 14:03

I know quite a lot about cleaning infected computers. I know nothing about cleaning infected websites. How on earth do I do that?

I have a client whose website is apparently redirecting people to some other site, but it's not happening for ALL users. Here's the domain: www.teilhard (restore this space) project.com

Are any of you getting redirected to some shady site?
Posted by: tanstaafl.

Re: Infected websites - 27/10/2014 14:13

Originally Posted By: Dignan
Are any of you getting redirected to some shady site?

The first time I tried the link I was sent here:

wagon (restore this space) park.com/xhttp/go.php

an apparently empty website -- no content came up on the screen, but the url seemed to be valid, no 404 error or anything.

The second time I was sent to the correct site, but the graphics on the top of the page didn't load.

The third time the proper site opened normally, with graphics, etc.

The fourth time was like the second time -- site opened, but no graphics.

Hope this helps...

tanstaafl.
Posted by: Phoenix42

Re: Infected websites - 27/10/2014 15:09

Error 521 Ray ID: 18007e1e61050785
Web server is down

Maybe the hosting provider is working on it now?
Posted by: drakino

Re: Infected websites - 27/10/2014 15:22

Please don't directly link to hacked or spam site here. I've edited the above posts to break the automatic links to the intended sites.
Posted by: Dignan

Re: Infected websites - 27/10/2014 15:54

Sorry about that.
Posted by: Shonky

Re: Infected websites - 28/10/2014 07:38

Seems to work fine from here.
Posted by: Dignan

Re: Infected websites - 28/10/2014 09:01

Originally Posted By: Shonky
Seems to work fine from here.

Thanks, and happy birthday!

So can anyone tell me how the problems are happening and what I can do to fix it? Is it a problem with their DNS records? An infected file? Hacked Wordpress?
Posted by: andy

Re: Infected websites - 28/10/2014 09:58

I'm pretty sure Wordpress is hacked.

Whatever is doing it has some server side smarts. When you first load the page it does its spammy redirection to the wagon site (which ends up closing the page for some reason). Reload it and it just stays on the correct site.

Switch to a different IP address (I have a few to choose from) and the wagon site loads again. Reload and you are back to the right site.

Something in the Wordpress install is doing something malicious and doing its best to hide the fact that it does it the first time people visit the site.
Posted by: andy

Re: Infected websites - 28/10/2014 10:02

Hopefully you can find it by just grepping the PHP code on the server for "wagonpark" or maybe "xhttp" ?

Weirdly it does a 302 temporary redirect to the wagonpark page, which serves up a single file with just this in it:

<script>history.back();</script>
Posted by: andy

Re: Infected websites - 28/10/2014 10:09

This site identifies the problem:

http://evuln.com/tools/malware-scanner/http%3A%2F%2Fwww.teilhardproject.com%2F

And gives some advice on finding the redirect:

http://evuln.com/labs/fixing-guide/
Posted by: Dignan

Re: Infected websites - 28/10/2014 10:50

Thanks so much for the help, Andy. I'll be going over that site you linked. I'm downloading all the files for the site and hopefully I'll find something. I'll start with the search terms you mentioned.

Thanks again.
Posted by: andy

Re: Infected websites - 28/10/2014 11:23

Don't search for what I mentioned first, follow the advice in the page I linked. The actual site name it redirects to is almost certainly obfuscated using something like base64 encoding if it is in the PHP.

And as that page points out, it might not be in the PHP (though given its stateful behaviour, I guess that it probably is).
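The advice above (search the whole tree, but expect the redirect target to be hidden behind base64 or similar) can be turned into a small scanner. The following is an added example, not code from the thread or from the evuln guide: it walks a downloaded WordPress tree, flags the PHP constructs injected redirect code typically relies on (base64_decode, eval, gzinflate/str_rot13, header('Location: ...'), preg_replace with the /e modifier), decodes any long base64-looking literal and checks whether it contains an indicator string, and checks .htaccess for rewrite rules that send visitors to another host. The sample inputs are constructed for the example (the redirect host is a hypothetical .invalid name); the indicator strings are the ones named in the thread. A hit is a lead to read by hand, not proof, since core WordPress also uses base64_decode and preg_replace.

```python
import base64
import re
from pathlib import Path

# Heuristics for constructs injected redirect code tends to use. A hit is a lead
# to inspect, not proof of infection: core WordPress also calls base64_decode().
PHP_PATTERNS = {
    "base64_decode()": re.compile(r"\bbase64_decode\s*\("),
    "eval()": re.compile(r"\beval\s*\("),
    "gzinflate()/str_rot13()": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
    "header('Location: ...')": re.compile(r"header\s*\(\s*['\"]Location\s*:", re.I),
}
# First argument of preg_replace(); the /e modifier executes the replacement as PHP
PREG_REPLACE = re.compile(r"preg_replace\s*\(\s*(['\"])(.*?)\1", re.S)
# .htaccess directives that send visitors to a different host
HTACCESS = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+.*https?://", re.I | re.M
)
# Long base64-looking literals are worth decoding and searching
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def preg_replace_has_e(pattern):
    """True when a PHP regex literal such as '/foo/ie' carries the /e modifier."""
    delim = pattern[:1]
    if not delim or delim.isalnum():
        return False
    closing = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(delim, delim)
    end = pattern.rfind(closing)
    return end > 0 and "e" in pattern[end + 1:]


def scan_text(text, indicators, name="<input>"):
    """Return (name, line, reason) tuples for every suspicious hit in one file."""
    hits = []
    if name.endswith(".htaccess"):
        for m in HTACCESS.finditer(text):
            hits.append((name, _line_of(text, m.start()), "htaccess redirect to external host"))
        return hits
    for reason, rx in PHP_PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((name, _line_of(text, m.start()), reason))
    for m in PREG_REPLACE.finditer(text):
        if preg_replace_has_e(m.group(2)):
            hits.append((name, _line_of(text, m.start()), "preg_replace() with /e modifier"))
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("latin-1").lower()
        except ValueError:  # not valid base64 after all
            continue
        for ind in indicators:
            if ind.lower() in decoded:
                hits.append((name, _line_of(text, m.start()), f"base64 literal decodes to '{ind}'"))
    return hits


def scan_tree(root, indicators, exts=(".php", ".js", ".html")):
    """Scan every PHP/JS/HTML file and every .htaccess under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in exts or path.name == ".htaccess"):
            hits.extend(scan_text(path.read_text(errors="replace"), indicators, str(path)))
    return hits


# Constructed samples for this example (not taken from the site in the thread):
# the benign core line quoted in the thread, and a hypothetical injected redirect
# whose target is base64-encoded so a plain grep for the host name finds nothing.
CLEAN_SAMPLE = "$redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);\n"
_TARGET = base64.b64encode(b"http://redirect-target.invalid/xhttp/go.php").decode()
INFECTED_SAMPLE = (
    "<?php\n"
    f"$u = base64_decode('{_TARGET}');\n"
    "if (empty($_COOKIE['v'])) { setcookie('v', '1'); header('Location: ' . $u, true, 302); exit; }\n"
)
INDICATORS = ["xhttp/go.php", "wagonpark"]  # strings named in the thread

if __name__ == "__main__":
    for hit in scan_text(INFECTED_SAMPLE, INDICATORS, "wp-content/themes/x/header.php"):
        print(hit)
    # For a downloaded site: for hit in scan_tree("site-root", INDICATORS): print(hit)
```

Run it over the downloaded root with scan_tree and read each flagged line in context; expect a handful of legitimate hits in wp-includes and plugins, and pay most attention to files whose decoded literal contains the indicator or whose location does not match the official distribution.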
Posted by: Shonky

Re: Infected websites - 28/10/2014 11:28

Originally Posted By: Dignan
Originally Posted By: Shonky
Seems to work fine from here.

Thanks, and happy birthday!

So can anyone tell me how the problems are happening and what I can do to fix it? Is it a problem with their DNS records? And infected file? Hacked Wordpress?

Thanks. Yeah mine is doing it first time with a new IP but repeated attempts just work. If locally hosted, just grep the webserver source for those references as Andy says.

Rather than downloading the site, can you just SSH (or telnet!) in and grep directly? Presuming it's running *nix.
Posted by: Shonky

Re: Infected websites - 28/10/2014 11:34

A cookie is stored and that's how it appears to identify to redirect or not.

I get this weird one

proxy
http://localhost:59024/proxy/0/
localhost/
0
4179898496
30405299
3631976999
30405299
*
Posted by: andy

Re: Infected websites - 28/10/2014 14:01

I doubt it is cookie based, I was seeing the same behaviour from the command line with wget.
Posted by: Shonky

Re: Infected websites - 28/10/2014 20:27

Well clearing cookies and I was getting redirected once. And switching browsers also gave me another go. That's not working today but from the same IP it did redirect at least twice (in different browsers).

It's a bit weird. You'd expect it to always redirect but perhaps that's kind of the plan. Random or once daily or something so it may not be noticed by the site owner and fixed.

Anyway, grep source still.
Posted by: Dignan

Re: Infected websites - 28/10/2014 23:38

I'd already downloaded all the files, so I searched through the root of the Wordpress installation using Notepad++, which lets me search across all open files. The only hits I got for the strings mentioned in the evuln instructions were for preg_replace() and they were the following ones that don't look bad:

Quote:
Line 759: $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to);

Quote:
Line 105: echo '<input name="blogname" type="text" id="blogname" value="'.esc_attr($blogname).'" maxlength="60" /><span class="suffix_address">.' . ( $site_domain = preg_replace( '|^www\.|', '', $current_site->domain ) ) . '</span><br />';
Line 683: $newblogname = isset($_GET['new']) ? strtolower(preg_replace('/^-|-$|[^-a-zA-Z0-9]/', '', $_GET['new'])) : null;
I'll keep looking at the other files, but I'm not finding the things they're telling me to look for and I don't know if I can get the access you guys are talking about. This is a shared server at Network Solutions.
Posted by: Shonky

Re: Infected websites - 29/10/2014 11:03

That looks OK.

Get the whole website and search it all at once. Don't try doing it bits at a time on files you've opened. Textpad can search folders (demo).

Have you searched for "wagon" or "park" or "wagonpark" or similar?

.htaccess?

You can't get shell access? Would just be easier than using say Notepad++. If not you should be able to just FTP the whole lot off.

Is there an old backup of the website you could do a diff against (recommend WinMerge on Windows)?
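The suggestion to diff the live site against an old backup is the most reliable of the approaches in this thread, because injected code has to change or add a file somewhere. The following added example (not from the thread, and not a WinMerge or Textpad feature) hashes every file in a backup tree and in the downloaded live tree and reports what was added, removed, or modified, which is the list of files to read first. The demo trees it builds are constructed for the example and hypothetical; the include it plants in the live index.php is a stand-in for whatever the real modification turns out to be.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file path (relative to root, forward slashes) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(backup_root, live_root):
    """Report files that differ between a known-good backup and the live copy."""
    before, after = tree_digests(backup_root), tree_digests(live_root)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def build_demo(base):
    """Constructed, hypothetical backup and live copies of a tiny site under base."""
    backup, live = Path(base, "backup"), Path(base, "live")
    for root in (backup, live):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "load.php").write_text("<?php // unchanged core file\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    # Live copy: index.php gained an extra include, a new file appeared, one file vanished
    (live / "index.php").write_text(
        "<?php include 'wp-content/uploads/extra.php';\nrequire 'wp-blog-header.php';\n"
    )
    (live / "wp-content").mkdir()
    (live / "wp-content" / "extra.php").write_text("<?php // file absent from the backup\n")
    (backup / "readme.html").write_text("<html></html>\n")
    return backup, live


def demo_report():
    """Build the demo trees in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_demo(tmp)
        return compare_trees(backup, live)


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind}: {paths}")
    # Real use: compare_trees("backup-2014-09", "live-download")
```

Timestamps are deliberately ignored: an attacker can reset mtime, but cannot make a changed file hash the same. Files that show up under "added" inside wp-content/uploads or with names that do not exist in the official WordPress distribution deserve the first look.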