Hi,

    Recently I was told by people trying to post my site on slack that they were getting Russian text about a Hydra Onion site.

    When I test with any browser or wget, my site works as intended, but when I use curl, I get the Russian text:

    curl https://anset.org

    <html>
        <head>
            <title>HYDRA ZERKALO ONION SITE</title>
            <meta name="keywords" content="HYDRA ZERKALO ONION SITE?Гидра нарко, Гидра магазин, гидра клады,Гидра сайт,Гидра ссылка,сайт гидра,бот авто продаж, Hydra сайт, Hydra ссылка, HYDRA2WEB, как купить на гидре,Зайти с телефона на гидру,Купить мефедрон">
            <meta name="description" content="HYDRA ZERKALO ONION SITE!!! Как попасть на сайт! Актуальные линки-ссылки! Как зайти на сайт гидра с телефона? Ссылки на сайт в онион тор и с телефона! Рабочее зеркало сайта и маркета! ">
            <meta charset="UTF-8">
            <meta name="viewport" content="width=device-width, initial-scale=1.0">
        </head>
        <body>
            <div>Гидра сайт автопродаж<p>&nbsp;</p>Гидра онион<p>&nbsp;</p>Гидра с телефона<p>&nbsp;</p>
    ....
    

    I’ve disabled all plugins but that did not change anything. I’m on version 5.8.1, which is the latest according to the admin console.

    This is a multisite deployment and all my WordPress sites suffer from this. My other non-WordPress sites that are served by the same Apache server are not affected.

    I tested with tcpdump but I see no outgoing traffic, so the Russian page seems to be served from my server. However, I cannot find where it is, or what is causing the page to be served instead of the WordPress page.

    I’ve searched the internet and this forum but could not find anything and now I am stuck.

    Does anybody have an idea on how I could try to investigate this further?

    Thanks for any tips and hints!

    Wkr,

    Jhon


Viewing 7 replies - 1 through 7 (of 7 total)
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Are there any redirects set in your .htaccess file?

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    There is no redirect, so you have one or more rogue files on your site. Do the procedure to remove *all* files other than your uploads and wp-config.php and re-upload WordPress, themes, and plugins with files from a known, clean source.

    $ curl -v https://anset.org/index.php
    *   Trying 94.142.244.56:443...
    * Connected to anset.org (94.142.244.56) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=wordpress.anset.org
    *  start date: Aug 11 00:07:19 2021 GMT
    *  expire date: Nov  9 00:07:17 2021 GMT
    *  subjectAltName: host "anset.org" matched cert's "anset.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    > GET /index.php HTTP/1.1
    > Host: anset.org
    > User-Agent: curl/7.76.1
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Sun, 19 Sep 2021 15:26:40 GMT
    < Server: Apache
    < Set-Cookie: _subid=2j2lvk89a1fv; expires=Mon, 20-Sep-2021 15:26:41 GMT; Max-Age=86400; path=/
    < Set-Cookie: 3c47f=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjM5OFwiOjE2MzIwNjUyMDF9LFwiY2FtcGFpZ25zXCI6e1wiMTAwXCI6MTYzMjA2NTIwMX0sXCJ0aW1lXCI6MTYzMjA2NTIwMX0ifQ.C5KvhiOCoDQ6CIQDXZVCu7fsAmOHMW54YlHc_Dvt-Ow; expires=Mon, 20-Sep-2021 15:26:41 GMT; Max-Age=86400; path=/
    < Transfer-Encoding: chunked
    < Content-Type: text/html;charset=UTF-8
    < 
    <html>
        <head>
            <title>HYDRA ZERKALO ONION SITE</title>
    
    Thread Starter jhonm

    (@jhonm)

    Yea,

    I was afraid of that. I was hoping that maybe someone ran into this already and could point out the nasty files.

    I’m pretty sure this came with a plugin, even though I only use supported plugins that have a large following…

    Thanks for taking a look!

    Jhon

    Thread Starter jhonm

    (@jhonm)

    SOLVED

    Closing the loop:

    I was able to fix this using the “reinstall WordPress” option in the update section of the admin portal for my network installation.

    After the reinstall, the Russian forward is gone.

    Hi @jhonm
    I have the exact same problem with my site, but reinstalling WordPress like you did didn’t help me, at least not yet (did this three days ago). Did it work immediately for you, or did you have to wait for Google to index your site again?

    Thanks in advance for any help!

    Thread Starter jhonm

    (@jhonm)

    Hey,

    Yep, reinstalling it (using the WordPress admin UI) worked instantly because it removed some malware that was installed. I am using a multisite deployment but that should not make a difference, I think.

    However, after a couple of days the problem reoccurred because there was another piece of malware that I had not found yet offering a full web shell to the hackers, allowing them to reinstall the feed overwrite.

    Since then I have located the webshell malware, removed it and my site has been “good” ever since. (I never was able to find the exact spot where the RSS feed got corrupted. Since reinstalling WordPress solved that issue, I did not need to find that.)

    To find it, I looked through the Apache log file for the WordPress site to find “weird” filenames that were accessed and I found a file called “ltooju.php” in the web root. The filename does look like it is auto-generated and randomized though, but take a look at your web root for any weird names.

    Wkr,

    Jhon
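The log triage jhonm describes above, turned into a small script as an added example (not code from the thread or from WordPress). It parses Apache "combined" access-log lines and flags requests to PHP files that stock WordPress does not ship in the web root, or to any PHP file under wp-content/uploads, counting POSTs per path because a web shell usually receives its input in the request body. The log lines and file names below are constructed samples; the list of stock root files is an assumption taken from a default WordPress install.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the thread's server).
# The random-looking file names mirror the kind of drop-in the thread describes.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Sep/2021:15:20:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2541 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Sep/2021:15:20:09 +0000] "POST /ltooju.php HTTP/1.1" 200 118 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2021:15:21:44 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Sep/2021:15:22:03 +0000] "POST /ltooju.php HTTP/1.1" 200 9310 "-" "curl/7.76.1"
198.51.100.7 - - [19/Sep/2021:15:25:30 +0000] "GET /index.php HTTP/1.1" 200 40211 "-" "curl/7.76.1"
203.0.113.10 - - [19/Sep/2021:15:26:11 +0000] "POST /wp-content/uploads/2021/09/x9k2.php HTTP/1.1" 200 77 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed: PHP files a default WordPress install places in the web root.
STOCK_ROOT_PHP = {
    "index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php", "wp-load.php",
    "wp-config.php", "wp-settings.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-signup.php", "wp-activate.php", "wp-trackback.php", "wp-links-opml.php", "wp-mail.php",
}

def is_suspicious_path(path):
    """True for a .php file that stock WordPress does not ship in the web root,
    or for any .php under wp-content/uploads/, which should hold only media."""
    path = path.split("?", 1)[0].lower()
    if not path.endswith(".php"):
        return False
    if path.startswith("/wp-content/uploads/"):
        return True
    parts = path.strip("/").split("/")
    return len(parts) == 1 and parts[0] not in STOCK_ROOT_PHP

def find_suspicious(log_text):
    """Aggregate hits, POST count and client IPs per suspicious path."""
    found = defaultdict(lambda: {"hits": 0, "posts": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious_path(m["path"]):
            continue
        entry = found[m["path"].split("?", 1)[0]]
        entry["hits"] += 1
        entry["posts"] += int(m["method"] == "POST")
        entry["ips"].add(m["ip"])
    return dict(found)

if __name__ == "__main__":
    for path, info in sorted(find_suspicious(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["posts"]):
        print(f"{path}: {info['hits']} hits, {info['posts']} POSTs, from {sorted(info['ips'])}")
```

Run it against the real access log (for example `find_suspicious(open("/var/log/httpd/access_log").read())`) and review every flagged path on disk before deleting anything, since a legitimate plugin or custom script can also live outside the stock file set.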

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    @litjfoxn Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

The topic ‘My sites forward to a Hydra Onion page (When using curl)’ is closed to new replies.