WordPress site appears clear of malware, but clicking on Google search results redirects to spam sites - wordpress

An issue was brought to me involving malware on a WP environment. When I search the brand in Google and click the corresponding link, I'm redirected to a 3rd party spam site.
This has been happening for a while (over a week), but my site hasn't been put on Google's blacklist. Additionally, site scanners like , Norton Safeweb, etc. all claim the site isn't compromised.
Additional details:
I found and deleted some suspicious PHP eval() functions and then did a search and replace in my pages and database for any remaining code. After the site cleared into un-blacklisted status with Google I thought it was all over, ran updates and took numerous measures to protect the site from future infection.
However the issue still persists.

Were the nameservers ever changed by the malware or attackers? Google could have the wrong DNS information for your domain and think it's hosted at said spam site? Resubmit your site to Google or report the issue to them to resolve it (it may also be resolved automatically the next time Google tries to crawl your domain)?
It is a strange issue I have not seen before either, have you looked at your .htaccess file in the root directory? It is also possible that this has a rewrite condition that if the referrer is Google to redirect you to the spam site.

Solved this issue. At the time when this happened, this redirect attack was fairly new.
HTTP requests from visitors who passed referrer data from Google Search or Bing were being redirected, some of the time.
By targeting only those coming in from search, the webmaster or site owner is less likely to see the issue (until informed by a third party), while still manipulating a decent amount of the traffic (50% of traffic for most sites comes from search engines).
When I originally posted this question in 2012, this attack was new and because the redirect was being served server-side (directly in a lone PHP file, not via .htaccess), malware signatures from scanners didn't detect this.
Running Maldetect (with an updated database) was the best way to quarantine this issue and analyze the extent of the damage caused by malware.
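A defender's check for the search-referrer-only redirect described in this answer, added here as an example (not code from the thread): it fetches the page with search-engine and control Referer headers, without following redirects, and reports redirects that appear only for search referrers. The referrer lists, the example.org control and the injectable `fetch` parameter are assumptions.

```python
"""Probe a site for referrer-cloaked redirects (added example, not from the thread)."""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

# The cloaked redirect only fires for visitors arriving from a search engine,
# so probe with search referrers and compare against control visits.
SEARCH_REFERRERS = ["https://www.google.com/", "https://www.bing.com/"]
CONTROL_REFERRERS = [None, "https://example.org/"]  # no referrer, and a non-search one

Result = Tuple[int, Optional[str]]  # (HTTP status, Location header or None)
Fetch = Callable[[str, Optional[str]], Result]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_location(url: str, referer: Optional[str]) -> Result:
    """One GET with an optional Referer header; returns (status, Location)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because we refuse to follow
        return err.code, err.headers.get("Location")


def find_conditional_redirects(url: str, fetch: Fetch = fetch_status_location,
                               tries: int = 3) -> List[Tuple[str, int, str]]:
    """Return (referrer, status, location) for redirects seen only with search referrers.
    The redirect in the thread fired only some of the time, so each referrer is probed
    `tries` times; the `fetch` parameter is injectable (assumption) for offline testing."""
    control = {fetch(url, ref) for ref in CONTROL_REFERRERS for _ in range(tries)}
    findings = set()
    for ref in SEARCH_REFERRERS:
        for _ in range(tries):
            status, location = fetch(url, ref)
            if 300 <= status < 400 and (status, location) not in control:
                findings.add((ref, status, location or ""))
    return sorted(findings)
```

A redirect that also shows up for the control visits (for example a site-wide http to https redirect) is deliberately not reported, since only the referrer-conditional behaviour is the indicator.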

This issue seems due to the wp-vcd malware that creates rogue WordPress admin users and injects spam links. I faced a similar issue and it got resolved after following these steps.
The files you should check for and delete:
wp-feed.php
wp-vcd.php
wp-tmp.php
Multiple copies of class.theme-modules.php, and
remove a bunch of code from the start of all the functions.php files.
For details on this issue, see the following links:
https://wordpress.org/support/topic/wp-feed-php/
http://labs.sucuri.net/?note=2017-11-13

Related

A completely different site load under my domain while my main site is working fine

I'm a real newbie in this world.
I just recovered from a serious attack, and I'm trying to do things right this time.
Recently I made a quick Google search for my site and I found this page:
https://www.neocsatblog.info/CNC-Metalworking-&-Manufacturing-%C3%98-mm-for-Marble-Granite-Ceramic-Tile-312652-Woodworking-Supplies/
The problem is, my main site is a simple blog, so I do not sell anything, and obviously this link loads a completely different site from mine.
And this is not the only suspicious site that has a link with my own domain, while my main sites and pages load as usual.
Cloudflare shows many different links on the firewall; the requests come from the Russian Federation. The strange thing is that the other links they are trying to reach work too (meanwhile I block all requests from Russia and Singapore).
I don't understand this. I don't have these sites on my FTP server, and I don't have this site in my database.
Also I asked my hosting provider about this incident, they said my domain is registered and completely fine.
I'm using WordPress.
What's the next step?
How to remove this site from my domain?
I really would like to close all the backdoors.
Based on my inspections, I found the malware, whose PHP code is this:
https://app.codingrooms.com/w/YgaXOdAllXsp
It's around 3000 lines, so I'd rather not paste it in here, but you can view it at the link.
Based on the code, do I need to search for more files on my FTP?

When I search for my website domain, Google search gives spam links; how to remove them?

The website is a WordPress site and it was attacked by an XSS attack. I've already installed Wordfence and MalCare to scan and remove the malicious code and files, but the Google search results still show spam links under the main result. Most of the pages redirect to 404 pages, and I was told the Google bot will remove them automatically, but the issue still remains after 4 days. If any expert regarding this has any solutions and advice, I would much appreciate it.
You can try resubmitting your sitemap to Google in the Search Console.
Otherwise, similarly try using the Google Removals tool to temporarily remove these links; hopefully they will be cleared from the search results by the time the links are restored.
Tutorial: https://support.google.com/webmasters/answer/9689846?hl=en

Caching and/or Cookies breaking WooCommerce site

The App:
I am running a WordPress WooCommerce website and did some modifications.
Users arrive at a page called /configurator/ where they get asked different questions. After answering all questions I lead the users to a page /summary/.
On this /summary/ page an individual result is presented to the user based on their answers in the /configurator/. Also I create a cookie on /configurator/ with all answers.
I use the cookie also on /cart/ and /checkout/ to add individual information to the product we sell to the user.
The Problem:
When we went live with the website we turned on "production mode" for our website at the admin panel of our hoster. It basically turns on the CDN and enables caching.
Unfortunately users experienced problems on /summary/. It seemed that the page couldn't be loaded.
My analysis:
I think the hoster caches /summary/ and breaks my site. Following this article it makes sense that the site doesn't work any more: https://docs.woocommerce.com/document/configuring-caching-plugins/
"These pages need to stay dynamic since they display information specific to the current customer."
What the hoster says:
The hoster says they cannot exclude any subpages from being cached: "The problem was caused by coding errors in combination with the cookies that we create on /summary/"
Current Status:
I need to leave the site in development mode (without CDN and cache), which is very slow. Based on what the hoster says I can't turn on production mode because it will probably break the site again and we lose a lot of money. Currently I can't reproduce the error on a cloned version of the site :(
You should rewrite your code and instead of using cookies use WC Sessions. Every customer has a session that already works and persists throughout the whole site, just set your data in it and use it at all pages you need.

Getting Strange Google Analytics URL Data

I recently opened up my google analytics and looked at the behavior panel all pages in depth for the first time and I noticed some strange pages such as:
/amobee/a3d-ad-loader.html?a3dWebglBanner=https://cdn-production.amobee3d.com/__integration__/9cbea9d/a3d-webgl-banner.js&adName=canon_sp&bucket=cdn-production.amobee3d.com&creativeId=phone&tpt={"tpt-click":"http://r.turn.com/r/tpclick/urlid/14BFxPtiFHxrmUcNdR4QHN-0x-Yel1rNyX3oaT1U1nk4Xtdr-WJQO1XlpD1d2cgzm_yn98_nqu0l-H7-6TDbnFAVUaa81rE5Va5TPoJV_1Ntn4-ZNPeiesLCUWGi5Q0pMIlxWeHujtiWU4hIRmxZhGDbLcisF5vf52pYjnxx7sgLDq60qaLSM9lSDH_P7r3m2LfHLNhuhT3pi82fEsIKY-zMcLaIqUa9FRu7ru1ABYiMCtsmIp-lbv-0tHQ0QtXb2XvAslSEVQju5WCkGeXtYPPWcOXdh4wRx2g-XrBQLJqyt0vA7eW1L6lLODoYREs9OBPuTEypwnf63U3p8t5FBYUJmQbyMz4eKCUfVCW3oZA8XwQsSlpxKWOwnR4ICWD6Hv0vAV2VuhJR0Xs53RIHS3H9Tz63br3HTEa4ZY_kKFET9A_ftQbvMsRO4u41FP6SKbtlYbh9rP6ujKbOzAN8TRFll4D4qUWscfwlVaUN_u2u5E4Vy42t_bSnl21XJcaYEQEFVUTsKZNXtOXj9z5KcYao4xmdD4GUUWyryckAdVyWahvx4V_d16JvQHawx4X3ioQH0_wNdsrb3RVATpziopDFpbZaBPUHiKLZ-bIyufGmXpZmxg-3vX-zu1vvsZPbJNqcc9li1Ympbj3ShiZ1AiIxqUrWzljp1f1In7Z8Im-yg3_KM0J57D8-gUsHIZ-oX3ZGD89yOo93M3XBqtzuW2Hsic-itJBXhnJzspzQ4UqNbGQz9oR24Gk94As9pRznxJBPBDq4ETbqpQBtH7BoKHQ/3c/https://adclick.g.doubleclick.net/aclk?sa=l&ai=C4Uxke2G6WaDwNofbpAOzu7eoBf7D7ZRGiM-B9pQBwI23ARABIABgyabejOCk0BSCARdjYS1wdWItODQ0NTQ5NjI3NTYxOTU2N6ABjPe59APIAQmoAwGqBHxP0Hg-A8VrFKLhd4VPGK02nOSLdJlNn7XiRxtz6uzu19NuxGmz5enbVlB2iirq6fTo1Hjk0ggr3O7qFuCqnbrLdm_fi-5tala6iCF3bFK5yG40vufVOofQQ-0YefypkSbFeGdRzK6ke5XOGaI8UaVEAoiTfHwrtnGA6nyzgAbd2MidmYzBhAygBiGoB6a-G9gHANIIBQiAARAB&num=1&sig=AOD64_06gu58j3wZF6kAoqQM6TYyaPYIBQ&client=REMOVED&adurl=/url/"}
/flashtalking/ftlocal.html?ifsrc=https://cdn.flashtalking.com/xre/271/2711110/1979640/js/j-2711110-1979640.js&ftx=&fty=&ftadz=&ftscw=&ft_custom=&ftOBA=1&ft_ifb=1&ft_domain=REMOVEDft_agentEnv=0&ft_referrer=REMOVED&cachebuster=750934.4320502493&click=https://googleads.g.doubleclick.net/dbm/clk?sa=L&ai=Ce9A4rOjBWbK7BMnWkgP6w6nwB4GMv7JMitPArpwG-7idztoIEAEg0JjELWDJ5v6GgICgGcgBCagDAaoEuAFP0IwsQBfm1IhnAEcv-Kxde6xOfh27RXolPw6jRU8iIA8UyhMCIzdPsjzlztPIEk-d6gwfr438fNB4ptnk2O2-NRq8iKLUF9M4vcKS2aV9IoNcN3v5gcOhtR8Woojv_R8C-z6cDbensRSTTYYVM9RS8OIGbiXrVvsrHcU7kb8vlmMS0EIKD_5NwhCenv4gRE9-_U1Q1r05lJPI1RAJ1m2m_LPSflL_nb5m8BpwYhfJFdBGanLwgh7LwASLsqq1rgHgBAOIBd3Zs7sDkAYBoAZN2AYCgAefycxeqAemvhvYBwCgCP-hpwSwCALSCAcIgGEQARgCyBPg1p0C0BMA2BMDghQTGhF3d3cudm9sdW1lYm90LmNvbQ&num=1&cid=CAASEuRoTBJWebFR9Y_pZL7ze3vdCg&sig=AOD64_2PqRgxPypUSzjJHrRA4kFBwKQPZQ&client=REMOVED&dbm_c=AKAmf-BdHzMrPFTxYQj06utKwilI6E9GHRDztBNwp4NEhB2BuaayZ6JG_BcT226zfnDtdwABfZhe&dbm_d=AKAmf-BWr8_Qqd0y7BMDQPUfEaK5z_iR3KXo8wstJkrl5wytBRYlArCAOqS_TR4m5kPBDNYQmT520pL98pRp6u4h6seeuW53gXANeGvEaPqByEZTbKzlzs7zvX_HqjcevAzg0oDNVrcKyt6jc0SRG5LJGM-YrbtMWCm0-ceIau7y4qp_WK-X5-c&adurl=&ftimpid=35502EEB8067F1&ft_id=&ftcustom=&ftsection=&fttime=1505880237&ftcfid=6825920&ftguid=3165AF587F7584
I removed the client value and some other fields and replaced with REMOVED for anonymity purposes but I was wondering if anyone can tell me if it's malware.
I have a site that uses wordpress in the cloud and I have scanned with wordfence saying that my site is clean.
Was wondering if I should look deeper, or if this behavioral page is normal.
Amobee and Flashtalking are both advertising platforms, so it looks somebody has configured advertising tags incorrectly. Probably those clicks should be routed through the respective platforms (e.g. to record data for bid management or something like that) and instead they go directly to your page with redirect Urls appended. If you do paid advertising then you should check with the people who configured this for you.

Google listed a blog post with https and I don't know why?

Two days ago we posted a new blog on a site with the aim of being picked up for the search term "live comedy in chippenham". It’s been indexed by Google and we’re now 2nd in the results for the search query. The bad news is that for some reason the post has been indexed as a https URL so all browsers give a warning when the link is clicked.
Firefox gives this error:
The owner of www.neeld.co.uk has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
The host has confirmed that it's not a server config error and we have other posts and pages on the site that are being indexed correctly. We're using WordPress and the Yoast plugin. I can't see anywhere in Webmaster Tools that could be causing the problem.
Can anyone offer any advice please? If you search Google for "live comedy in chippenham" you'll see the issue (it's the link https://www.neeld.co.uk/live-comedy-in-chippenham/)?
It's a really strange one but something I've experienced before.
It has most likely been caused by an external link to the page using the https protocol which Google has followed before indexing the page. Google are very keen to index https pages at the moment so we might start seeing this kind of issue more often.
There's not a lot you can do other than wait for Google to realise their mistake and list the correct URL in the SERPS. You can help speed this along with a canonical link (which I can see is there), XML sitemap (which you've got) and a server level redirect of https to http.
Do not try to remove the page in Webmaster Tools as this won't have the desired effect and will stop Google reindexing the page properly.
Hope this helps.
