Categories: Malware & hacked sites :

Website redirect to : "http://www6.uiopqw.jkub.com/"

Showing 1-8 of 8 messages
Website redirect to : "http://www6.uiopqw.jkub.com/" kpierreh 8/8/12 8:09 AM
Hi. 

I am currently having a serious issues with few of my websites. Appreciate if any of the expert can help. 

My website if I search the keyword from google and click on the organic search result, it will link to this page : http://www6.uiopqw.jkub.com/

**If I key in the url directly in browser, it works perfectly.

I have contacted my hosting provider but was told they cant help and instead ask me to contact webmaster.. 

Appreciate if anybody can assist me on this.

Thanks !!

Re: Website redirect to : "http://www6.uiopqw.jkub.com/" Redleg x3 8/8/12 8:19 AM
The redirect to www6 . uiopqw . jkub . com   is typically done with a bit of obfuscated php code, the line of code will start out

eval(base64_decode(\"DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGx

The string of seemingly random characters will be pretty long.  You will need to search through your php files for a line of code like that and remove it.
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" dr.raj 8/9/12 3:37 AM
Once the code is removed, how long before the site no longer redirects? Is there anything that can be done to speed up the process?
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" Redleg x3 8/9/12 4:34 AM
Once the code is removed the redirect should stop immediately.  If pages are still redirecting then there are additional blocks of codes somewhere on the site.
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" bloggga 8/9/12 9:04 AM
same problem here but only occurs in my wordpress blogs. i removed all eval code from php files and there is no malicious code in the htacess file. however google is still redirecting to scam url after 24 hours of clean. what can be ? some kind of attack related to DNS ? anybody know how to fix it ?

help will be really appreciated.

thanks.
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" Redleg x3 8/9/12 9:44 AM
There is a listing for a simple script at 

http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html

There are instructions on how to install the script on your site and use it in the post.  Suggest you give it a try and see if it turns up anything.
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" bloggga 8/9/12 12:44 PM
Hi there , thank you very much for your help. I ran the script and i found more places where the malicious eval code was inserted. my first replace didn't saw some of the places. i asked the hosting company to remove all the code from all php files as root and that fixed the problem immediately.

i am now thinking on something to detect this problem, this looks good http://25yearsofprogramming.com/php/findmaliciouscode.htm but need root rights i think.

thank you again :)

 
Re: Website redirect to : "http://www6.uiopqw.jkub.com/" Redleg x3 8/9/12 12:48 PM
The script from 25 Years is a really good tool and you should be able to run it without root rights,  I would certainly give it a try.