Author Topic: www redirections  (Read 31529 times)


klogier

  • Guest
Re: www redirections
« Reply #15 on: February 28, 2013, 09:25:55 PM »
Uff, I found that. What now?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: www redirections
« Reply #16 on: February 28, 2013, 09:36:26 PM »
Do you know your hosting provider? Can you access your site's cpanel?

If so, open the file manager and check "show hidden files". Then look for a .htaccess file in the root directory and post its content.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

klogier

Re: www redirections
« Reply #17 on: February 28, 2013, 09:42:37 PM »

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Offline !Donovan

Re: www redirections
« Reply #18 on: February 28, 2013, 09:55:01 PM »
What sites are you being redirected on?

~!Donovan

klogier

Re: www redirections
« Reply #19 on: February 28, 2013, 09:57:43 PM »
c.mclarenz.net/click
notfound.lflink.com

but not always, also sometimes avast gives me a warning and blocks access.

Offline !Donovan

Re: www redirections
« Reply #20 on: February 28, 2013, 09:59:57 PM »
I think you misunderstood me.

What sites redirect you to c.mclarenz.net/click and notfound.lflink.com? Is it random?

~!Donovan

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: www redirections
« Reply #21 on: March 01, 2013, 12:55:27 PM »
Hi !Donovan,

If this isn't a DealPly infection, the following procedure may help.
Is there no BrowserCompanion folder found?
Does the user use two resident AV solutions? This could also have caused this.

I think the victim's hosts file has been hijacked. He could download: http://winhelp2002.mvps.org/hosts.zip
For Windows XP
Click mvps.bat and choose "run" to start up mvps.bat (*).
Press a key to continue.
A backup of the existing HOSTS file is made from the standard location C:\windows\system32\drivers\, named HOSTS.MVP.
Then the file is changed to the current MVPS Hosts version.

(*) Both Windows Vista & Windows 7 users should right click mvps.bat and choose "run as administrator" to start mvps.bat.

polonus
« Last Edit: March 01, 2013, 01:04:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
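The hosts-file hijack polonus describes above is easy to check for before (or after) swapping the file out. The script below is an added example, not part of polonus's post and not part of the MVPS hosts package: it parses a hosts file and flags every mapping whose target is neither loopback nor the 0.0.0.0 blackhole, which is exactly the shape a hijack has (a legitimate name pointed at a remote IP) and exactly what the MVPS list does not do (it only blackholes ad and malware names). SAMPLE_HOSTS is constructed; its names use reserved .example domains and its remote address is from the TEST-NET range, so none of them are real.

```python
"""Flag hosts-file entries that redirect a name to a remote address.

Added example (not from the forum post or the MVPS package). A hijacked HOSTS
file maps legitimate names to an attacker-chosen IP; blocklists like MVPS map
unwanted names to 0.0.0.0 or 127.0.0.1, which is harmless. We only report the
former.
"""
import ipaddress
import sys

# Windows default location of the hosts file.
DEFAULT_WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample, not a real hosts file. Names use the reserved .example
# TLD and 203.0.113.7 is a TEST-NET-3 address, so nothing here resolves.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example             # MVPS-style blackhole entry: fine
127.0.0.1       tracker.example         # also fine
203.0.113.7     www.bank.example        # hijack: real name sent to a remote IP
203.0.113.7     update.av-vendor.example   # hijack: vendor update host sent elsewhere
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments, blanks and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address: malformed line
        for name in parts[1:]:  # one address may carry several names
            yield ip, name.lower()


def suspicious_entries(text):
    """Return [(ip, name), ...] for mappings that point somewhere other than
    loopback or the unspecified/blackhole address, i.e. genuine redirections."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.x.x.x, ::1, 0.0.0.0, :: are how blocklists sink hosts
        flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; with no path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for ip, name in suspicious_entries(content):
        print("suspicious: %-20s -> %s" % (name, ip))
```

Run it against the live file (on Windows, the path in DEFAULT_WINDOWS_HOSTS) before replacing the file, so you have a record of what was hijacked; an empty result means the hosts file is not the source of the redirects and the cause lies elsewhere, as turned out to be the case in this thread.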

klogier

Re: www redirections
« Reply #22 on: March 01, 2013, 01:50:11 PM »
Hi !Donovan
After the steps recommended by essexboy and by my own (ComboFix) there aren't any redirections, but...
I am afraid that this infection came from my own page (targetservice.pl). Probably you ask why.
Two weeks ago the HDD in this computer was replaced because of bad sectors. But for about 3 months before that there were a lot of problems with viruses. To resolve this, one time Vista was installed on a formatted partition; two weeks ago on the new HDD. Only emails (outlook.pst) and documents/music/movies were restored from the old drive. Before that I scanned these files with avast on another computer; there weren't any infections. A few days after the HDD was replaced I noticed redirections when I tried to go to my site.


Hi polonus (good to meet a fellow countryman)
There is only one AV installed on this computer

Offline polonus

Re: www redirections
« Reply #23 on: March 01, 2013, 04:17:58 PM »
Hi klogier,

I got
Header returned by request for: htxp://targetservice.pl

HTTP/1.1 302 Moved Temporarily
Date: Fri, 01 Mar 2013 14:56:30 GMT
Server: Apache
Location: htxp://fpert.qpoe.com/    Check: http://urlquery.net/queued.php?id=15956074 (Detected a Dynamic DNS URL)
Site empty (no content - none): Content-Length: 0 zeros - Check:    http://urlquery.net/report.php?id=1134410
The connection timed out before all (any?) content was returned! (Bounce-back)...

Header goes to: htxp://fpert.qpoe.com/%20%20
HTTP/1.1 404 Not Found  IP =31.148.220.14
Get info: The requested URL /   was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at 0.0.0.53 Port 80</address>
</body></html> -> htxp://host.robtex.com/fpert.qpoe.com.html js-error DocLinks is undefined...


Date: Fri, 01 Mar 2013 17:15:11 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

Get info: The requested URL /   was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at 0.0.0.53 Port 80</address>
</body></html> htxp://host.robtex.com/fpert.qpoe.com.html js-error DocLinks is undefined...

Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Content returned by request for: htxp://targetservice.pl
Re: http://urlquery.net/report.php?id=1199928
See some broken links.
Here are the links: 8.     htxp://targetservice.pl/comments/feed/     (404) BROKEN Page not found = The page you requested does not exist.
15.     htxp://fonts.googleapis.com/css?family=DroidSans     (400) BROKEN code, does not function on Android
your font-family should be the same as those you declared in the CSS. Please check that the address is correct or try again later.
Re: http://jsunpack.jeek.org/?report=9b112efd813682a57f1765ae3e40b15ff5459cb4  (showing a 404 error)
17.     #     (404) BROKEN
34.     #     (404) BROKEN
43.     #     (404) BROKEN
44.    #    (404) BROKEN

regards.

polonus
« Last Edit: March 01, 2013, 06:22:31 PM by polonus »

klogier

Re: www redirections
« Reply #24 on: March 01, 2013, 05:47:08 PM »
polonus, what does this mean for me? I don't know much about this.

Offline polonus

Re: www redirections
« Reply #25 on: March 01, 2013, 06:30:51 PM »
Hello klogier,

I want to report this matter to the hoster! It is a server matter, that's the game!
What can I do myself? You can do this ->: http://evuln.com/labs/fpert.qpoe.com/
and further: http://evuln.com/hacked/redirect.html  (info link author = Alex (Aliaksandr Hartsuyeu penetration tester))

regards,

polonus
« Last Edit: March 01, 2013, 06:57:19 PM by polonus »

Offline polonus

Re: www redirections
« Reply #26 on: March 01, 2013, 09:33:39 PM »
Hi !Donovan,

Here we have the verdict: http://evuln.com/tools/malware-scanner/targetservice.pl/
Malicious redirects
    Found

Visitors from search engines are redirected to the 3rd-party URL:
htxp://fpert.qpoe.com/ (1993 websites infected)

The website "targetservice dot pl" is most probably hacked and losing its visitors. You need to take action as soon as possible to fix security issues.

Google Safe Browsing
Query: http://www.google.com/safebrowsing/diagnostic?site=targetservice.pl

Result: This site is not currently listed as suspicious.
Redirection of visitors coming from search engines
First query - normal visit.
GET / HTTP/1.1
Host: targetservice dot pl

Result:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 01 Mar 2013 20:29:55 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
X-Pingback: http://targetservice dot pl/xmlrpc.php

17586 bytes of data
Second query - visit from search engine.
GET / HTTP/1.1
Host: targetservice dot pl
Referer: http://www.google.com/search?q=targetservice dot pl

Result:
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 01 Mar 2013 20:29:55 GMT
Location: htXp://fpert.qpoe.com/
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html
External iFrames on targetservice.pl
No suspicious iFrames found.
Suspicious JavaScript code on targetservice.pl (0 warnings in 16 scripts)

Note: this is a beta version of JS code scanner. Results are not 100% accurate.
There is no suspicious JS code found,

polonus
« Last Edit: March 01, 2013, 09:38:39 PM by polonus »

Offline polonus

Re: www redirections
« Reply #27 on: March 01, 2013, 09:50:05 PM »
How did this occur? Well, this was another xmlrpc.php file hack. Re: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
(link article posted by Holy Shmoly)
Evidence comes here:
Header returned by request for: htxp://targetservice.pl/xmlrpc.php

HTTP/1.1 302 Moved Temporarily
Date: Fri, 01 Mar 2013 20:39:56 GMT
Server: Apache
Location: htxp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Quote
As of 2.6 you can deactivate XML-RPC from within your Dashboard. Settings -> Writing and scroll down to Remote Publishing where you will see a checkbox to activate/deactivate remote publishing. (Enable the WordPress, Movable Type, MetaWeblog and Blogger XML-RPC publishing protocols.)

If you're constantly getting hacked make sure you're using the latest version of WP. Have you checked your plugins? Perhaps you're using an outdated/vulnerable one? You may want to read:  http://codex.wordpress.org/Hardening_WordPress
Quote taken from http://wordpress.org/support/topic/xmlrpcphp-file-necessary-getting-hacked-can-i-remove-the-file (link quote author = len)

polonus
« Last Edit: March 01, 2013, 10:05:02 PM by polonus »
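The two evuln results polonus quotes in Reply #26 and Reply #27 both come down to the same test: the same GET answered with 200 when sent plainly and with a 302 to an off-site Location when it carries a search-engine Referer (or, for xmlrpc.php, when the hacked file is hit directly). The script below is an added example, not code from the forum post or from evuln.com, that performs that comparison. Its offline part parses two raw responses constructed to have the same shape as the headers quoted in the thread (the Location is a placeholder on the reserved .invalid TLD, not the real redirect host); the live helper does the two requests with urllib against a site you administer, without following redirects, so the 302 itself is what gets inspected. The Referer string and the User-Agent are assumptions, chosen only to look like a search-engine visitor.

```python
"""Detect a referer-conditional ("cloaked") redirect on a web site.

Added example, not from the thread or from evuln.com. Request the same URL
twice, once plain and once with a search-engine Referer; a clean site answers
both the same way, a hacked one redirects only the second visitor.
"""
import re
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumed: any search-engine referer will do for the check.
SEARCH_REFERER = "http://www.google.com/search?q=example"

# Constructed responses modelled on the header shapes quoted in the thread.
# The Location is a placeholder on the reserved .invalid TLD, not a real host.
NORMAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Server: Apache\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>site content</body></html>"
)
REFERER_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Connection: close\r\n"
    "Location: http://redirect-target.invalid/\r\n"
    "Server: Apache\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_status_and_headers(raw):
    """Return (status_code, {lower-case-name: value}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in raw else raw.split("\n\n", 1)[0]
    lines = [ln.strip() for ln in head.splitlines() if ln.strip()]
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def conditional_redirect(normal_raw, referer_raw):
    """Return the Location only the referer-carrying request was sent to, else None.

    A site that redirects everybody is a plain (possibly legitimate) redirect and
    is not reported; only the difference between the two visitors is."""
    status_plain, _ = parse_status_and_headers(normal_raw)
    status_ref, hdrs_ref = parse_status_and_headers(referer_raw)
    if status_plain in REDIRECT_CODES:
        return None
    if status_ref in REDIRECT_CODES and "location" in hdrs_ref:
        return hdrs_ref["location"]
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand the 3xx back to us instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url, referer=None):
    """Live helper: GET url once and return its status line plus headers as raw text."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})  # assumed UA
    if referer:
        req.add_header("Referer", referer)
    try:
        resp = opener.open(req, timeout=15)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx still carry a status and headers
    lines = ["HTTP/1.1 %d %s" % (resp.code, resp.reason or "")]
    lines += ["%s: %s" % (k, v) for k, v in resp.headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def check_site(url):
    """Live two-visitor check; returns the cloaked Location or None."""
    return conditional_redirect(fetch_head(url), fetch_head(url, SEARCH_REFERER))


if __name__ == "__main__":
    # Offline demonstration on the constructed responses; for a live run call
    # check_site("http://your-site.example/") and check_site(".../xmlrpc.php").
    print(conditional_redirect(NORMAL_RESPONSE, REFERER_RESPONSE))
```

Run check_site against both the front page and /xmlrpc.php of a site you are responsible for: a non-None result is the same verdict evuln gave here, and the returned Location is what to hand to the hoster. Because the plain request is compared against the referer-carrying one, a site that legitimately redirects every visitor (for instance to its www. host) is not mistaken for a hacked one.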

Offline !Donovan

Re: www redirections
« Reply #28 on: March 02, 2013, 03:15:38 AM »
Hi Polonus,

Excellent analysis of the suspect site. I wouldn't have figured it out myself. It's also interesting that the xmlrpc.php exploit was used, as recently reported on The WAR here: http://websiteanalystsresource.wordpress.com/2013/02/20/xmlrpc-php-malware/

I hope to use this newly obtained knowledge in the near future.

Many Thanks,
~!Donovan

Offline polonus

Re: www redirections
« Reply #29 on: March 02, 2013, 04:21:49 PM »
Hi !Donovan,

You are welcome, my friend. But don't be so modest, as you helped me get to that detection in some respects. Well, bookmark these scanners at http://evuln.com/tools/
Relying on "good old" Google Safe Browsing detection and their JavaScript beta scanner, they might come up with some new detections that were missed at Sucuri's.
Keep up the good work at the WAR site for us,

Damian