Site Redirects To Porn On iPad

Hope your site is not hacked. I think you need to start working your way through these resources:

How to clean and fix hacked WP blog:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
https://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/
https://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/
https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/

Harden your WP installation: https://codex.www.ads-software.com/Hardening_WordPress

Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

You should download Wordfence Security.

Thanks very much both of you. I scanned the site with Wordfence and then deleted the code that was causing the redirect from the .htaccess file and I think it’s working now!

Make sure there is no backdoor. See list of resources in my previous post

For developers, here is how you remove the malicious code that causes this redirect.

So basically what you want to search for in your code is the ‘str_replace(‘ function. It will be obvious in your search which files are infected, as there are several hundred encrypted characters side by side in your file.

Check out the attached screenshot. What made this tricky is the beginning of the code starts with <?php , but then has about 1000 blank spaces before the malicious code starts (sneaky bastards). What also made this tricky is the timestamp on the files shows up as unchanged, so they do not look suspect just by viewing them via ftp. It seemed to infect all of my files named index.php, header.php, and functions.php. As well as some various other files. The code is isolated to the very first line of code in all the files.

Hope someone else may find this helpful.

noslenwerd: I’m having a redirect on my site now. Where do you put that code for the search. I’m not a developer so be gentle.

Thanks.

Hello…wanted to share the code that a hacker placed on a client’s wordpress site. I went ahead and ran it through a couple iterations of base64 decoding to get the actual code.

Encoded Launch Code embedded in your PHP pages (variables are different on each page, so search for the “<?php (and 20+ spaces)”
https://ideone.com/73pfAL

Decoded Hack
https://ideone.com/MEg3wO

They place the code typically in the header.php, index.php, functions.php and wp-config.php, but I would check your entire directory. It’s not obvious the code is there if you don’t have word wrap on. They inject it at the top, starting with “<?php (100s more spaces)” until it’s way off screen to the right. You’ll know it when you see it. It’s a nifty little bugger that uses arrays and the chr() function to build an “eval()” statement. That then runs the main hack.

The basic functionality is that it runs only on iphones and ipads. They redirect you to a mock up of the iTunes store to download a porn app called “BaDoink”. It captures your IP address and places it in a file they created in a temp directory or the root of your WP installment. It’s named “.. “. You typically just overlook it.

Anyway, hope this helps in case you find yourself or a client’s site hacked.?

Just be aware that removing the malicious code will only remove the symptom of the hack.

Hi Everyone,
How are things??…
@just MOE, I have a very similar issues in a few wp site, how you clean your client site?… Just deleting the code at top? What you done with the “…” file..

@andrew what you recommend???

I have use wordfence to found the infected files, but sometime it not found all….

All the best,

If you require assistance then, as per the Forum Welcome, please post your own topic instead of tagging onto someone else’s topic.

I am now closing this 10 month old, resolved, topic as it references an older version of WordPress.