Recently, there have been an increasing number of cases where sites have been tampered with, redirecting users to a fake Windows virus removal page or PC repair page only when accessing the site via Google.
In this issue, we will deliver an explanation of this case and countermeasures.
Case Study of Redirect Hack Tampering on a WordPress Site
The following symptoms appear on the site.
When users jump to the site from search results, they are forcibly redirected to a site that is different from the intended page.
In some cases, audio may be played forcibly on sites that urge users to disinfect Windows viruses or restore their PCs.
Symptoms do not always appear, but may appear only the first time or with random probability.
What kind of code is embedded in the site?
A recent trend in redirect hacks is to load a malicious JS file into the site. This JS file is executed when the page is loaded and executes code that redirects the user to another site with random probability.
As an example, the following code is inserted after the link in the post. (The hacker searches for the link string in the post and mechanically sneaks the malicious code afterwards.)
<script src="http://XXXX/jquery.js"></script>
If your site is getting redirected for visits from search results, please check for malicious scripts embedded in that post.
It may also be the case that the site’s theme files header.php and footer.php have been tampered with so that the incorrect JS is loaded on all pages.
Example of header file tampering
The above is an example of malicious code that has been obfuscated (made difficult for people to read) and written into the theme’s header.php, which is loaded on all pages.
How do hackers deface sites?
How do hackers perform such tampering? The most common way is to alter files from the admin screen by taking away administrative privileges. Once they have gained administrator privileges, they can alter files from the admin screen and embed malicious code, called a backdoor, that can easily be used to alter the site in the future.
Example of backdoor code
The above code contains obfuscated POST and GET codes that receive information via a browser, and Evel, which converts the received information into an executable program.
Two main methods are often used to take away administrative privileges.
(1) Exploiting vulnerabilities in WordPress itself or plug-ins to gain administrative privileges.
(2) By running the login operation tens of thousands of times from the login screen using software to retrieve the password and steal administrative privileges.
In the case of (1), security can be improved by keeping WordPress and plug-ins up-to-date. In the case of (2), it can be prevented by using a function called “login lockdown” that prohibits login for several minutes after a certain number of failed login attempts, changing the URL of the login page, and changing the password to one that contains at least 12 one-byte alphanumeric characters and symbols.
Special Cases of Redirect Hacks
There are cases where a site has been invaded by a redirect hack even though WordPress and official plug-ins are used and have not been tampered with. This is an actual case.
Plug-ins distributed on official sites contain tampering code.
Reference article: The case of the suspension of the Display Widgets plugin containing malware and how to deal with it
(We will not reveal the name of the company, but after inquiring with the company, we received a response that they are reviewing their advertisements due to a number of similar cases.)
Computers and smartphones that are viewing the site are infected with a virus.
Reference article Norton: How to eliminate browser hijacker malware
What to do if you have already been hacked
Please note that updating WordPress itself or the plug-ins may not remove the backdoor, other tampered files, or tampered embedding in posts if the site has already been hacked.
Also, once administrator privileges have been taken away, hackers can re-enter through the backdoor.
At WordPress Doctor, we have experience in recovering from hundreds of tampering incidents and have the know-how to take security measures to prevent further tampering.
We will thoroughly remove the tampered files and backdoors from our database of tampered files and install security measures on your site to make it difficult for hackers to hack your site in the future.
Free site tampering code scanning and detection – WordPress Doctor: Malware Scanning Plugin