How to Recover from Malicious Redirect Malware Hack

One of the most popular tactics of malicious attackers is to add malicious redirect malware to a site for the purpose of driving traffic to another site. This can be detrimental not only to the site owner, but to site visitors as well. A malicious redirect often brings an unsuspecting site visitor to spam sites or even sites that could infect the user’s computer with malware that can be tricky to eliminate.

In this post, we’ll talk about what malicious redirect malware is, why hackers use this tactic, how to determine whether or not your site is affected by this malware, and some possible solutions to recovering your site from the effects of malicious redirect malware.

As well, we’ll outline some important steps to ensure that your site remains protected once recovered.

What Is Malicious Redirect Malware?

A malicious redirect is code, usually JavaScript, that is inserted into a website with the intent of redirecting the site visitor to another website. Often, this malware is added to a WordPress website by attackers who want to generate advertising impressions on another site. However, some malicious redirections have more serious implications. A more serious malicious redirect sends the visitor to a site that exploits vulnerabilities in the visitor’s computer, with the aim of installing malware that can be very damaging to a user’s Mac or Windows computer.

Determining if your site is infected

Site owners might be unaware that their site is redirecting. Often, malicious redirects are hidden so that only non-authenticated visitors (users who aren’t logged in) are redirected. Or, the script might detect which browser the visitor is using and redirect only that particular browser. For example, if the attackers are aiming to infect personal computers with malware that only works against vulnerable versions of Chrome, only visitors using such a version, as detected by the malicious script, will be redirected. It might take some investigation to determine what is going on.

A site owner could attempt to replicate the redirection that was reported by a customer, only to see that everything looks fine on their own computer, while site visitors on mobile platforms are, at the very same time, experiencing malicious activity. The redirect might happen on some pages and not others. Or, it might happen before the site even loads.

Why Is My WordPress Site Redirecting To Another Site?

If your site is redirecting, there are a few methods that attackers can use to create a redirect. All of these are perfectly valid ways of creating a redirect; in malicious instances, however, they are definitely not in the site visitor’s best interests. The primary methods are a .htaccess redirect or a JavaScript redirect. In rare cases, you might find a redirect done with an HTTP-style refresh (e.g., a META HTTP-EQUIV=REFRESH tag), but these are rare. In many cases, the redirect is obfuscated, meaning that functions are used to hide the true intention of the code. This obfuscation is often the first clue that something is wrong, but attackers are betting that most WordPress site owners will be intimidated by the obfuscation and not want to dig deeper.

Where Exactly is the Redirect Infection Located?

There are several areas where hackers will insert their malicious code to cause a WordPress redirect hack to happen.

1. PHP files

Attackers can infect your site by injecting code into any of the WordPress core files. Check the following files for malicious code. If you’re unsure what code is malicious and what is not, you can always compare the files to known good copies of WordPress core or of your theme and plugin files:

  • index.php
  • wp-config.php
  • wp-settings.php
  • wp-load.php
  • .htaccess
  • Theme files (wp-content/themes/{themeName}/)
    • header.php
    • functions.php
    • footer.php

2. JavaScript files

Some variants of redirect malware will infect every JavaScript (.js) file on your site, including the JavaScript files in the plugin and theme folders and in wp-includes.

And typically, the same malicious code will be added at the very top or bottom of each JavaScript file.
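As an added example (not part of the original article and not iThemes code), here is a small POSIX shell script that looks for exactly that pattern: one long line that shows up at the very top or bottom of many .js files at once. It builds a throwaway site tree under a temporary directory as a constructed fixture; in practice you would point shared_js_edge_lines at your own local copy of the site. The function names and the placeholder "injected" line are my own.

```bash
#!/bin/sh
# Added example, not iThemes code: find a line that has been appended to (or
# prepended to) many .js files at once. Assumes a local copy of the site and
# the POSIX tools sh, find, awk, sort; the paths below are constructed.

# Print "file<TAB>first-non-empty-line" and "file<TAB>last-non-empty-line"
# for every .js file under $1.
js_edge_lines() {
  find "$1" -type f -name '*.js' | while IFS= read -r f; do
    printf '%s\t%s\n' "$f" "$(awk 'NF { print; exit }' "$f")"
    printf '%s\t%s\n' "$f" "$(awk 'NF { l = $0 } END { print l }' "$f")"
  done
}

# Report edge lines at least $3 characters long (default 120) that occur in
# at least $2 distinct files (default 3). Output: count<TAB>line, most
# widespread first. Short shared lines such as "(function(){" are ignored.
shared_js_edge_lines() {
  minfiles=${2:-3}; minlen=${3:-120}
  js_edge_lines "$1" | awk -F '\t' -v minlen="$minlen" '
    { file = $1; line = substr($0, length($1) + 2) }   # the line may contain tabs
    length(line) >= minlen { seen[line SUBSEP file] = 1 }
    END {
      for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
      for (l in n) printf "%d\t%s\n", n[l], l
    }' | awk -F '\t' -v minfiles="$minfiles" '$1 >= minfiles' | sort -rn
}

# --- Constructed fixture: three .js files share one long appended line
# (a harmless placeholder standing in for an injected payload); two are clean.
SITE=$(mktemp -d); trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-includes/js" "$SITE/wp-content/themes/demo/js" "$SITE/wp-content/plugins/demo"
INJECTED='var _0x=["demo","redirect","example"];(function(d){/* constructed placeholder of a long obfuscated line */ d.dummy=_0x[0]+_0x[1]+_0x[2];})(document);//'
for f in wp-includes/js/a.js wp-includes/js/b.js wp-content/themes/demo/js/theme.js; do
  printf 'function %s(){return 1;}\n%s\n' "$(basename "$f" .js)" "$INJECTED" > "$SITE/$f"
done
printf 'jQuery(function($){$(".x").hide();});\n' > "$SITE/wp-content/plugins/demo/clean.js"
printf '/* empty */\n' > "$SITE/wp-content/themes/demo/js/empty.js"

# Number of distinct widespread lines found (1 for the fixture).
flagged_line_count() { shared_js_edge_lines "$SITE" 3 100 | wc -l | tr -d ' '; }

shared_js_edge_lines "$SITE" 3 100
```

On a real site, raise the file threshold if a legitimately shared banner comment is reported; the injected line is normally both long and present in far more files than any vendor header.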

3. The .htaccess file

Your .htaccess file is a set of directives that tell your web server what to do as soon as it receives a request from a site visitor. It engages before PHP, before any calls to your database, and it can detect certain “environment variables” that tell your server a little about the system a user is on, such as their browser, the type of computer, and even if the request for your site’s pages is coming from a search engine crawler.

If you’re unfamiliar with what a normal WordPress .htaccess file looks like, much of the code in .htaccess can be confusing. And, if you download the .htaccess file to your hard drive to take a deeper look, it can often disappear on you, because many personal computers treat this file type as a “hidden file.”

The very common Pharma hack where malicious code is added into the .htaccess file will often only redirect site visitors if they are coming from a search engine result page.

Hackers place their malicious code so that you can’t find it within the file unless you scroll far to the right. This makes it a lot harder to spot and remove these redirection hacks.
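As an added example (not part of the original article and not iThemes code), the following POSIX shell functions run three quick checks against a .htaccess file for the tricks just described: lines that are unusually long, lines whose content is pushed far to the right behind whitespace, and rewrite rules keyed on the referrer or user agent or pointing at an external URL. The .htaccess it tests against is a constructed fixture with a placeholder target domain; the function names are my own.

```bash
#!/bin/sh
# Added example, not iThemes code: three quick checks for the .htaccess tricks
# described in the article. Assumes POSIX sh, awk and grep; the .htaccess
# below is a constructed fixture, not taken from any real site.

# Lines longer than $2 characters (default 200): the standard WordPress block
# never needs them, injected rules often do.
htaccess_long_lines() {
  awk -v max="${2:-200}" 'length($0) > max { printf "%d: %d chars\n", NR, length($0) }' "$1"
}

# Lines whose first non-blank character sits more than $2 columns (default 40)
# to the right, i.e. code hidden behind leading whitespace.
htaccess_hidden_lines() {
  awk -v max="${2:-40}" 'match($0, /^[ \t]*/) && RLENGTH > max && NF { printf "%d: %d leading blanks\n", NR, RLENGTH }' "$1"
}

# Rewrite conditions keyed on the referrer or user agent, rules that send the
# visitor to an absolute URL, and plain Redirect directives: read each by hand.
htaccess_redirect_rules() {
  grep -n -i -E 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}|Rewrite(Rule|Cond)[[:space:]].*https?://|^[[:space:]]*Redirect' "$1" || true
}

# --- Constructed fixture: the standard WordPress block followed by two rules
# pushed 250 columns to the right (placeholder target, not a real domain).
HT=$(mktemp); trap 'rm -f "$HT"' EXIT
pad=$(printf '%250s' '')
cat > "$HT" <<EOF
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
${pad}RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
${pad}RewriteRule .* https://redirect-target.invalid/ [R=302,L]
EOF

htaccess_long_lines "$HT"
htaccess_hidden_lines "$HT"
htaccess_redirect_rules "$HT"
```

Each check prints the line number, so you can open the file in an editor and jump straight to the suspect line instead of scrolling for it.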

4. The WordPress database

The wp_options and wp_posts tables are typically the tables in a WordPress database that are targeted by hackers inserting malicious redirects. JavaScript code can be found embedded in some of your posts or even all of them. You can often also find redirections in your wp_options table if they are hidden in widgets.

5. Fake favicon.ico files

Malware exists that will create a randomly named .ico file or a rogue favicon.ico file on your site’s server containing malicious PHP code. The .ico file holds the malicious redirect, which is then pulled in by an include line added to another file on your site, such as:

@include "/home/sitename/sitename.com/cdhjyfe/cache/.2c96f35d.ico";
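As an added example (not part of the original article and not iThemes code), here are two POSIX shell functions for this case: one lists every .ico file on the site that either lacks the real icon header (bytes 00 00 01 00) or contains a PHP open tag, and the other lists include/require statements in PHP files whose target ends in .ico. The directory tree it runs against is a constructed fixture; the file name .constructed.ico and the function names are my own placeholders.

```bash
#!/bin/sh
# Added example, not iThemes code: spot .ico files that are really PHP, and the
# PHP files that include them. Assumes POSIX sh, find, od, tr and grep; the
# tree created below is a constructed fixture with a placeholder file name.

# Every *.ico (dotfiles included) under $1 that either lacks the ICO header
# 00 00 01 00 or contains a PHP open tag. A genuine favicon passes both tests.
php_in_icons() {
  find "$1" -type f -name '*.ico' | while IFS= read -r f; do
    header=$(od -An -N4 -tx1 "$f" | tr -d ' \n')
    if [ "$header" != "00000100" ] || LC_ALL=C tr -d '\000' < "$f" | LC_ALL=C grep -q '<?php'; then
      printf '%s\n' "$f"
    fi
  done
}

# include/require statements in PHP files whose target ends in .ico, the
# pattern shown in the article. Output: file:line:text (/dev/null is passed
# only so that grep always prints the file name).
ico_includes() {
  find "$1" -type f -name '*.php' -exec grep -n -E '(include|require)(_once)?[^;]*\.ico' /dev/null {} +
}

# --- Constructed fixture.
SITE=$(mktemp -d); trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-content/cache"
# A genuine (truncated) icon: ICO header plus a few bytes of payload.
printf '\000\000\001\000\001\000\020\020' > "$SITE/favicon.ico"
# A "hidden" .ico that is really PHP (harmless placeholder body).
printf '<?php /* constructed placeholder standing in for injected code */ echo "x"; ?>\n' \
  > "$SITE/wp-content/cache/.constructed.ico"
# An index.php that has had an @include of that file added near the top.
printf '<?php\n@include "%s/wp-content/cache/.constructed.ico";\nrequire __DIR__ . "/wp-blog-header.php";\n' \
  "$SITE" > "$SITE/index.php"

icon_findings() { php_in_icons "$SITE" | wc -l | tr -d ' '; }
include_findings() { ico_includes "$SITE" | wc -l | tr -d ' '; }

php_in_icons "$SITE"
ico_includes "$SITE"
```

Because the header check does not depend on the file's name, it also catches rogue icons that use a random name rather than favicon.ico.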

Recovering from a malicious redirect quickly

If you’ve been hit with a malicious redirect hack, the fastest and easiest way to recover from this type of malware is to restore from a known good backup. If you’re taking regular backups of your site with BackupBuddy, then you know you’ve got a recent backup that contains a good copy of your site. Restoring your site from a known good backup is an excellent way to get your site back up and running quickly.

Of course, if you’re running a site that has content that changes frequently, the best defense against a malicious redirect is a good recent backup, and intrusion detection so you are alerted quickly to a problem. In this way, you can take action quickly and minimize downtime.

Then you must turn to your access logs to determine how the hacker got in to place the redirect.

A note about add-on domains

One of the most common ways that WordPress sites get hacked is from unmaintained add-on domains or additional installations of WordPress in your hosting account. Maybe you set up a test site to see if something might work in the same account, and you forgot about that install. A hacker discovers it and exploits vulnerabilities in the unmaintained site to install malware on your main site. Or, maybe you have your family member’s site also hosted in the same space to save money, but they are reusing compromised passwords.

It’s always best to have one WordPress site in one hosting account, or if you are using multiple sites in the same hosting account, ensure that they are isolated from one another and use a different server-based user for each site. In this way, cross-contamination from one vulnerable site to another adjacent site cannot happen.

If you do have more than one site in your hosting account, you’ll need to treat all sites running in the same space (e.g., all sites running under public_html) as if they are all contaminated with malicious redirect malware. If you do have a case like this, make sure that each of these steps is done for each of the sites within that hosting instance. If you’re unsure, check with your hosting provider.

Scanning your site for WordPress redirect hack malware

If you don’t have a recent clean backup, you can still remove malware on your own. Doing so can be a tedious process, and you’ll need to look for more than just redirect malware. It is most common for redirect malware to be accompanied by other malware including backdoors and rogue admin users, and you’ll also need to determine how the hacker got in, often called the “intrusion vector.” Not taking a holistic approach towards malware removal ensures that the redirection problem will come back.

iThemes Security Pro has a File Change Detection feature that will alert you if any file changes occur on your website, such as changes that would indicate a redirect hack or backdoors.

Here is our recommended malware removal process.

1. Back up the site

Yes, even though the site is infected, you’ll want to preserve the evidence of what has happened. Consider any hack a crime scene, and you’ll want to know what happened, and when. File timestamps will be helpful in your investigation when you determine how the intrusion happened so you can prevent it from happening again.

2. Determine if you need to take the site down

With a malicious redirect, you might want to temporarily take your site down for maintenance. Not all redirects would warrant this, but if your site is redirecting to a place that might harm a user’s computer, taking the site down for a time would prevent further damage.

If you think the hacker might still be active on the site (if you don’t know, assume they are), taking the site down and making it inaccessible can prevent further damage.

Each situation will be different; you’ll need to make this determination based on what is happening.

3. Copy the site to a local drive

Keeping your backup, copy the site to a local drive. We recommend doing the cleanup on a local drive, using a text editor to review all files — from your PHP and JavaScript files to your .htaccess file — in a local environment that is inaccessible from the internet. In this way, you have a controlled environment in which to examine files. You can download a fresh copy of WordPress, your theme, and your plugins and do file comparisons against your hacked site to see which files were changed and which files simply do not belong. There are numerous file comparison tools that you can use.

4. Remove redirections and hidden backdoors

As you look through your files, you can either replace files that have malware in them with known good copies or, if you are comfortable doing so, remove the files that shouldn’t be there (usually backdoors) and the lines of code that shouldn’t be there with a text editor.

Check your /wp-content/uploads directory and all of the sub-directories for PHP files that shouldn’t be there.

Some files will be different from anything you can download from the WordPress.org repository. These include your .htaccess file and your wp-config.php file. These will need to be examined closely for any errant malicious code. Both can contain redirects, and the wp-config.php file can contain backdoors.
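As an added example covering steps 3 and 4 (not part of the original article and not iThemes code), this POSIX shell script does the local comparison with a fresh download: it turns diff -rq output into a list of modified, added and missing files, lists PHP files that have no business being in wp-content/uploads, and then greps only the changed or added PHP files for the functions the article names later (eval, gzinflate, base64_decode and similar). Both directory trees are constructed stand-ins for a real WordPress download and a real site copy; the function names are my own.

```bash
#!/bin/sh
# Added example, not iThemes code: compare a copy of the hacked site against a
# fresh WordPress download, list PHP files sitting in wp-content/uploads, and
# grep only the changed or added PHP files for suspicious function calls.
# Assumes POSIX sh, diff, find, awk and grep; both trees below are constructed.

# diff -rq output rewritten as "MODIFIED|ADDED|MISSING<TAB>relative/path".
# $1 = clean tree, $2 = site copy. Theme and plugin folders can be compared
# against their own fresh copies the same way.
compare_to_clean() {
  c=$1; h=$2
  diff -rq "$c" "$h" | awk -v c="$c" -v h="$h" '
    /^Files / {                          # "Files A and B differ"
      s = substr($0, 7); s = substr(s, 1, index(s, " and ") - 1)
      print "MODIFIED\t" substr(s, length(c) + 2); next
    }
    /^Only in / {                        # "Only in DIR: name"
      s = substr($0, 9)
      dir = substr(s, 1, index(s, ": ") - 1); name = substr(s, index(s, ": ") + 2)
      if (substr(dir, 1, length(h)) == h) { rel = substr(dir, length(h) + 2); kind = "ADDED" }
      else                               { rel = substr(dir, length(c) + 2); kind = "MISSING" }
      print kind "\t" (rel == "" ? name : rel "/" name)
    }' | sort
}

# PHP (or PHP-like) files under wp-content/uploads of tree $1: none belong there.
stray_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# For each MODIFIED or ADDED .php file, print lines calling functions that
# rarely appear in a legitimate change. Output: relpath:line:text
suspicious_calls_in_changed() {
  compare_to_clean "$1" "$2" | awk -F '\t' '$1 != "MISSING" { print $2 }' | while IFS= read -r rel; do
    f="$2/$rel"
    case "$rel" in *.php) [ -f "$f" ] || continue ;; *) continue ;; esac
    grep -n -E '(eval|gzinflate|base64_decode|str_rot13|create_function)[[:space:]]*\(' "$f" | sed "s|^|$rel:|"
  done
}

# --- Constructed fixture: a tiny "clean" core and a copy of it with one core
# file modified, one deleted, and a PHP file dropped into uploads.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/clean/wp-includes"
printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$WORK/clean/index.php"
printf '<?php\nrequire_once __DIR__ . "/wp-settings.php";\n' > "$WORK/clean/wp-load.php"
printf '<?php\n$wp_version = "6.0";\n' > "$WORK/clean/wp-includes/version.php"
printf 'GPL\n' > "$WORK/clean/license.txt"
cp -R "$WORK/clean" "$WORK/hacked"
mkdir -p "$WORK/hacked/wp-content/uploads/2022/10"
printf '<?php\ndefine("DB_NAME", "example");\n' > "$WORK/hacked/wp-config.php"
printf '/* constructed marker */ eval(base64_decode($p));\n' >> "$WORK/hacked/wp-load.php"
rm "$WORK/hacked/license.txt"
printf 'placeholder image bytes\n' > "$WORK/hacked/wp-content/uploads/2022/10/photo.jpg"
printf '<?php /* constructed: a PHP file that does not belong in uploads */\n' \
  > "$WORK/hacked/wp-content/uploads/2022/10/upload-handler.php"

compare_to_clean "$WORK/clean" "$WORK/hacked"
stray_php_in_uploads "$WORK/hacked"
suspicious_calls_in_changed "$WORK/clean" "$WORK/hacked"
```

Restricting the grep to changed files is what keeps the output readable: WordPress core itself calls base64_decode and preg_replace in plenty of places, so grepping the whole tree would bury the one line you need to see.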

5. Upload your cleaned files to your server

To wipe out all malware at once, preventing access to any backdoors that were active on the hacked site, upload your cleaned site adjacent to your hacked site. For example, if your hacked site is under /public_html/, upload your clean site next to it at /public_html_clean/. Once there, rename the live /public_html/ directory to /public_html_hacked/ and rename /public_html_clean/ to /public_html/. This only takes a few seconds and minimizes downtime if you chose not to take your site down at the start of the cleaning process. It also prevents you from trying to clean a hacked live site under attack by playing “whack-a-mole” with an active attacker.

Now that the files are cleaned, you still have some work to do. Double-check that the site looks ok on the front end, as well as within wp-admin.

6. Look for malicious admin users

Look for any malicious administrative users that were added to your site. Head to wp-admin > users and double-check that all admin users are valid.

7. Change all administrative passwords

Consider all admin accounts to be compromised and set up new passwords for all.

8. Protect against malicious registrations

Head to wp-admin > settings > general and make sure that the setting for “Membership” named “Anyone Can Register” is disabled. If you need users to register, ensure that the “New User Default Role” is set only to Subscriber and not to Admin or Editor.

9. Search the Database For Any Malicious Links

Search your WordPress database manually for malicious code in a similar way to how you searched the file system. To do this, log in to phpMyAdmin or another database management tool and select the database your site is using.

Then search for terms like:

  • eval
  • script
  • gzinflate
  • base64_decode
  • str_replace
  • preg_replace

Just be extremely careful before you change anything in the database. Even a very small change, like accidentally adding a space, can bring your site down or keep it from loading properly.
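As an added example (not part of the original article and not iThemes code), the read-only alternative to searching inside phpMyAdmin is to export the database with mysqldump and scan the dump file on your local copy. The POSIX shell functions below count each of the terms listed above per table, and print the surrounding text of each hit so you can tell which post or option it lives in, without touching the live database at all. The dump is a constructed excerpt; the function names are my own.

```bash
#!/bin/sh
# Added example, not iThemes code: search a mysqldump of the site's database
# for the indicator terms, reporting hits per table rather than editing
# anything. Assumes POSIX sh and awk; the dump below is a constructed excerpt.

# Per-table count of each indicator term (case-insensitive, literal match).
# Output: table<TAB>term<TAB>count. A hit is a lead to inspect, not a verdict:
# a tutorial post that mentions preg_replace( will show up too.
dump_indicator_counts() {
  awk -v terms='eval(|<script|gzinflate(|base64_decode(|str_replace(|preg_replace(' '
    BEGIN { n = split(terms, t, "|"); table = "(before first INSERT)" }
    /^INSERT INTO `/ { table = $3; gsub(/`/, "", table) }
    {
      low = tolower($0)
      for (i = 1; i <= n; i++) {
        s = low; c = 0
        while ((p = index(s, t[i])) > 0) { c++; s = substr(s, p + length(t[i])) }
        if (c > 0) hits[table "\t" t[i]] += c
      }
    }
    END { for (k in hits) printf "%s\t%d\n", k, hits[k] }' "$1" | sort
}

# Show where a term occurs: "table:dump-line: ...context..." with $3 characters
# (default 40) either side, so the affected post or option can be identified.
dump_hit_context() {
  awk -v term="$2" -v width="${3:-40}" '
    /^INSERT INTO `/ { table = $3; gsub(/`/, "", table) }
    {
      low = tolower($0); off = 0
      while ((p = index(substr(low, off + 1), term)) > 0) {
        pos = off + p; from = pos - width; if (from < 1) from = 1
        printf "%s:%d: ...%s...\n", table, NR, substr($0, from, 2 * width + length(term))
        off = pos + length(term) - 1
      }
    }' "$1"
}

# --- Constructed fixture: a three-table mysqldump excerpt with one script tag
# hidden in a text widget, one in a post, and an innocent mention of
# preg_replace( in a tutorial post (a false positive to be reviewed, not deleted).
DUMP=$(mktemp); trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
-- constructed mysqldump excerpt, not from a real site
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes'),(2,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:46:\"<script>/* constructed placeholder */</script>\";}}','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2022-10-01 00:00:00','<p>Hello world</p>','Hello world','publish'),(11,1,'2022-10-01 00:00:00','<p>Post</p><script>eval(/* constructed */ "1");</script>','Second post','publish'),(12,1,'2022-10-01 00:00:00','<p>How to use preg_replace( in PHP</p>','Tutorial','publish');
INSERT INTO `wp_users` VALUES (1,'admin','(hash placeholder)','admin','admin@example.test');
EOF

dump_indicator_counts "$DUMP"
dump_hit_context "$DUMP" '<script'
```

Once you know the table and the row, make the actual edit from the WordPress editor or widget screen where you can, and only fall back to editing the database directly for rows the admin interface cannot reach.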

10. Secure the site

Because there has been an intrusion, you need to assume that everything associated with your site has been compromised. Change your database password in your hosting account panel, and credentials in your wp-config.php file so that your WordPress site can log into your WordPress database.

Also, change your SFTP/FTP password, and even the password to your cPanel or hosting account.

11. Check for problems with Google

Login to your Google Search Console and see if you have any malicious site warnings. If so, review them to see if your fixes have solved the problem. If so, ask for a review.

12. Install iThemes Security

If you have not yet installed and configured iThemes Security, now is the best time. iThemes Security is the best way to keep your site from intrusion.

13. Update or remove any vulnerable software

If you have any software, themes, plugins, or core, that require an update, update them now. If there is a vulnerability in a plugin that you are using that has not been patched (you can check using iThemes Security), deactivate and completely remove that software from your site.

At this point, if you’ve locked down your site, you can remove the maintenance notification to make your site accessible again.

Prevent another intrusion

Once you’ve got your site locked down and live, it’s critical that you take steps to prevent intrusion from happening again. Check your log files to see how the intrusion happened in the first place. Was it vulnerable software? Was it a compromised admin user account? Was it cross-contamination from an adjacent, unmaintained WordPress installation? Knowing how the intrusion happened will inform you to take steps to keep it from happening again in the future.

And, using iThemes Security is an important first step towards keeping your site safe.

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. Attackers assume that WordPress users have less security knowledge, so they find WordPress sites that aren’t protected and exploit bad passwords, reused passwords, or vulnerable software to gain a foothold in unsuspecting hosting accounts.

Verizon’s DBIR Report for 2022 reports that over 80% of breaches can be attributed to stolen credentials, and there has been a 30% increase in stolen credentials as a primary intrusion vector versus vulnerability exploitation. This is one of the reasons iThemes Security prioritizes user credential innovations like passkeys and two-factor authentication to protect WordPress sites from these intrusions.

If you take away one thing from this article, we hope it is how important it is to take security seriously BEFORE a breach. You can save countless hours of headaches reviewing code with just a few steps. Use BackupBuddy to make recovery so much easier and protect against unauthorized access using iThemes Security Pro.

iThemes Team

Keep reading the article at WordPress News | iThemes Blog. The article was originally written by iThemes Editorial Team on 2022-10-18 11:20:35.

The article was hand-picked and curated for you by the Editorial Team of WP Archives.
