Textpattern CMS support forum

#1 2013-07-03 21:22:14

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Redirect from mydomain.com/textpattern

OK, I’ve been hacked, well, I presume so. When I visit my panel link I get redirected to http://iosoffer.mobi/cpa/?offer_id=24&stream=2451 (then about 2-4 redirects) and my iPhone opens the App Store on the LitRes reading app. Not every visit, but about 1 in 10 visits. Malware? What should I do?

Offline

#2 2013-07-04 04:33:17

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,012
Website GitHub Mastodon Twitter

Re: Redirect from mydomain.com/textpattern

Can you visit your diagnostics page on http://www.yoursite.tld/textpattern/?event=diag ?

If so, check if any files have been modified. Alternatively, connect via ftp and check if there are any files there which you do not recognise.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#3 2013-07-04 06:15:43

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Redirect from mydomain.com/textpattern

I’ll try the FTP way – I don’t really understand how to use the diag tab – should I look for a hash check on php files?

Offline

#4 2013-07-04 07:29:16

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,012
Website GitHub Mastodon Twitter

Re: Redirect from mydomain.com/textpattern

All you need to do in the diagnostics tab is visit it and see if there are any warnings regarding modifications on files. If all is OK you will get a message that All checks passed!


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#5 2013-07-04 07:45:28

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Redirect from mydomain.com/textpattern

I’m getting “all checks passed” as always.
.htaccess is OK too.

The redirect happens every now and then and only on my iPhone.
At least I haven’t seen it on my Windows PC.

If anyone has an iOS device – please come visit my login page – the website link is in my just add /textpattern

Last edited by maratnugmanov (2013-07-04 07:48:11)

Offline

#6 2013-07-04 08:25:19

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Redirect from mydomain.com/textpattern

Maybe as a precaution copy a fresh set of Textpattern files back onto your server (apart from config.php and the setup directory – also take care not to overwrite any plugin extras if they have installed their own files).

Offline

#7 2013-07-04 10:02:07

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Redirect from mydomain.com/textpattern

colak wrote:

All you need to do in the diagnostics tab is visit it and see if there are any warnings regarding modifications on files.

I wouldn’t recommend trusting the diagnostics panel when it comes to security. The tab is merely meant for confirming configuration, troubleshooting and post-install verifications, but you really can’t use the diagnostics report for security purposes.

On compromised websites the report is pretty much useless. The diagnostics tab can be modified too, and so can the checksums. The checksum validation is not designed to be secure, but only for verifying the status of core files (only core files, not all files or all code) after or before updates (e.g. for transfer failures, mods). Files are verified against a list of embedded checksums, and anyone that has access to the server can update those stored hashes so that the files do not appear modified.

Offline
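
Gocom's point above, as an added example that is not part of the original thread or Textpattern's own code: compare a copy of the site downloaded over FTP against a fresh release unpacked on a trusted machine, so that no reference hash comes from the possibly compromised server. The function names, the ignored `textpattern/config.php` path and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result

def compare_trees(clean_root, site_root, ignore=("textpattern/config.php",)):
    """Compare a trusted release tree with a downloaded site tree.

    `ignore` lists paths expected to differ (assumed here: the site config).
    """
    clean, site = tree_hashes(clean_root), tree_hashes(site_root)
    skip = set(ignore)
    return {
        "modified": sorted(p for p in clean.keys() & site.keys()
                           if p not in skip and clean[p] != site[p]),
        "missing": sorted(p for p in clean.keys() - site.keys() if p not in skip),
        "extra": sorted(p for p in site.keys() - clean.keys() if p not in skip),
    }

def demo():
    """Build two small constructed trees in a temp dir and compare them."""
    release = {"index.php": b"<?php // front\n",
               "textpattern/index.php": b"<?php // admin\n",
               "textpattern/config.php": b"<?php // sample config\n"}
    live = dict(release)
    live["textpattern/index.php"] += b"// appended line\n"   # changed core file
    live["textpattern/config.php"] = b"<?php // live config\n"  # expected to differ
    live["files/unknown.php"] = b"<?php // unrecognised\n"    # not in the release
    del live["index.php"]                                     # absent on the site
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"clean": release, "site": live}
        for label, files in roots.items():
            for rel, data in files.items():
                path = os.path.join(tmp, label, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_trees(os.path.join(tmp, "clean"), os.path.join(tmp, "site"))

if __name__ == "__main__":
    print(demo())
```

Entries under `extra` need review rather than automatic deletion, since uploads and plugin files legitimately exist outside the release.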

#8 2013-07-04 11:09:04

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,304

Re: Redirect from mydomain.com/textpattern

I’d also change the whole set of passwords: DB, FTP, TXP Login.


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#9 2013-07-04 12:21:05

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Redirect from mydomain.com/textpattern

uli wrote:

I’d also change the whole set of passwords: DB, FTP, TXP Login.

If the website is compromised and there’s a hole opened, it won’t help in the long run.

As for hashes – they are identical on my offline backup (about a month or two old) and online site.

Offline

#10 2013-07-04 21:52:31

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Redirect from mydomain.com/textpattern

I’ve checked php files datas and size – all the same as standard 4.5.4
Could it be in the DB?

Offline

#11 2013-07-05 05:58:57

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,012
Website GitHub Mastodon Twitter

Re: Redirect from mydomain.com/textpattern

Hi Marat, everything is possible. If you haven’t installed smd_where_used yet, do install it and search for iosoffer in your db. Note that I do not think that the plugin will search the whole of it but maybe somebody here will be able to advise on a MySQL command which can do that.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#12 2013-07-05 07:52:18

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Redirect from mydomain.com/textpattern

My hoster’s answer just came. It says “problem should be solved by now. Please check”, so I guess that I was infected on the server level. It seems to be true – I’ve double checked all the files yesterday.

Offline
