
June 7, 2014

Malicious redirects

I noticed that my site’s shared link was doing a conditional redirect to the URL *.ignorelist.com. I did some digging and it was a PHP hack, most likely from a plugin or a free theme you downloaded through the admin page. The hack was done with something like this:

eval(base64_decode("DQplcnJvcl9RpbmcoMCk7DQokcWF6cGxt...(snipped a bit)...mlnbm9yZWxpc3QuYeGl0KCk7DQp9Cn0NCn0NCn0NCn0="));

Start by checking your files for “eval(base64_decode”: first the common files like headers and footers, then themes/plugins and core files. On WordPress sites, these are some common files that hackers hit: wp-load.php, wp-config.php.
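The search described above as a script, added here as an example and not code from the original post: it walks a site tree, flags every PHP file containing an eval(base64_decode("...")) call (any case, optional whitespace), and decodes the literal for review without executing it. The sample tree, file contents and payload are constructed for the demonstration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# eval ( base64_decode ( "..." ) ) with optional whitespace, any case, either quote style
PATTERN = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return (path, line_no, decoded_preview) for each hit in *.php under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        for m in PATTERN.finditer(data):
            line_no = data.count(b"\n", 0, m.start()) + 1
            try:
                # Decode only; the payload is never executed.
                decoded = base64.b64decode(b"".join(m.group(2).split()), validate=True)
                preview = decoded[:80].decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                preview = "<not valid base64, inspect by hand>"
            hits.append((str(path.relative_to(root)), line_no, preview))
    return hits

def demo():
    """Build a constructed sample tree and scan it."""
    payload = base64.b64encode(b"error_reporting(0); /* constructed sample */").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "themes" / "free-theme").mkdir(parents=True)
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = 'wp_';\n"
            f'EVAL ( base64_decode("{payload}"));\n'
        )
        (root / "wp-content/themes/free-theme/footer.php").write_text(
            "<?php echo base64_decode($logo); // no eval, not flagged\n"
        )
        return scan_tree(root)

if __name__ == "__main__":
    for path, line_no, preview in demo():
        print(f"{path}:{line_no}: {preview!r}")
```

To scan a real site, call scan_tree() with the WordPress root directory; a clean result only rules out this one obfuscation pattern.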

I used Sublime Text to look for the code and the hack in wp-config.php. I have no idea which plugin or theme caused this problem, but there is a lesson here. Do not use the admin to install new themes and plugins unless you are certain that the files do not have any obfuscated PHP code.

You can check whether your site has any malware using evuln.com’s malware-scanner tool.
