GetSimple Support Forum
Injection / Google result redirect - Printable Version

+- GetSimple Support Forum (http://get-simple.info/forums)
+-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3)
+--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16)
+--- Thread: Injection / Google result redirect (/showthread.php?tid=9451)



Injection / Google result redirect - vppromoter - 2016-12-08

Hello,
my brother has the website: www.victorpaukstelis.com
GetSimple Version 3.2.3
PHP Version 5.6.16
Shared hosting

When you will type into Google "Victor Paukstelis", you will see that the website is redirected to a website which sells Windows 7, also the description is altered:

http://take.ms/FaofZ
[Image: Epy7MJZOyy4g5ezR21B2aknYGwqGu6.png]

The programmer tried to find where is the source of this problem, tried erasing code in index file but it didn't help. He even tried to lock it with permissions but it also didn't help. Sys admin is saying that he would need to check whole code to see where it could be and it could cost enormous money.

Other site (Wordpress) also had same issue in same hosting account but it was erased without any problems and without recovery.

Anyone has a clue?

Thank you,
Vytautas


RE: Injection / Google result redirect - shawn_a - 2016-12-09

It would not "cost enormous money"

send me a archive backup and I would find it in 2 minutes

For it to be redirecting there is probably some kind of injected code somewhere, and it might have come from his own webhost and not GS, could be a shared host hack.

Either way , GS can be completly removed and reinstalled from scratch, only thing you need to keep is the data/ folder
and the website.xml or just reconfig the site.

only thing you need to check is data folder
custom themes may also be infected if you can not reinstall it, it might need to be cleaned.

Most likely cause, is dns hijacks and not the site, but the site is down so you cannot confirm if it was a http redirect or what.
Site seems to be down and problem went away , so maybe an htaccess injection outside of GS even.


RE: Injection / Google result redirect - vppromoter - 2016-12-09

(2016-12-09, 02:19:52)It\s same again.. It's hijacked in the same way as it was from the start :|Then programmer cleaned it when downloaded the files and after that it re-appears..I gave the info to my programmer. Will update. shawn_a Wrote: It would not "cost enormous money"

send me a archive backup and I would find it in 2 minutes

For it to be redirecting there is probably some kind of injected code somewhere, and it might have come from his own webhost and not GS, could be a shared host hack.

Either way , GS can be completly removed and reinstalled from scratch, only thing you need to keep is the data/ folder
and the website.xml or just reconfig the site.

only thing you need to check is data folder
custom themes may also be infected if you can not reinstall it, it might need to be cleaned.

Most likely cause, is dns hijacks and not the site, but the site is down so you cannot confirm if it was a http redirect or what.
Site seems to be down and problem went away , so maybe an htaccess injection outside of GS even.



RE: Injection / Google result redirect - Artur - 2016-12-09

So, if it's still visible, change your hosting provider. Sometimes viruses can attack whole account, I had same problem with Wordpress.


RE: Injection / Google result redirect - shawn_a - 2016-12-18

sorry it took so long to look at your archive like i said 5 minutes.

you have at least 2 php shells running, which is being used to modify index.php, i have no idea what else might have been modified, i did not do a full site inspection since it was so obvious to find these.

I have no idea where they might have came from or how they were added to your site, but i suspect crappy plugins, like imagizer or some other stuff you have that should not be used, like why is there a plugin in your root directory called plugin cycle ? no idea what that is. could also be any other plugin or upload capable plugin, but i have a feeling you were infected from inside your host, because there is a non GS folder with a shell in it with the name of the domain.

either way you need a full clean fresh install and remove all this extra crap that is not part of your site, maxosx folders?
themes not used
plugin snot used or not needed
old site ?
backups?


RE: Injection / Google result redirect - shawn_a - 2016-12-18

you also have an index.php in your thumbs folder which is also been compromised, presumably by an image thumbnail script, again probably imagizer


RE: Injection / Google result redirect - shawn_a - 2016-12-18

Also your site says 3.3.13 but it is not, your files themselves are old, but configuration.php is new.
Some of your php files are old, and have known exploits in them that were patched, so i am guessing bad upgrade, do a new install make sure you have version 3.3.13.