Injection / Google result redirect
#1
Hello,
my brother has the website: www.victorpaukstelis.com
GetSimple Version 3.2.3
PHP Version 5.6.16
Shared hosting

When you type "Victor Paukstelis" into Google, you will see that the website is redirected to a website which sells Windows 7; the description is also altered:

http://take.ms/FaofZ

The programmer tried to find where the source of this problem is and tried erasing code in the index file, but it didn't help. He even tried to lock it with permissions, but that also didn't help. The sys admin is saying that he would need to check the whole code to see where it could be, and it could cost enormous money.

Another site (WordPress) on the same hosting account also had the same issue, but it was erased without any problems and without recovery.

Does anyone have a clue?

Thank you,
Vytautas
#2
It would not "cost enormous money"

Send me an archive backup and I would find it in 2 minutes.

For it to be redirecting there is probably some kind of injected code somewhere, and it might have come from his own webhost and not GS, could be a shared host hack.

Either way, GS can be completely removed and reinstalled from scratch, the only thing you need to keep is the data/ folder
and the website.xml, or just reconfig the site.

The only thing you need to check is the data folder.
Custom themes may also be infected, if you cannot reinstall it, it might need to be cleaned.

Most likely cause is DNS hijacks and not the site, but the site is down so you cannot confirm if it was an HTTP redirect or what.
Site seems to be down and problem went away, so maybe an htaccess injection outside of GS even.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#3
It's same again.. It's hijacked in the same way as it was from the start :|
Then programmer cleaned it when downloaded the files and after that it re-appears..
I gave the info to my programmer. Will update.

(2016-12-09, 02:19:52) shawn_a Wrote: It would not "cost enormous money"

Send me an archive backup and I would find it in 2 minutes.

For it to be redirecting there is probably some kind of injected code somewhere, and it might have come from his own webhost and not GS, could be a shared host hack.

Either way, GS can be completely removed and reinstalled from scratch, the only thing you need to keep is the data/ folder
and the website.xml, or just reconfig the site.

The only thing you need to check is the data folder.
Custom themes may also be infected, if you cannot reinstall it, it might need to be cleaned.

Most likely cause is DNS hijacks and not the site, but the site is down so you cannot confirm if it was an HTTP redirect or what.
Site seems to be down and problem went away, so maybe an htaccess injection outside of GS even.
#4
So, if it's still visible, change your hosting provider. Sometimes viruses can attack the whole account; I had the same problem with WordPress.
Glowczynski.pl - webmaster, graphic designer, translator.
For any job offers contact me via artur@glowczynski.pl.
#5
Sorry it took so long to look at your archive, like I said 5 minutes.

You have at least 2 PHP shells running, which are being used to modify index.php. I have no idea what else might have been modified, I did not do a full site inspection since it was so obvious to find these.

I have no idea where they might have come from or how they were added to your site, but I suspect crappy plugins, like imagizer or some other stuff you have that should not be used. Like, why is there a plugin in your root directory called plugin cycle? No idea what that is. Could also be any other plugin or upload-capable plugin, but I have a feeling you were infected from inside your host, because there is a non-GS folder with a shell in it with the name of the domain.

Either way you need a full clean fresh install, and remove all this extra crap that is not part of your site:
macosx folders?
themes not used
plugins not used or not needed
old site?
backups?
- Shawn A aka Tablatronix
#6
You also have an index.php in your thumbs folder which has also been compromised, presumably by an image thumbnail script, again probably imagizer.
- Shawn A aka Tablatronix
#7
Also your site says 3.3.13 but it is not; your files themselves are old, but configuration.php is new.
Some of your PHP files are old and have known exploits in them that were patched, so I am guessing bad upgrade. Do a new install and make sure you have version 3.3.13.
- Shawn A aka Tablatronix
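
The findings reported in posts #5 to #7 (PHP shells, a compromised index.php in the thumbs folder) and the .htaccess injection raised in #2 are the kind of thing a first pass over an unpacked backup can surface. The Python script below is an added example, not code from any poster in this thread or from GetSimple; the marker patterns, the rule that any PHP under data/ deserves manual review, and the sample tree are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# Heuristic markers only (assumptions of this example, not a complete signature set).
PHP_MARKERS = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Rewrite conditions that fire only for search-engine visitors (referrer or crawler UA).
HTACCESS_MARKERS = re.compile(
    rb"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}.*(google|bing|yahoo)", re.I)

def scan_backup(root):
    """Return sorted (relative_path, reason) findings for an unpacked site backup."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        body = path.read_bytes()
        if path.suffix.lower() in (".php", ".phtml"):
            if PHP_MARKERS.search(body):
                findings.append((rel, "obfuscated eval"))
            # Assumption: data/ holds site content, so PHP there gets a manual look.
            if rel.startswith("data/"):
                findings.append((rel, "php under data/"))
        elif path.name == ".htaccess" and HTACCESS_MARKERS.search(body):
            findings.append((rel, "search-engine conditional rewrite"))
    return sorted(findings)

def demo():
    """Build a small constructed tree (not the site from the thread) and scan it."""
    files = {
        "index.php": b"<?php echo 'home'; ?>",
        # Harmless stand-in: the base64 string decodes to "echo 1;".
        "data/thumbs/index.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "data/other/website.xml": b"<item><SITENAME>demo</SITENAME></item>",
        ".htaccess": b"RewriteEngine On\n"
                     b"RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
                     b"RewriteRule ^ http://shop.example/ [R=302,L]\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_backup(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:35} {rel}")
```

A hit is a pointer for manual review, not a verdict, and a clean result does not show that the files are unmodified; comparing each file against a fresh download of the same release is the stronger check.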