Is your WordPress website redirecting users to unknown malicious sites? If yes, then your website might be hacked. The famous WordPress redirect hack is one of the most exploited WP hacks by the hackers. There’s a reason behind this being exploited so much, more on it below.
您的WordPress网站是否将用户重定向到未知的恶意网站?如果是,那么您的网站可能会被黑客入侵。着名的WordPress重定向黑客是黑客利用最多的WP黑客之一。这背后有一个原因被如此利用,下面将详细介绍。
‘WordPress hacked redirect’ to questionable domains isn’t a new hack. Over the years hackers have evolved this virus to make it more subtle and difficult for you to detect. Here are some of the variations of the WordPress redirection hack:
“WordPress被黑客入侵的重定向”到可疑的域并不是一个新的黑客攻击。多年来,黑客已经进化出这种病毒, 使它更微妙, 你更难检测.以下是WordPress重定向黑客的一些变体:
Hack Types | Symtoms |
---|---|
Classic Redirection Hack | The hacked redirect has been around since the longest time. Every time someone visits your website, they’re redirected to questionable links like pharma sites, adult websites etc. |
Redirection via Search Results | When website is opened by entering the URL in the browser, it opens fine. But when opened by searching on Google, it redirects to malicious websites. |
Device Specific WordPress Redirection | The website only redirects when opened from mobile device or only redirects when opened from desktop depending on what type of malware is present. |
Push Notifications Hack | We’ve seen this one since last few months where hackers also show browser push notifications to your visitors. Usually these push notifications point to porn websites. |
Geography Specific Redirection | In some cases, some visitors of yours might see a redirection and some might not. This could be because hackers program the malware to work only for certain geographies. Where exactly the malware redirects also can be tailored geography-wise by hackers. |
黑客类型 | 症状 |
---|---|
经典重定向黑客 | 被黑客入侵的重定向已经存在了很长时间。每次有人访问您的网站时,他们都会被重定向到可疑链接,如制药网站,成人网站等。 |
通过搜索结果重定向 | 通过在浏览器中输入URL打开网站时,它打开正常。但是,当通过在Google上搜索打开时,它会重定向到恶意网站。 |
设备特定的WordPress重定向 | 该网站仅在从移动设备打开时重定向,或者仅在从桌面打开时重定向,具体取决于存在的恶意软件类型。 |
推送通知黑客 | 自过去几个月以来,我们已经看到了这一点,黑客还会向您的访问者显示浏览器推送通知。通常这些推送通知指向色情网站。 |
特定于地理位置的重定向 | 在某些情况下,您的某些访问者可能会看到重定向,而有些访问者可能不会。这可能是因为黑客对恶意软件进行编程,使其仅适用于某些地区。恶意软件重定向的确切位置也可以由黑客根据地理位置进行定制。 |
A few examples of the pages where redirection malware redirects to.
重定向恶意软件重定向到的页面的几个示例。
WordPress site redirecting to spam site like Internet Gazeta (beginmattermovie2.live)
WordPress网站重定向到垃圾邮件网站,如Internet Gazeta(beginmattermovie2.live)
Currently, we are seeing cases in which the WordPress site is being redirected to links like travelinskydream[.]ga, track.lowerskyactive and outlook phishing pages.
目前,我们看到WordPress网站被重定向到像travelinskydream这样的链接。ga,track.lowerskyactive和outlook phishing pages。
Truth be told, there can be a dozen or more methods using which hackers can perform this hack. Some of them are listed below:
说实话,黑客可以使用十几种或更多方法执行此黑客攻击。下面列出了其中一些:
Recent Redirect Hack – WordPress site redirecting to digestcolect [.] com
最近的重定向黑客 - WordPress网站重定向到消化口[.com]
Vulnerabilities such as Stored Cross-site Scripting (XSS) in WordPress plugins make it possible for hackers to add malicious JavaScript code to your website. When hackers get to know that a plugin is vulnerable to XSS, they find all the sites that are using that plugin and try to hack it. Plugins such as WordPress Live Chat Support and Elementor Pro had been a target of such redirection hacks.
诸如WordPress插件中的存储跨站点脚本(XSS)之类的漏洞使黑客有可能将恶意JavaScript代码添加到您的网站。当黑客知道某个插件容易受到XSS的攻击时,他们会找到所有使用该插件的网站,并试图对其进行黑客攻击。WordPress Live Chat Support和Elementor Pro等插件一直是此类重定向黑客的目标。
When scanning a site for malware, more often than not the and files get ignored by free security plugins. For WordPress sites redirecting to Pharma websites, we’ve seen that bad code is added to the files disguised as any normal code. The hackers place the code in such a way that you cannot even find this code hidden in the file unless you scroll a lot to the right. This makes it more difficult to identify and remove such redirection hacks. Apart from these two files, you should also check all the WordPress core files such as , , , , etc…htaccesswp-config.php.htaccessfunctions.phpheader.phpfooter.phpwp-load.phpwp-settings.php
在扫描站点中的恶意软件时,和文件通常会被免费的安全插件忽略。对于重定向到制药网站的WordPress网站,我们已经看到不良代码被添加到伪装成任何正常代码的文件中。黑客以这样的方式放置代码,除非您向右滚动很多,否则您甚至无法找到隐藏在文件中的此代码。这使得识别和删除此类重定向黑客变得更加困难。除了这两个文件,您还应该检查所有WordPress核心文件,例如,,,等。.htaccesswp-config.php.htaccessfunctions.phpheader.phpfooter.phpwp-load.phpwp-settings.php
When scanning of our customer’s website for malware, we found the following code hidden in the file. It redirects website visitors to spammy & dangerous pharma websites…htaccess
在扫描客户网站的恶意软件时,我们发现文件中隐藏了以下代码。它将网站访问者重定向到垃圾和危险的制药网站。.htaccess
Malicious code in .htaccess
.htaccess 中的恶意代码
Some plugins & themes allow you to add code in the or just before tag. This can be useful to add JS code for Google Analytics, Facebook, Google Search console, etc. We’ve seen such features being abused by hackers for WordPress site redirection.
一些插件和主题允许您在标签中添加代码或就在标签之前添加代码。这对于为Google Analytics,Facebook,Google Search Console等添加JS代码非常有用。我们已经看到这些功能被黑客滥用于WordPress网站重定向。
In an attempt to make it difficult to search for, the malicious website URL is often converted from a string format to its respective character codes. The converted code looks something like this:
为了使搜索变得困难,恶意网站URL通常从字符串格式转换为其各自的字符代码。转换后的代码如下所示:
An example of malicious JavaScript in WordPress
WordPress中恶意JavaScript的示例
Due to privilege escalation vulnerabilities in plugins, it is sometimes possible for hackers to create ghost or fake admin users to your site. Once the hacker becomes an administrator, they get full access to your website and add backdoors and redirection code on your site.
由于插件中的权限提升漏洞,黑客有时可能会为您的网站创建幽灵或虚假的管理员用户。一旦黑客成为管理员,他们就可以完全访问您的网站,并在您的网站上添加后门和重定向代码。
Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for malicious codes:
攻击者可以通过在WordPress上的任何核心文件中注入代码来感染网站。检查这些文件是否存在恶意代码:
Some variants of the redirection malware infect ALL the JavaScript( files on the websites. This includes the JS files in the , plugin, theme folders, etc. The same obfuscated code is usually added at the top of each JS file.
重定向恶意软件的某些变体会感染网站上的所有 JavaScript( 文件。这包括、插件、主题文件夹等中的 JS 文件。相同的混淆代码通常添加到每个JS文件的顶部。
The and tables are the most targeted tables in a WordPress database. Spam site links & JS code is often found in each of your articles or pages.wp_postswp_options
表是WordPress数据库中最具针对性的表。垃圾邮件站点链接和JS代码通常可以在您的每篇文章或页面中找到。wp_postswp_options
Some malware creates rogue or random files on your server which contain malicious PHP code inside them. This malicious PHP code is known to perform dangerous actions on websites such as URL injection, creation of administrator accounts, installing spyware/trojans, creating phishing pages, etc.favicon.ico
某些恶意软件会在服务器上创建流氓或随机文件,其中包含恶意PHP代码。已知此恶意PHP代码会在网站上执行危险操作,例如URL注入,创建管理员帐户,安装间谍软件/特洛伊木马,创建网络钓鱼页面等。favicon.ico
It pollutes your server with spam files. These files contain malicious code within them instead of the genuine icon image code. Some of the code used to load such files can be seen below:
它用垃圾邮件文件污染您的服务器。这些文件包含恶意代码,而不是真正的图标图像代码。用于加载此类文件的一些代码如下所示:
@include "\x2f/sg\x62/fa\x76ico\x6e_54\x656ed\x2eico";
To get started with the malware scanning process, you’ll first have to identify the type of redirection hack that your site is facing. Once you’ve done that by referring to the steps given above, we’ll have to actually find the malicious code and remove it from your site.
要开始使用恶意软件扫描过程,您首先必须确定您的网站面临的重定向黑客类型。通过参考上述步骤完成此操作后,我们将必须实际找到恶意代码并将其从您的网站中删除。
You can either opt for an automated malware scanning solution or proceed with a manual approach. Here are some steps you can take for removing malicious redirects from your site & prevent the redirection hack:
您可以选择自动恶意软件扫描解决方案,也可以继续使用手动方法。以下是您可以从网站中删除恶意重定向并防止重定向黑客攻击的一些步骤:
For not-so-technical WordPress users, a malware removal solution such as Astra would be the fastest & easiest way to find, remove, and fix the WordPress redirection issue without breaking your site.
对于技术性较差的WordPress用户,像Astra这样的恶意软件删除解决方案将是查找,删除和修复WordPress重定向问题的最快,最简单的方法,而不会破坏您的网站。
If you want to manually scan your site and find a solution based on the type of redirection hack you are facing, follow each of the steps given ahead.
如果您想手动扫描您的网站并根据您面临的重定向黑客类型找到解决方案,请按照前面给出的每个步骤进行操作。
As a preliminary check, you can scan your site using tools such as Astra’s free Security Scanner and Google Safe Browsing. If your site has links to any blacklisted URLs, you will be alerted by these tools. You’ll also get a short list (not exhaustive) of some of the malicious code snippets found in your site. For a detailed scan, you would either have to scan all website files manually or get a malware scan done.
作为初步检查,您可以使用Astra的免费安全扫描程序和Google安全浏览等工具扫描您的网站。如果您的网站包含指向任何列入黑名单的网址的链接,这些工具会提醒您。您还将获得一个简短列表(并非详尽无遗),其中包含您网站中发现的一些恶意代码片段。对于详细的扫描,您必须手动扫描所有网站文件或完成恶意软件扫描。
To see if any malicious code has been injected into the core WordPress files, you can run a file integrity check using WP-CLI. To run such checks, follow these steps:
要查看是否有任何恶意代码被注入核心WordPress文件,您可以使用WP-CLI运行文件完整性检查。若要运行此类检查,请按照下列步骤操作:
翻译如下:
To see the difference between the original CMS file and the actual file visually, you can run a core file integrity scan with Astra.
要直观地查看原始CMS文件与实际文件之间的差异,您可以使用Astra运行核心文件完整性扫描。
File difference checking with Astra
使用阿斯特拉检查文件差异
Hackers usually leave a way to get back into your site. Backdoors are usually there in files which are named just like legitimate files.
黑客通常会留下一种方法来回到您的网站。后门通常存在于文件中,这些文件的名称与合法文件一样。
You can manually search your websites’ files for common malicious PHP functions such as , , , , , etc. Note that these functions are also used by WordPress plugins for legitimate reasons, so make sure you take a backup or get help such that you do not accidentally break the site.evalbase64_decodegzinflatepreg_replacestr_rot13eval
您可以手动搜索您网站的文件以查找常见的恶意 PHP 函数,例如 、 、 、 、 等。请注意,出于合法原因,WordPress插件也使用这些功能,因此请确保您进行备份或获得帮助,以免意外破坏网站。evalbase64_decodegzinflatepreg_replacestr_rot13eval
Login to your WordPress admin area, and check if any ghost/unknown administrator users have been added. Hackers routinely add themselves as an admin so that they retain access to your site and re-infect it even after you remove the redirection hack.
登录到您的WordPress管理区域,并检查是否添加了任何幽灵/未知管理员用户。黑客通常会将自己添加为管理员,以便他们保留对您网站的访问权限,并在您删除重定向黑客后重新感染它。
If you find any such users, quickly delete the accounts and change passwords for all other Admin accounts.
如果找到任何此类用户,请快速删除帐户并更改所有其他管理员帐户的密码。
While you’re at it, also make sure (depending on your website’s requirement) that the Membership option called “Anyone can register” is disabled and the option “New User Default Role” is set to Subscriber.
当您使用它时,还要确保(取决于您网站的要求)禁用名为“任何人都可以注册”的“成员资格”选项,并将“新用户默认角色”选项设置为“订阅者”。
Click on ‘Plugins’ in the left panel to see all the plugins that are installed on your site. If you see any unknown plugins, delete them.
单击左侧面板中的“插件”以查看您网站上安装的所有插件。如果您看到任何未知插件,请将其删除。
For plugins that have updates available, check on the WordPress plugin changelog if any recent security issues have been found. Also, scan the plugin files for backdoors and redirection code as mentioned in step #4 above.
对于具有可用更新的插件,请检查WordPress插件更改日志中是否发现了任何最近的安全问题。另外,扫描插件文件中的后门和重定向代码,如上面的步骤#4中所述。
Sample of the malicious code injected in the header.php file
标头文件中注入的恶意代码header.php文件
Use online tools (For e.g. diff checker) to compare your plugin files with the original ones. You can do this by downloading the same plugins from the WordPress plugin repository and them matching your installed plugins against these.
使用在线工具(例如差异检查器)将您的插件文件与原始文件进行比较。您可以通过从WordPress插件存储库下载相同的插件来执行此操作,并且它们将已安装的插件与这些插件进行匹配。
However, this also has a set of limitations. Since you would be using multiple plugins, it is not always possible to compare each and every file. Also, if the the redirection hack is because of a zero day, then chances are that an update for the plugin is not available.
但是,这也有一组限制。由于您将使用多个插件,因此并不总是可以比较每个文件。此外,如果重定向黑客是因为零日,那么插件的更新可能不可用。
You can manually search your WordPress database for common malicious PHP functions like we did to find backdoors. Login to a database management tool such as phpMyAdmin or Adminer. Select the database used by your site and search for terms such as as , , , , , , etc.
<script>evalbase64_decodegzinflatepreg_replacestr_replace
您可以手动搜索WordPress数据库中常见的恶意PHP函数,就像我们找到后门一样。登录到数据库管理工具,如phpMyAdmin或Adminer。选择您的网站使用的数据库,然后搜索诸如 、、、等字词。
<script>evalbase64_decodegzinflatepreg_replacestr_replace
Be really careful before you make any changes, as even a tiny change such as a space has the potential to break the site from loading or function properly.
在进行任何更改之前要非常小心,因为即使是微小的更改(例如空间)也有可能破坏网站的加载或正常运行。
Now that you’ve scanned your site and have identified the malicious code, we need to remove it.
现在,您已经扫描了您的网站并识别了恶意代码,我们需要将其删除。
Example:findsed
find /path/to/your/folder -name “.js” -exec sed -i “s//ReplaceWithMalwareCode*//n&/g” ‘{}’ ;
的福建烤老鼠放假
例:findsed
find /path/to/your/folder -name “.js” -exec sed -i “s//ReplaceWithMalwareCode*//n&/g” ‘{}’ ;
With Astra’s award winning Website Protection solution which includes website firewall and malware scanner, your website will be thoroughly scanned & well-protected from not just the WordPress redirection hack but also from backdoors, viruses, trojans etc.
借助Astra屡获殊荣的网站保护解决方案,其中包括网站防火墙和恶意软件扫描程序,您的网站将受到彻底扫描和良好保护,不仅可以防止WordPress重定向黑客攻击,还可以防止后门,病毒,特洛伊木马等。
Since redirection malware is so prevalent, we’ve made a detailed step-by-step video on fixing redirection hacks. Though hackers always keep on updating their methods to avoid coming on the radar of security companies, the underlying principle is the same.
由于重定向恶意软件非常普遍,因此我们制作了有关修复重定向黑客的详细分步视频。尽管黑客总是不断更新他们的方法,以避免成为安全公司的雷达,但基本原理是相同的。
Also, check our detailed guide How to Fix Unwanted Pop-Ups in your WordPress Website
另外,请查看我们的详细指南 如何修复WordPress网站中不需要的弹出窗口
Hackers are always evolving their methods, exploiting vulnerabilities not known to the world, and combining various exploits to create a hack. While removing the hack is one part, ensuring one never gets hacked requires something more permanent – like Astra’s Security suite
黑客总是在发展他们的方法,利用世界上不知道的漏洞,并结合各种漏洞来创建黑客攻击。虽然消除黑客攻击是其中的一部分,但确保一个人永远不会被黑客入侵需要更永久的东西 - 比如Astra的安全套件