E
E
eafanasov2013-03-17 01:33:54
Android
eafanasov, 2013-03-17 01:33:54

How to remove a redirect from a site?

I have my site in joomla.
A week ago, I discovered that when entering the site from mobile devices (smartphone, tablet), a redirect to the newflashplayer.ru phishing page occurs and an .apk file is immediately downloaded to the mobile device. I go from a desktop browser - everything is in order.
Checked - the .htaccess file is in order (did not change).
I checked the date of change of js scripts - also no new or recently edited ones ...
Tell me, where else to look?

Answer the question

In order to leave comments, you need to log in

10 answer(s)
A
admin4eg, 2013-03-17
@eafanasov

on the server, one of the clients had the same redirect exactly there, the
whole thing was in JS files
;document.write(unescape("%3C%73
, described in my blog

M
Meliborn, 2013-03-17
@Meliborn

Set yourself a User agent of some mobile phone and see the source code of the page.

H
Hungry_Hunter, 2013-03-17
@Hungry_Hunter

In addition to the htaccess file, you should search in php files for the following occurrences:
- eval
- base64_decode
- Location
- at the redirect address
In js files, you should also check for a redirect. The date the file was edited does not have to be different from the rest, because. it is not difficult to change it after editing.
In general, it is better to contact a specialist to remove malicious code and search for webshells on your server.

A
Alexey Sundukov, 2013-03-18
@alekciy

I highly recommend visiting the site from search engines. It doesn't matter which browser. It may also turn out that there is a redirect. And most likely it will turn out that they are already generated by the engine itself without JS.

S
Stalker_RED, 2013-03-17
@Stalker_RED

And in the page itself there are no javascript inserts? Yes, you can change the file modification date.

N
nelson, 2013-03-17
@nelson

I asked the author in a personal address of the site, looked. There really is a line at the end of javascript files (all) that starts with:
document.write(unescape(
all these lines must be removed, and the directory where they are located must be closed for writing on behalf of the user under which the web server is running. If the folder was created by FTP - usually it is enough to set the rights to 775.
(and the file modification date is easily faked, so you didn’t look there - but in vain)
And most likely you have a web shell flooded, you can also search for it - download yourself a copy of the site and search in PHP files the following:
eval(
/.*/e
passthru
(these lines can also be found in regular files)
But it's not a fact that you will find all the shells like this, so for reliability it is advisable to delete all files, except for pictures, and reinstall the latest version of Joomla (and all the plugins that you have).
And correctly put down the rights to the folders - in those folders that the web server can write to, you need to prohibit the execution of PHP files:
php_flag engine 0
in the .htaccess file in these directories.

F
FedLab, 2013-03-17
@FedLab

I think you have DLE, I met this ... check the site files for redirects.
If DLE - look in index.php, engine/data.config.php for something with "Location:" - you will find - it will be noticeable that it is someone else's.
the redirect can be in the page header - php gives the header indicating the redirect

N
Nicholas, 2013-03-17
Sumrak @NikolasSumrak

Track which page the redirect is originally going to, and then search through all project files with that url.

V
vinograd19, 2013-03-17
@vinograd19

look at the meta tags

Z
zizop, 2013-03-17
@zizop

There is such an option.
Because there is a redirect for mobile platforms, then with a high degree of probability the name of the platform will appear in the code. Helped me in a similar situation

grep "android" -r ./

Well, of course, if you do not have a site about android :-)

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question