Yet another Javascript redirect

Google Safe Browsing Warning PageThis article is not really a rant but rather an alert for any that is currently Googling this. I have found on a few websites that I hosted on an older system had random PHP script inserted into the start of the index.php file.

The code below is what is being inserted into index.php files. So far I have not seen it attack any other pages.

However with that said, lets see what this PHP code is doing and hopefully what you can do about it.

As you can see this is clearly just a encoded PHP script – much like the same I do on Can you work it out. So if we just decode it, we now get what the server is actually executing.

As you can start to see – it is not starting to look like a nice bit of code anymore. Basically what this code is doing is avoiding search engines and only showing its links to real actual users. You can see this by the first bit of the command that is searching for the user agent from well-known search engines and if they are the ones that requested the page, then to skip that user.

As you can see, there is another base64 code in there. So what happens if we decode it again.

As you can see it is embedding Javascript. Now I have been too lazy to actually read the Javascript to work out what it is doing (a quick look at it shows it is redirect legit users of a website) but I will do so at another time. Now chances are you have found this article due to getting attacked by this so lets talk a little about clean up.

I personally would advise to replace ALL of your website with fresh new files from backups you “should” be making. I am betting that you have tried to remove the code from index.php only for it to come back a few hours later. The reason for this is a back door has been created into your website where a script is running every few hours which is replacing this code and also updating it for new websites to redirect your legit users too.

Sadly however I am unable to tell you which files they hit purely because it is mostly random. Instead if you have access to anything that can search files you are able to find this out for yourself. While there are many reasons to use the follow commands, if you do a search for them you will find the files it is using.

Once you have found these files then remove them and as long as you got them all – it will not come back yet. Then make sure to upgrade every script you are using such as if you are using WordPress then to upgrade to the latest, including all of its plugins etc. Then make sure to change every password such as FTP (although you should at the very least be using sftp), SSH, MySQL Databases and the likes.

Should it pop back – the problem is bigger then that and you should go running to your hosting support. If you are on shared hosting and it keeps happening after upgrading everything, changing all passwords etc then it may be time to look for a new web host – the problem is quite likely with them and not you.