-1

I coded my own website and uploaded to a host. Some days ago I realized that in front page suddenly redirects to an unknown websites, until 3-4 redirects.

The redirects ends up at: http://59016823.g05.info/?p=NGNmN2JjNTYyNmIwMGE3YTU5MjgzNmNiOWNjOWMzNGF8MXxEaXJlY3RMaW5rfFRYbFBZbVoxWTJGMFpTQkNiMlI1VEdGNVpYST18MTAwMHw1OTAxNjgyMw==

  • Reinstall from scratch. Make sure to upload only known good code (latest version of all software with all security updates applied, secure configuration restored from known good backups). Did you have a question? – Gilles 'SO- stop being evil' Sep 01 '14 at 07:48

1 Answers1

2

The latter part of the URL query is a base64 string that resolves to somthing encoded:

4cf7bc5626b00a7a592836cb9cc9c34a|1|DirectLink|TXlPYmZ1Y2F0ZSBCb2R5TGF5ZXI=|1000|59016823

Virustotal does report the site as a "Malware Site".

https://www.virustotal.com/en/url/a9cb3cf6e43d2aa16485674a43128473493c66d1c3fad41534f373aeaf251c8f/analysis/

You should look into your web server logs to figure out how/when this code got injected in the first place. Is it because your sever is compromised or is it because you are using some vulnerable plugin ? is it because of malvertisement ?

A proper look at the codes and a complete clean-up would be required to avoid any future infections.

abhinav singh
  • 121
  • 1