HACKED** MY SITE REDIRECTS TO THE CHURCH OF SATAN... I NEED TO FIX ASAP!!

[moneymic313]

Please go to my page and tell me how to remove the auto redirect that somehow is on my site...???

http://www.detroithiphop.com/aindex.php


any help you can provide please do so... And how did this happen and what can I do to avoid this in the future???


thank you..

MM

[wwfc_barmy_army]

Try posting the code for the index page so we can check it out.

[trq]

Im thinking this is spam, I dont see any redirect. Anyone else? Of course hip hope could quite easily be classed as [i]church of satan[/i].

[wwfc_barmy_army]

[quote author=thorpe link=topic=110382.msg446064#msg446064 date=1159891738]
Im thinking this is spam, I dont see any redirect. Anyone else? Of course hip hope could quite easily be classed as [i]church of satan[/i].
[/quote]

I am getting redirected.

[steveclondon]

i didn't fancy going to prey at the church of satan anyway.

[moneymic313]

That is the problem ... not sure where this is coming from.. it is nowhere to be found on my aindex.php file..

Please advise..


MM

[wildteen88]

This is not spam thorpe. As I am being redirected to the hell site. If I click the stop button in time I am not redirected. It only seems your index page is being affected. I can browser oither pages without being redirected.

[trq]

[quote]This is not spam thorpe.[/quote]

Ok.... soz. Its not redirecting in firefox.

[roopurt18]

Open the source in each of your directories a few files at a time and use your editor's "Search in Files" feature for the redirected URL.  If it doesn't turn up look for calls to the function header.

Can we rule out .htaccess redirection because the initial page loads?  I don't know enough about web servers to make that call.

[roopurt18]

Also, I loaded the page and had to hit stop.  I didn't find any javascript causing the redirect in the source I received, but that doesn't mean it doesn't exist somewhere at the very bottom of the page.

[moneymic313]

fyi I actually renamed an old aindex.php file from a few months ago to the main aindex.php and replaced it and it still redirected me..

I did a search on the entire aindex.php file for satan and churchofsatan and www.churchofsatan.com and nothing showed up..

[wwfc_barmy_army]

[quote author=thorpe link=topic=110382.msg446073#msg446073 date=1159892180]
[quote]This is not spam thorpe.[/quote]

Ok.... soz. Its not redirecting in firefox.
[/quote]

I'm using firefox and it redirected me.

[steveclondon]

I disabled javascript in my firefox browser using the dev toolbar and it still diverted me

[trq]

[quote]I'm using firefox and it redirected me.[/quote]

Well Im in Linux so Ive got no flash. Any chance the redirect may be occuring in your flash stuff?

[steveclondon]

replace your index page with another blank page named index to make 100% sure there is nothing in the code. I don't think there is but this will make sure.

[moneymic313]

i replaced the aindex.php with a blank file and nothing happened.. No redirect.. So it is in the aindex.php I assume???

[FrOzeN]

[quote author=thorpe link=topic=110382.msg446087#msg446087 date=1159892617]
[quote]I'm using firefox and it redirected me.[/quote]

Well Im in Linux so Ive got no flash. Any chance the redirect may be occuring in your flash stuff?
[/quote]
Bingo! That also occured to me so I did a quick search for ".swf" and found this:
http://www.detroithiphop.com/images/mainpage/dhh.swf

I opened it in hex view found the link "http://www.churchofsatan.com" redirecting to "_parent". Simply remove it and your page should be back to normal. :)

[EDIT] [s]Also, check for other ".swf"'s I didn't get around to that as you changed the page to a blank one.[/s]

[moneymic313]

how do I view .swf in hex view???

[FrOzeN]

Don't worry as all you need to do is delete the file "/images/mainpage/dhh.swf", and remove the code:
[code]<embed src="/images/mainpage/dhh.swf" hidden="true">[/code]

--
I did a check on the other .swf files, it's the only offending one.

[michaellunsford]

Now the more powerful part of the question, how to prevent this from happening again?

I have been very fortunate to not have had this problem yet, but it lurks ominously in the shadows as a very real possibility. The problem is compounded by the fact that no one wants to publicly post how to test your website because some idiot will inevitably use the information to break someone else's. So, the question persists: how do you ensure your website is relatively hacker resistant?

[FrOzeN]

A start would be to have a look over http://phpsec.org/projects/guide/ and see if any of the risks relate to your code.

[moneymic313]

Thank you everyone who helped with this... Honestly that was a fabricated .swf file that I did not even create or use..

So is this just changing and making my login info different and harder to figure out or is it more than that..??


Unfortunately though there is another issue on my side.. All of the links in my links section have been changed to the same url www.churchofsatan.com.. This is obviously a little different issue that I am sure is not quite as easy to fix...

If anyone has any suggestions on that as well please let me know..


Once again thank you all..

[michaellunsford]

Is this even a PHP issue? I'm thinking if someone placed a SWF file on the server, they had ftp access at the very least. So, how do you protect against that?

[quote author=FrOzeN link=topic=110382.msg446115#msg446115 date=1159894157]
A start would be to have a look over http://phpsec.org/projects/guide/ and see if any of the risks relate to your code.
[/quote]

[FrOzeN]

[quote author=michaellunsford link=topic=110382.msg446124#msg446124 date=1159894889]
Is this even a PHP issue? I'm thinking if someone placed a SWF file on the server, they had ftp access at the very least. So, how do you protect against that?
[/quote]
Not sure. But it seems to be back, so either the hacker just re-added it (unlikely), or there is some form of script that put the file back, which could be a php script. It'd be best just to go over all these factors so you can determine how it happened.

If you have a CPanel, or something similar. Check the ftp logs to see if someone actually uploaded the .swf file.

[michaellunsford]

If it is PHP doing the deed, you might use your ftp program's synchronize feature to see what files are different on the server than on your local machine. That might help find the offending code (since it's probably buried inside an existing PHP page someplace).

Please report back what you find, if anything. I'd also enlist the ISP help. It is highly likely that anyone with the wherewithal to get into your domain would also be able to cover their tracks, but it's worth a look.