Links got hijacked, any solution?

[cilembu]

So, from reports from my users, now I realized that some of my links got hijacked, it redirects to some other files on some filehosts.

I am using the autoclickable script I found on KWWH for making the links.

I have been trying to look for the cause, and I even fresh installing my wordpress script, disable plugins, but it seemed useless.

Any solution to track or possibly prevent this?

Thanks in advance

cilembu Reviewed by cilembu on 12th Jan 2011. Links got hijacked, any solution? So, from reports from my users, now I realized that some of my links got hijacked, it redirects to some other files on some filehosts. I am using the autoclickable script I found on KWWH for making the links. I have been trying to look for the cause, and I even fresh installing my wordpress script, disable plugins, but it seemed useless. Any solution to track or possibly prevent this? Thanks in advance Rating: 5

[__Doc_]

I'm going to help you because your site is VERY relevant to my interests and I plan on touching myself within minutes of this post

have you checked your HTACCESS for redirect code?

[Mr Happy]

Can you link us to an example post that redirects. We'll be able to see if it's javascript meta refresh or if it's a php or htaccess one.

Their are many different ways to redirect so we need to see an example page.

[cilembu]

Thanks for the reply mate,
yes I have checked the htaccess file, no redirects there

[cilembu]

Here is a sample:

http://javaddiction.info/?p=6654

notice that only 2 last links are hijacked, it is the same with other links, and yes, I have deactivated the plugin, checked my autoclickable js script also with no luck

[Mr Happy]

That's really really weird

PHP Code: 

<div style="text-align: center; margin: 0px;"><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://hotfile.com/dl/95111708/5efffbe/Prince.of.Persia.The.Forgotten.Sands.PAL.MULTI.WBFS.WiiERD-ATeam.part02.rar.html ">http://hotfile.com/dl/95934165/9207848/javaddiction.STAR250.avi.html</a></span></div> 


It's not a javascript or htaccess problem. It's a php problem. If you are not doing that on purpose when your writing the topics then their is a serious weird bug someplace. Can you try editing the topic. What is the bb or html code you see?

[cilembu]

I'll be damned,
you were right, I saw it also in the edit post pages must be injected there when I click post. It is the php. I will look into it mate,

Thanks for the suggestions!

[cilembu]

OK, just a heads up report,
I cannot fix the injected links due to its embedded to the post tooo many to fix one by one, however I found the source of the problem, so hopefully it wont happen again in the future.

For some reason the hacker manage to upload a php file, named sql.php, it might be injecting the post database or altering my post when I clicked publish. The codes there are secured codes, so I cannot read it and dont have time to encode it . So I just deleted the file.

For those who are interested in the file, I am sorry, in the brink of myself, I hit the delete button, I should have save it for reference.

Thanks for all the help mates!!

[Mr Happy]

OK, just a heads up report,
I cannot fix the injected links due to its embedded to the post tooo many to fix one by one, however I found the source of the problem, so hopefully it wont happen again in the future.

For some reason the hacker manage to upload a php file, named sql.php, it might be injecting the post database or altering my post when I clicked publish. The codes there are secured codes, so I cannot read it and dont have time to encode it . So I just deleted the file.

For those who are interested in the file, I am sorry, in the brink of myself, I hit the delete button, I should have save it for reference.

Thanks for all the help mates!!

What a clever hacker. It's a pitty you deleted it. We could have decoded it as it may have some include 'file.php'; which would let you know if other alien files are on your server. This sounds like a incredibly clever hacker and most likely he's left other measures to gain access to admin if needed in future etc.
You may want to consider deleting all files and reuploading them and re-uploading any plugins or modules as well obviously making a backup first. If it was done automatically when you published then you'd need more code to include the sql.php file so I doubted the sql.php is the only file.

Anyway it's good to see you found the problem.