Last week Denise Griffitts, of Your Office On The Web, emailed me about someone who had a crazy-sounding problem.
“My mobile visitors are going to an X-rated site!! But not all the visitors and you can reload and sometimes go to the right site and sometimes you get redirected!!”
Her web host was very helpful. They looked through the website, found malicious code and fixed it. But after a few days it would reappear.
It’s never good for a business website to be redirected to an “adult website” but this problem that kept reappearing made it even more disturbing.
Fortunately, I have multiple programs that I use to help me find the issues. Some pages the programs will clean. Some require my review. Some require pulling a line or two of code out of a page that otherwise is part of WordPress.
What was wrong?
In total, the hackers had injected over 30 backdoors, over a dozen IFrame injections, over a dozen malware strings and over two dozen other malware injections. I added over a dozen files that help protect her website from other injections, and I am monitoring her websites for an additional month to make certain there are no other issues.
Of course you know that all those things are bad, but what do they actually mean?
Once a hacker finds or makes a backdoor, he adds more. These backdoors give him access to your website and allow him to add malware, redirects and other crazy things to your website. Basically think of this as someone building secret doors into your house.
But why does he create so many? If you should find one or two and delete them, he still has access.
But that isn’t the only trick up his sleeve. When hackers find a backdoor via a program, they will create more backdoors and make a note of the website. The program may fix that “leak,” but the hackers still have access. And so that you don’t know how they gained access, they may wait and start attacking weeks or even months later.
Sometimes the best way to hide is by confusing users. This relies on what is called multiple levels of obfuscation. This means code hidden in code. To the common user, this looks like a jumble of complicated coding, so they decide, “well, I guess I need this” and leave it.
So you would have to use a program that decodes this jumbled up code to see the actual function of the code. And even then it may have hidden purposes.
This was actually the trouble maker for her website. This caused her mobile users to be redirected to other websites.
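To show what "a program that decodes this jumbled up code" does, here is an added example (not one of the tools used on this cleanup) that peels nested `eval(gzinflate(base64_decode('...')))` layers statically, without running any PHP. The decoder list, the function names and the sample are assumptions constructed for illustration; the sample's payload is a harmless echo.

```python
import base64, codecs, re, zlib
from pathlib import Path

# PHP decoders often stacked around an encoded literal, as Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
# Matches eval(f1(f2(...'literal'...))); with any stack of the decoders above.
WRAPPED = re.compile(
    r"eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)(['\"])([^'\"]+)\2[\s)]*;" % "|".join(DECODERS))

def peel(source, max_layers=20):
    """Statically unwrap nested eval(decoder('...')) layers. Never runs PHP.
    Returns (layers_removed, innermost_text)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPED.search(source)
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))   # outermost decoder first
        try:
            data = m.group(3).encode("latin-1")
            for name in reversed(chain):         # PHP evaluates innermost first
                data = DECODERS[name](data)
        except (ValueError, zlib.error):
            break                                # undecodable layer: stop here
        source, layers = data.decode("latin-1"), layers + 1
    return layers, source

def scan_tree(root):
    """Return [(path, layers, preview)] for .php files containing wrapped code."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        layers, inner = peel(path.read_text(encoding="latin-1"))
        if layers:
            hits.append((str(path), layers, inner[:80]))
    return hits

def wrap(php):
    """Builds the constructed sample below; the payload is a harmless echo."""
    raw = zlib.compress(php.encode())[2:-4]      # strip zlib header and checksum
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()

SAMPLE = "<?php " + wrap(wrap('echo "constructed inner payload";')) + " ?>"

if __name__ == "__main__":
    print(peel(SAMPLE))  # layer count and the code a reviewer should read
```

Run `scan_tree()` over a copy of the site's files; every hit still needs a human to read the innermost code, since real wrappers vary beyond the five decoders listed here.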
But what is an IFrame Injection?
With this attack, the hacker injects an IFrame into websites and web pages. They can put another website into your own website. This means your website could be displaying another website on it. It could be injecting advertisements. In either case the visitors could be seeing your website with something you don’t want on your website!!
HOWEVER, not all IFrames are bad. IFrames are used to embed videos, Google AdSense and other programs. This is part of what makes injected ones so difficult to track down.
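Because legitimate and injected IFrames look alike, one practical check is to list every IFrame on a rendered page and flag those that point at a host you did not choose or that are hidden from view. This is an added example, not part of the original cleanup; the allowlist, the function names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only third-party embeds this site is known to use.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # A relative or missing src yields an empty host and is flagged for review.
        host = urlparse(a.get("src", "")).hostname or ""
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("host not on allowlist")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden or zero-size")
        if reasons:
            self.findings.append((self.getpos()[0], host, reasons))

def audit(html):
    """Return the IFrames in an HTML string that need a human look."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one expected video embed, two suspicious frames.
PAGE = """<html><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<iframe src="http://unknown.example.invalid/x" width="1" height="1"></iframe>
<iframe src="//other.example.invalid/ad" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, reasons in audit(PAGE):
        print(line, host or "(no host)", ", ".join(reasons))
```

Feed it the HTML that visitors actually receive, since an injected frame may be assembled by PHP or stored in the database rather than sitting in a template file.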
Sadly there are so many other types of malware that it would be impossible to list them all. However the two above and the backdoors are bad enough.
What caused this?
It turns out that the issue was related to her using OptimizePress, which is a common tool used by business owners who have WordPress websites. In fact, here is the very article she sent me.
Avast addresses the “WordPress Vulnerability that puts Mobile Visitors at Risk”
Soon after I posted this article on Facebook, another client emailed OptimizePress, then emailed me about how misleading the article was.
This states that the security flaw was in OptimizePress 1, and it was quickly found. If you deleted OptimizePress 1 and upgraded to 1.6, or at least deleted certain files and reloaded the newer files, your issue would be fixed.
Yes. My other client and OptimizePress are right: it was fixed.
No, the Avast article didn’t address which version.
However this is not the only issue. OptimizePress had the leak and while it was only a week long, even a very vigilant WordPress updater may not be checking on their website daily. Thus an update may sit to the side for days or even weeks. But even a few days is more than long enough for a hacker’s program to find multiple sites with a backdoor and add more backdoors.
Yes, updates are important.
You update your computer to help keep hackers out of it. You also need to keep your website (WordPress, Joomla etc…) and all plugins and themes updated to reduce security leaks. However just keeping your website updated may not keep you safe.
Real World Example
You have locks on the doors of your house. You probably have at least two kinds. There are regular key locks, deadbolt locks, chain locks, latch and bolt and more. You may give your key to someone, so they can check on the plants. But what if that person tells a less than reputable person? What if that person makes a copy of your key? They may not break in right away.
While that analogy is closest to the issue of backdoors, that’s not the only weakness in your house. What about that bathroom window you never lock? What about the attic access? As a homeowner you do what you can to make your home look “less tempting.”
The same is true for website owners.
The hackers could have gotten in while the issue existed. The hackers could have gotten into your website through different means.
I can help!
If you have issues, contact me!
Your websites are an important part of your business and I can help! Contact me at mj @ mediaguardgroup . com
I know many users of OptimizePress have several websites and I can offer you a package rate.
Want to sign up now?
Or want to know more about the services that can help your website?
- Website Rescue – $180 Removal of Viruses, Hacking and Malware
- WordPress Hacker Guard – $347 this reduces possible leaks in your WordPress Website
- WordPress Hacker Guard Plus – $597 with a year of monitoring and weekly backups
- Want monthly maintenance, updates, security, backups and more? Contact me.
And if someone referred you, please let me know who.