Site Redirects To Porn on Mobile Devices

    #15527
    Inger
    Participant

    Hi

    I’ve recently installed BPS Pro on another of my web sites but was notified that the site redirects to porn on mobile devices.

    What should I do to weed out the code that is causing this?
    Cheers
    Inger

    #15528
    AITpro Admin
    Keymaster

    First you need to find out if you really have a problem or that is really occurring.  In other words, before you start digging around/wasting your time you need to verify yourself that this really is occurring.  The first question that pops into my head is why would the site only redirect on a mobile device, the following questions are is the mobile device hacked or hijacked and there are several other questions that should be answered before assuming that the problem is really occurring and that it is occurring on your website.

    The Forum Topic Link below has a link to a website that has online mobile device emulators so that you can simulate visiting your website as if you are using a mobile device.

    http://forum.ait-pro.com/forums/topic/mobile-device-security-log-entry-mobile-device-tester-mobile-device-emulator/#post-14822

    #15532
    AITpro Admin
    Keymaster

    I checked this site:  creatingthestory.com with iPhone, iPad, Mobi and some other simulators/emulators and the site does not redirect to a porn site.  Tell your friend that their mobile device is probably hacked/hijacked and to lay off sniffing glue and visiting porn sites.

    #15538
    Inger
    Participant

    Well thanks for getting back so quickly. I checked it myself on my own mobile and yes it does redirect to instabang.com via a number of other sites. And no I’m not in the habit of either sniffing glue or visiting porn sites. So what now?

    #15539
    AITpro Admin
    Keymaster

    That is not happening for me from my mobile device or any of the emulators that I used to check the site so I don’t know why that would be, unless you originally checked with your mobile device and your mobile device is hacked/hijacked.  After you have confirmed that your mobile device is not hacked/hijacked then I guess check your root .htaccess file to see if there is any .htaccess redirect code that redirects by user agent or IP address in your root .htaccess file.  I also scanned the site with my scanner and the Sucuri SiteCheck scanner and the site is clean by both scanners.  Not sure what else to tell you here since the site appears to be clean.
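
The root .htaccess check suggested in the post above can be scripted. This is an added example, not part of the original thread or of BPS Pro: it flags any RewriteRule that sends visitors to another host when the rule is guarded by a user-agent, IP address or referer condition. The function name, the sample file and the host names (`example.com`, `redirect.example.invalid`) are constructed for illustration.

```python
import re

# Server variables that let a rule single out mobile visitors, particular
# addresses or search-engine referrals; flagging the referer is an addition.
SUSPECT_VARS = ("HTTP_USER_AGENT", "REMOTE_ADDR", "HTTP_REFERER")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def find_conditional_redirects(htaccess_text, own_host):
    """Return RewriteRules that send selected visitors to another host."""
    own = own_host.lower()
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        cond = COND_RE.match(line)
        if cond:
            if cond.group(1).upper() in SUSPECT_VARS:
                pending.append((lineno, cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        # An absolute URL on a different host is an external redirect,
        # with or without an explicit [R] flag.
        m = re.match(r"https?://([^/:]+)", target, re.I)
        host = m.group(1).lower() if m else None
        external = host is not None and host != own and not host.endswith("." + own)
        if pending and external:
            findings.append({"rule_line": lineno, "target": target,
                             "conditions": pending})
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


# Constructed sample: stock WordPress rules, one user-agent-gated off-site
# redirect, and one legitimate same-site canonical redirect.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad|mobile) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/in.php [R=302,L]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""
```

Run it over every .htaccess file under the web root, not only the root one, since rules in subdirectories are applied as well.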

    #15565
    rafaelmagic
    Participant

    Yep, it ONLY redirects on mobile. Do you have a separate Mobile Site with WP-Touch?

    Do this:
    Change your Passwords
    Update ALL plugins and themes, WP Core.
    [suggestion removed]
    [suggestion removed]

    #15569
    AITpro Admin
    Keymaster

    @ rafaelmagic – thank you for the suggestions, but a couple of them were removed.  Thank you again for the suggestions.

    @ Inger – Ok at this point the site still does not redirect for me on my mobile device, but I would like to log into this site to see if there is something that my mobile device, my scanner and the Sucuri SiteCheck scanner are all missing/not detecting.  I also need to know the history of this website.  Has this site ever been hacked before?  If so, when was it hacked?  Please send an Administrator login to this website and the answers to my questions to edward at ait-pro dot com.

    #15577
    AITpro Admin
    Keymaster

    Logged into your site at 5:32pm.  Logged out of your site at 5:58pm.

    I installed the most current version of BPS Pro and added some BPS Pro Bonus Custom Code.
    Your Plugin Firewall needed some additional whitelist rules so I added those.
    I scanned your site with the BPS Pro Pro-Tools DB String Finder and String Finder tools – no malicious code was found.
    I manually checked all .htaccess files – no malicious code was found.

    The only other logical explanations are that either this is a drive-by thing, the redirects are loading from one of the many 3rd party links that you have loading on your website or the redirect is occurring at the CDN or Cloud level.

    You should set up the new JTC Anti-Spam/Anti-Hacker security feature that was added in the more current version of BPS Pro that I upgraded you to: 8.3 on your site. 9.0 comes out in the next couple of days.

    #15578
    AITpro Admin
    Keymaster

    If I could see the redirect happening I would be able to trace the source, but after scanning the site with my scanner on steroids, using internal Pro-Tools, using other scanners, using my mobile device, using numerous emulators and simulators I have not seen any malicious code or the redirect.

    I am pretty good at logical guesses and I think that if something fishy is going on it has to do with this…

    My best guess is it has something to do with this: You have an Ad link to this external Flash website loading on your website: creative.prf.hn
    Flash can be hijacked fairly easily if it is not very well secured. If the Flash site is being hijacked/manipulated and you are linking to it then your site is vulnerable to whatever exploit has been done on this site. This is all just speculation and logical guesswork, but I noticed that the Harry Potter site’s Flash is not secure at all and what was downloaded to my computer set off all kinds of alarms with my anti-virus and other security software installed on my computer. So most likely that 3rd party site using Flash dangerously is where the source of the problem is. Since you are loading this 3rd party site on your site your site can also be manipulated/exploited.

    http://creative.prf.hn/source/screativeref:325052?clickTag=http%3A%2F%2Fprf.hn%2Fclick%2Fcamref%3A11l3kR%2Fcreativeref%3A305904%2Fscreativeref%3A325052&clickTAG=http%3A%2F%2Fprf.hn%2Fclick%2Fcamref%3A11l3kR%2Fcreativeref%3A305904%2Fscreativeref%3A325052&clicktag=http%3A%2F%2Fprf.hn%2Fclick%2Fcamref%3A11l3kR%2Fcreativeref%3A305904%2Fscreativeref%3A325052&root.clickTag=http%3A%2F%2Fprf.hn%2Fclick%2Fcamref%3A11l3kR%2Fcreativeref%3A305904%2Fscreativeref%3A325052&CJclickTag=http%3A%2F%2Fprf.hn%2Fclick%2Fcamref%3A11l3kR%2Fcreativeref%3A305904%2Fscreativeref%3A325052
    
    Connection     keep-alive
    Content-Type   application/x-shockwave-flash
    Date           Fri, 13 Jun 2014 01:15:47 GMT
    P3P            CP="NOI DSP COR PSAa PSDa OUR IND UNI"
    Server         nginx
    Transfer-Encoding       chunked

    #15580
    Inger
    Participant

    Thanks Edward

    Really appreciate your help with this – above and beyond the call of duty.  I have removed flash ads and am hoping this will work. Thought, as it came from a reputable source, it would be fine but like most things concerning the internet, obviously not.

    Cheers
    Inger

    #15581
    AITpro Admin
    Keymaster

    Yep, no problem and I just confirmed that that site’s Flash has an XSS Vulnerability that I was able to exploit.
