Richieh, Posted December 28, 2014
My site has been hacked? It seems like a conditional redirect hack, but I'm not too certain. At random times when clicking on any links it redirects the customer to an adult site. It comes and goes, so it is hard to reproduce the issue. I have spoken to the hosting company, and even they could not trigger the issue and had been of no help thus far. And I've scoured the internet and forums looking for possible solutions. Since the attack, I have changed all passwords - ftp, database, prestashop. I have tried to look at all the possible files that may have been modified, including .htaccess, and I still have no luck. Any advice would be greatly appreciated.

BarryH, Posted December 28, 2014
Any chance it is localized to just your browsing machine? Are you seeing the same behavior from multiple browsers and/or multiple machines?

Richieh (Author), Posted December 28, 2014
I don't think it is localized. The customer that notified me told me it came up on his home desktop, his smartphone and his son's smartphone. My manager, who tried it at his own home, also had the same result on his phone and tablet. They also notified me that it didn't always redirect from the same link. I have personally tried to pull the same results on all major browsers on the desktop, including my own smartphone, but it did not redirect me at all.

Dh42, Posted December 29, 2014
It is going to be very hard to tell without a link to the site.

Richieh (Author), Posted December 29, 2014
Link to the site is totowaairsoft.com

Dh42, Posted December 29, 2014
It does look like it has been hacked. Do you have a backup of the site?

bellini13, Posted December 29, 2014
I was able to get redirected once after clicking the airsoft guns link from the menu. However, it only occurred once, and I tried many different links and pages and it never occurred again. So I was not able to catch any of the HTTP responses to see where the redirect was occurring. You'll need to trace if it is a bit of JavaScript code being executed, or something within the core coding.

Richieh (Author), Posted December 29, 2014
I do have a backup from a few months back. We haven't decided yet if it is better to wipe everything and upload the backup. It still would be good to know for future reference should it ever (hopefully never) happen again. In terms of tracing, I'm not sure how to do it. I've tried looking through many of the possible main core files it may have infected, but I'm literally in the dark.

DotMedia, Posted December 29, 2014
Hi Richieh, PM me if you'd like me to take a look.

musicmaster, Posted December 29, 2014
You could try looking in FTP at the date of your files. If some have a suspiciously new date you could replace them with a backup. However, I have also seen hacks where hundreds of files had been changed. So this may not work in all cases.

Richieh (Author), Posted December 29, 2014
I did try looking at the FTP date also, just in case, and there was absolutely nothing recent that had been modified, unless they also somehow changed that?? I'm going to take a look at the date again to see if I missed something.

El Patron, Posted December 29, 2014
If you have recent anti-virus on your computer, then download your files using FTP to see if the anti-virus detects a bad file. This typically works. Look in /js/ folders first for any updates. Check that you have 755 folders and 644 files (.665 .htaccess)...good luck! In the future you can use this module to email you when file/file date/file permissions change. http://www.prestashop.com/forums/topic/303132-module-prestavault-malware-trojan-virus-protection/

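Added example, not part of any post in this thread: a Python 3 audit that combines the file-date check and the 755/644 permission check suggested above, and also compares mtime with ctime, since the owner of a file can set its mtime to any value while the kernel sets ctime. It assumes shell access on a Linux host (FTP listings only show mtime); the names `audit_webroot` and `make_sample` and the sample tree are constructed for illustration.

```python
import os, stat, sys, tempfile, time

DAY = 86400

def audit_webroot(root, recent_days=30, skew_seconds=3600, now=None):
    """Return (relative_path, reason) pairs worth a manual look under `root`."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * DAY
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # do not follow or judge symlinks
            rel = os.path.relpath(path, root)
            is_dir = stat.S_ISDIR(st.st_mode)
            mode = stat.S_IMODE(st.st_mode)
            expected = 0o755 if is_dir else 0o644
            if mode & 0o002:
                findings.append((rel, "world-writable (%03o)" % mode))
            elif mode != expected:
                findings.append((rel, "mode %03o, thread suggests %03o" % (mode, expected)))
            if is_dir:
                continue  # directory timestamps change whenever entries are added
            if st.st_mtime >= cutoff:
                findings.append((rel, "modified in the last %d days" % recent_days))
            elif st.st_ctime >= cutoff and st.st_ctime - st.st_mtime > skew_seconds:
                # Setting mtime by hand (touch -d) itself bumps ctime to "now".
                findings.append((rel, "old mtime but recent ctime: possibly backdated"))
    return findings

def make_sample(root):
    """Constructed sample tree: two backdated files, one of them world-writable."""
    os.mkdir(os.path.join(root, "js"))
    os.chmod(os.path.join(root, "js"), 0o755)
    for name, mode in (("js/tools.js", 0o644), ("index.php", 0o666)):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("// constructed sample\n")
        os.chmod(p, mode)
        os.utime(p, (time.time() - 100 * DAY,) * 2)  # backdate atime and mtime
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    for rel, reason in audit_webroot(root):
        print("%-50s %s" % (rel, reason))
```

A recent ctime also follows a chmod, a rename or a restore from backup, so the "possibly backdated" finding is a lead to compare against a known-good copy, not proof of tampering.
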
Richieh (Author), Posted December 31, 2014
I'll try that and see if it works out.