

Adult Web Sites Pop up when visitors browse websites that are hosted on server




Posted by jonMEGA, 08-20-2013, 01:05 PM
I've had two different website account owners report that they have random adult websites pop up when they themselves browse their site or when other visitors browse their site. I spent a lot of time trying to visit different pages on their sites to see if I have the same issue so I can further investigate it. I'm running cPanel 11.38.2. CSF and LFD are installed, and I have scanned for rootkits, but there aren't any. Do you know what the issue might be? What tools can I use to find the problem? I asked these folks if they have any issues with malware on their local computer and they claim to be clean, saying the only issue is that these websites will pop up from time to time. Any help to fix this embarrassing problem is appreciated.

Posted by HiveNode, 08-20-2013, 01:10 PM
Run their sites through http://sucuri.net/ and see what comes up.

Posted by jonMEGA, 08-20-2013, 01:19 PM
No issues reported with either site on sucuri.net. Last edited by jonMEGA; 08-20-2013 at 01:28 PM.

Posted by LankapartnerHost, 08-20-2013, 01:32 PM
You may need to check your web pages' coding as well. Did you add any counter or similar addon to the web pages?

Posted by jonMEGA, 08-20-2013, 01:39 PM
No counters. One of the sites is running Magento and the other is a new account running WordPress 3.6. The WordPress site was just installed last week.

Posted by HiveNode, 08-20-2013, 02:10 PM
Can you post the links?

Posted by jonMEGA, 08-20-2013, 03:37 PM
I'd rather not post them here, but if you're interested I can PM them to you.

Posted by WPCYCLE, 08-20-2013, 03:40 PM
Here is what you need to do... not a full remedy since I do not have access, but a good start:
1. You or request the host to change your password
2. Use a character-generated password like 39dhdkjbf043&*&%$
3. Re-install WordPress with clean files
4. Look in your htaccess files for anything that shouldn't be there. If you're not sure, ask the host to look into the file
5. Load a clean copy of your theme
Let us know if any of that helps. THEN:
6. Add security plugins (firewall, secure, loginlockdown)
7. Delete not needed or deactivated plugins
8. Delete ALL themes you're not using, BUT leave one default theme, which is now TwentyThirteen.
Let us know how it goes.

Posted by jonMEGA, 08-20-2013, 03:51 PM
I can take a look at the htaccess files on the server, but every time I look at the site for issues I don't experience the pop ups. I'm pretty sure it's not malware on the visitors' machines doing this either, since it's different users and visitors and they report seeing it from Windows machines, Mac machines and different tablets (iPad and Android phones). Every time I look, though, I don't have any issues.

Posted by WPCYCLE, 08-20-2013, 03:54 PM
Malware can be hidden in the theme, or anywhere within the site, and loaded to the visitor's computer. Every computer will treat the site differently depending on its security setup... which could lead to Google blocking the site. I forgot to mention, scan your computer too.

Posted by Atlanical-Mike, 08-20-2013, 03:57 PM
One of my mates has this on his hosting24 account, visitors on mobiles / tablets redirect to adult sites or Google, he has a WordPress... Oh and they don't have ClamAV for him to scan.

Posted by WPCYCLE, 08-20-2013, 03:59 PM
Can you ask the host if they have maldet, Sucuri, or an equivalent scanner to check your account?

Posted by Mr Terrence, 08-20-2013, 04:01 PM
You may have some bad codes running on that account.

Posted by jonMEGA, 08-20-2013, 04:02 PM
But this basically brand new install, with the client using a fresh copy of WordPress, is having issues. The other client is having the same issues with Magento. This makes me believe that there is something on the server or in the config somewhere serving up these pages to visitors. Could Apache do this? Named? Bind? htaccess?

Posted by HostingCraze, 08-20-2013, 04:04 PM
I had the same issue. Check the URL given below. It should help you http://blog.sucuri.net/2013/04/apach...d-servers.html

Posted by Steven, 08-20-2013, 04:05 PM
You may be a victim of one of the new Apache-based malware like Darkleech: http://www.pcworld.com/article/20436...-campaign.html

Posted by Mr Terrence, 08-20-2013, 04:20 PM
So the servers have to be compromised first before this can be installed?

Posted by jonMEGA, 08-20-2013, 04:23 PM
I ran the grep command that they mentioned in the article and here are the results:

    root@imega01 [~]# grep -r open_tty /usr/local/apache
    grep: /usr/local/apache/logs/fpcgisock: No such device or address
    Binary file /usr/local/apache/bin/httpd matches

Posted by Vernard, 08-20-2013, 05:04 PM
There are two scenarios here. A.) Your customer can be the one with malware on their PC. Just to make sure, I'd recommend them to run a malwarebytes scan & postfix scan. B.) The affected sites have been injected with a malicious redirect. Check all your .htaccess files to ensure no redirects are in place. Usually hackers like to place them at the very bottom of the file or in the middle. To make sure, use SSH to view them rather than the cPanel file manager. Most of the time, hackers encode their malware. So running the following command can help you find files that utilize base64 encoding.
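The .htaccess and base64 checks suggested in the post above, as an added example (not the poster's command and not code from the thread). The patterns are illustrative heuristics, and the sample tree, file names and `redirect.example.invalid` host are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: heuristics only; every hit still needs a manual read.

# scan_htaccess DIR: print file:line:text for rewrite conditions keyed on the
# visitor's user agent or referer, and for redirects to an absolute URL.
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -HnEi \
        -e 'RewriteCond[[:space:]]+%\{HTTP_(USER_AGENT|REFERER)\}' \
        -e '(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' \
        -e 'ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' {} + || true
}

# scan_encoded_php DIR: list PHP files that feed decoded data straight to eval().
scan_encoded_php() {
    find "$1" -type f -name '*.php' -exec grep -lEi \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + || true
}

# make_sample_tree: build a constructed two-site tree and print its path.
# site_a carries a redirect that only fires for mobile user agents, which is
# why an admin browsing from a desktop would never see it.
make_sample_tree() {
    _d=$(mktemp -d)
    mkdir -p "$_d/site_a/wp-content" "$_d/site_b"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' \
        'RewriteRule ^index\.php$ - [L]' '# END WordPress' \
        'RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad) [NC]' \
        'RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]' \
        > "$_d/site_a/.htaccess"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule ^index\.php$ - [L]' \
        > "$_d/site_b/.htaccess"
    # Constructed payload: the base64 string decodes to a harmless "echo 1;".
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$_d/site_a/wp-content/cache.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$_d/site_b/index.php"
    printf '%s\n' "$_d"
}

tree=$(make_sample_tree)
echo "== .htaccess hits =="; scan_htaccess "$tree"
echo "== encoded PHP ==";    scan_encoded_php "$tree"
rm -rf "$tree"
```

On the server, pass the directory that holds the account document roots instead of the sample tree. A clean result here says nothing about the web server binary itself, which these file-level checks do not examine.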

Posted by Silvatech, 08-20-2013, 05:46 PM
Did a trace route, I have not seen that bad of a trace route in a long time. 25 hops, I deleted the routes in between.

    9 * * * Request timed out.
    10 * * * Request timed out.
    11 * * * Request timed out.
    12 * * * Request timed out.
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.

Interesting traceRT, Last edited by Silvatech; 08-20-2013 at 05:55 PM. Reason: Edited out his information in case of bots ETC ETC.

Posted by Steven, 08-20-2013, 07:35 PM
That is correct.

Posted by Steven, 08-20-2013, 07:36 PM
You are likely compromised, at the root level. A simple clean up job will not be possible, you need to find out how you were actually compromised. My guess is an outdated kernel exploited through a vulnerable PHP script. Rkhunter / Chkrootkit do not detect all rootkits. You may also have an OpenSSH rootkit, this is common with these types of compromises. Last edited by Steven; 08-20-2013 at 07:40 PM.

Posted by Yujin, 08-20-2013, 09:37 PM
Quick solution: If you believe that your code is clean, migrate the website to a temporary server (clean and updated of course). If you're currently using a VPS then clean it up; if this is shared and your provider is ignoring you, leave them permanently.

Posted by HostingCraze, 08-21-2013, 02:09 AM
This result shows that your server is compromised. Your Apache binary has been modified by the hacker. The best option would be to OS-reload your server and restore your accounts from backups. Did you have RAID enabled for this server?

Posted by WPCYCLE, 08-21-2013, 02:22 AM
If the host cannot help, leaving might be an option, BUT you will possibly just carry the issue to your new host. How long have you been with this host? Are they one of the popular ones? The one issue that might arise is whether the host will help clean up your files. Some will (free or extra fee), some won't. If you're not trained in cleaning your files, you might have to hire someone to look into it... and this includes your site files, and any/every client that has access to the account files.

Posted by Steven, 08-21-2013, 11:07 AM
They still have to audit the server first and figure out the way it was compromised.

Posted by HostingCraze, 08-21-2013, 04:00 PM
Yea, I do agree with that. But it is a little bit of a time-consuming process and it would be tough to pinpoint that.

Posted by Steven, 08-27-2013, 05:02 PM
So you'd rather get compromised again than find the cause?


