Unknown website redirect (could client somehow be hacked)?

First, here is the main website http://prestigesolar.net/

I just got an email saying "hey this link is going to some other place and it's not supposed to do that, please change it to the correct page link"

Read More

The link in question is, well, if you visit the site above and scroll down, you'll see 3 columns. The problem begins in the first (left) column where it reads "Hurricane Resistant Windows & Doors".

When you mouse over the image/header/"read more" links they all point to the SEO-friendly link, like so (prestigesolar.net/Hurricane-Resistant-Windows-Doors) etc. But when you click it, it goes to some spam site.

Also, when that spam site loads, the URL in the address bar reads the same as the SEO-friendly link of the page it is originally supposed to go to.

I go in and look at the link and it's hard-coded in a WordPress manner, like so:

<a href="<?php bloginfo('url');?>/hurricane-resistant-windows-doors">

and it still leads to the spam site. When I manually changed the link to point to Google like this <a href="https://www.google.com/"> it still went to the spam site.

I went to the .htaccess just to peruse and saw nothing there aside from the normal (see below).

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

I then went into the page itself on the WordPress side of things, looked in the HTML tab and found nothing, just text and a few normal p tags etc.

I then downloaded the page and single.php files and they're super simple, nothing in them: simple includes of the footer/header/sidebar files.

I searched through those 3 (footer/header/sidebar) and nothing out of the norm.

On a side note, when I manually go to that page via the WordPress back-end and click the "view page" button, the page opens like normal. If I then navigate to another page and hit the back button to navigate back to the page, it too loads like normal. If I copy the URL, paste it in another browser and visit it, it loads normal. It's only in the transition from the click on the homepage to that page that the hijacking is taking place.

I've been at this for a little while trying to figure it out but I'm out of ideas. Can someone point me in the right direction? Any help, hints, anything, I humbly appreciate.

Thanks in advance.

1 comment

  1. It looks like you have two different pages there (two different URLs); one has been overwritten (or created) with this spam HTML and actually exists on the prestigesolar.net server (so no redirect is involved).

    The faulty page is at:

    http://prestigesolar.net/hurricane-resistant-windows-doors

    Whereas the correct page is at:

    http://prestigesolar.net/hurricane-resistant-windows-and-doors

    The difference is the -and part.

    If someone has managed to write an unwanted page to your server/site, it's probably a good idea to change your WordPress login and any other passwords that might be involved, and to make sure you delete the offending additional pages.

    Update

    Unfortunately, without more information on your specific set-up it is a bit difficult to say what is going on. Assuming you are using the bundled version of WordPress (i.e. the installed version, not wordpress.com), it would seem that the attacker has actually gained access to your server by way of FTP or SSH; this hypothesis is reaffirmed if you can see nothing of this spam content when using the WordPress admin panels.

    From looking at the source you need to search your server for the following files and directories:

    garca
    click1.php
    click3.php

    Assuming you have SSH access and your server is running a Linux flavour, you can search your entire web directory using the following command:

    find / -name "click1.php"

    Replace the slash with your webroot folder, and the "quoted" section with what you are searching for, i.e. "garca". The above hopefully should track something down; if not, it could be because the attacker has masked the files either by .htaccess (which you have already checked) or by something even more worrying, i.e. modifying your apache.conf.

    Other than the above I don't know what else to suggest: change all logins, and if you are using a particular web host, possibly let them know, as the security hole might be due to software that they have installed elsewhere. You should probably also upgrade your version of WordPress, as new security holes are discovered in that kind of software all the time.

    Good luck with it.
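The sweep the comment above describes, as an added shell example that is not part of the original post or comment: it searches a webroot for the listed names and also lists any extra .htaccess files below the top level, since the comment notes that a planted .htaccess can mask files. The webroot path and the demo directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Searches a WordPress webroot
# for the file/directory names the comment lists, and for .htaccess files in
# subdirectories that could be rewriting or hiding requests.

# find_indicators WEBROOT NAME...
# Prints every file or directory under WEBROOT whose name matches one of
# NAME..., one path per line. Returns 0 if anything was found, 1 otherwise.
find_indicators() {
    webroot="$1"; shift
    found=1
    for name in "$@"; do
        # -name matches files and directories alike, exactly as the comment's
        # "find / -name" does; WEBROOT replaces the slash.
        matches=$(find "$webroot" -name "$name" 2>/dev/null)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            found=0
        fi
    done
    return $found
}

# extra_htaccess WEBROOT
# WordPress writes one .htaccess at the top of the webroot (the block the
# question shows). Any .htaccess deeper in the tree was put there by someone
# else and deserves a look, so list those only.
extra_htaccess() {
    find "$1" -mindepth 2 -name .htaccess 2>/dev/null
}

# Constructed demo tree standing in for a real webroot (assumption).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads/garca"
: > "$demo_root/wp-content/uploads/garca/click1.php"
: > "$demo_root/.htaccess"                      # the normal WordPress one
: > "$demo_root/wp-content/uploads/.htaccess"   # planted in a subdirectory

echo "indicator hits:"
find_indicators "$demo_root" garca click1.php click3.php
echo "extra .htaccess files:"
extra_htaccess "$demo_root"
rm -rf "$demo_root"
```

On a real server, replace the demo tree with the actual webroot path and add any other names you spot in the spam page's source to the argument list.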