I’ve decided to rewrite this article in English as many people seems to have the same trouble, but is very hard to find the solution. If you want this article in Japanese, click here. この記事の日本語版 “ワードプレスサイトが検索エンジンから来ると自動的に転送されてしまう症状” は左記リンクをクリックして下さい。
The beginning of this matter was when I googled my own site and clicked on it, it gets redirected to a “googesearch.biz” domain
At first, I thought that my PC got infected with a virus. But when I directly typed in the URL, it does not get redirected at all. Well, very clever. Anyway, I didin’t know what has caused this matter, so I cut my PC from the web and made a virus check, waited the entire night. But nothing.
After when the site got redirected successfully, it gets redirected again to another site.
The process are as follows:
- When an infected site gets searched in a search engine such as google, and the user clicks on it,
- and the infected site loads partially, or loads entirely, it gets redirected automatically to an URL address starting with “http://googosearch.biz”.
- Furthermore, when the “http://googosearch.biz” site loads successfully, it redirects to another site, at which my time was a sweepstakes site.
- If the “http://googosearch.biz” site does not load successfully, it just stays on that website that looks like a google site that looks a bit old.
The “googosearch.biz” domain gets redirected to the IP address of “18.104.22.168”. This IP address is for “googosearch.biz” and it redirects everything from what it get searched such as from google
This time, the search term of “802.3at” has been used to search Ragnite Blue in google.
After, when the the website gets successfully redirected, it gets redirected to the URL similar to below.
But, a popup appears first.
Like those malicious softwares that looks like the antivirus softwares, this website is trying to look like google. However, its like the old google’s website and also, it can be seen that it failed to completely copy the google website and/or partially loaded google website.
Now, if you’ve installed malwarebytes and tried accessing this land mine, malwarebytes successfully denies access to this malicious website of “googosearch.biz”.
<code> 09:47:38 Administrator IP-BLOCK 22.214.171.124 (Type: outgoing) 09:47:41 Administrator IP-BLOCK 126.96.36.199 (Type: outgoing) 09:47:47 Administrator IP-BLOCK 188.8.131.52 (Type: outgoing) </code>
As it was blocked, Chrome couldn’t load the page.
Below is the code from the redirected malicious website “googosearch.biz”‘s html code. Do not use it for bad things!
Website code deleted as it is just cosmetics.
Below is the code that actually does the bad thing that is implemented in the “functions.php” file.
Actual code has been deleted but saved as a text file for informational purposes below.
If you’re having this problem, just delete the above code from your “functions.php” file and upload the corrected file to your server and everything shall be good as before!