
Fake Adult Dating Site Redirection from Google Search & SERP Result Spam – WordPress, Magento, Joomla

Published on: June 8, 2020


A redirection malware campaign has surfaced in which visitors are sent to fake adult dating sites. Thousands of spam pages are added to the compromised website and indexed by Google Search. Searching Google for site:example.com (with your own domain in place of example.com) shows results like these:

The campaign adds fake pages and redirects for several spam families: essay writing, pharmacy ("pharm"), dating, loans, media and malicious downloads. The same six keywords appear verbatim in the decoded payload later in this post.


Clicking any of the indexed links redirects you to a site with explicit content and messages such as the one shown below.

Dating Site Redirection Malware

How to tell if your website is infected?

  1. Google Search returns many results for pages on your domain that you did not create
  2. Clicking your own links in Google redirects you to adult, gambling or dating sites
  3. New pages exist on your website that you did not add
  4. Unknown admin users appear in your admin dashboard
  5. Your website has become noticeably slower
  6. You have received a warning from Google Search Console


How to find the redirection hack in Drupal sites?

We investigated this campaign on a Drupal 7 site. The attackers had split the malware into a loader registered in the database and a payload stored under an image filename, with the real code hidden behind several layers of encoding, so neither a casual file review nor a plain database review would have shown anything obviously malicious.

Scanning the site with Astra's malware scanner flagged a suspicious file at includes/template.inc. The includes/ directory belongs to Drupal 7 core, but no template.inc ships with it, which is what made the file stand out.

Further investigation showed that template.inc had been registered in the Drupal code registry, the registry table in the database that maps class and interface names to the file declaring them, so that Drupal's autoloader includes the file automatically on each request. The entry lived in the database, not in any module or theme on disk.

The registry is a key-value store which loads on each request and contains information about the request and other context. It allows modules to set and request information along the execution chain.

Drupal Developer Documentation
Malware disguised as the MimeTypeDefinitionService in the Database

The next step was to work out what the flagged file did, starting with its getMimeDescription() function. Despite the name, it performs no MIME lookup; it assembles a file path one segment at a time so that the payload location never appears as a literal string:

    // Obfuscated path builder from the planted includes/template.inc.
    // $indicies is a fixed permutation over $mimeMarkers; applying it yields
    // the directory segments of the payload in the right order.
    public function getMimeDescription($documentDir) {
        $indicies=array(8, 5, 0, 1, 9, 4, 6, 7, 3, 2);
        $mimeMarkers=array('themes', 'Porto', 'loader1', 'light_rounded', 'prettyPhoto', 'all', 'images', 'prettyPhoto', 'sites', 'vendor');
        $mimeType='gif';                            // extension of the dropped payload
        $selecteds=array();
        foreach($indicies as $index) {
            // picks, in order: sites, all, themes, Porto, vendor, prettyPhoto, images, prettyPhoto, light_rounded, loader1
            $selected=$mimeMarkers[$index];
            $selecteds[]=$selected;
        }
        array_unshift($selecteds, $documentDir);    // prefix with the Drupal root passed by the caller
        $cachePath=join('/', $selecteds);
        return $cachePath.'.'.$mimeType;            // <root>/sites/all/themes/Porto/vendor/prettyPhoto/images/prettyPhoto/light_rounded/loader1.gif
    }

Evaluating the function with the Drupal root as $documentDir yields the path of a second, still active, malicious file:

sites/all/themes/Porto/vendor/prettyPhoto/images/prettyPhoto/light_rounded/loader1.gif

File contents of loader1.gif

The "image" is not a GIF at all but PHP. Its body is a deflated string wrapped in gzinflate(); inflating it exposed a further base64-encoded layer.
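Two checks that would have surfaced both halves of this infection, written here as an added Python example (this is not Astra's scanner and not code from the page): auditing rows exported from Drupal 7's registry table against the files on disk, and flagging files with image extensions that contain a PHP open tag or lack the format's magic bytes. The web root, its file contents and the registry rows are constructed fixtures that mirror the paths above; the class name MimeTypeDefinitionService is taken from the screenshot caption, everything else in the fixture is inert stand-in text.

```python
import os
import re
import tempfile

# Wrapper functions the decoded loader relied on; any of them in a registered
# class file is worth a manual look.
OBFUSCATION = re.compile(
    rb"\b(eval|assert|gzinflate|gzuncompress|base64_decode|str_rot13|create_function)\s*\("
)
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
# Expected leading bytes for the image extensions this campaign abused.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
HEAD = 256 * 1024  # bytes inspected per file


def _head(path):
    with open(path, "rb") as fh:
        return fh.read(HEAD)


def audit_registry(rows, webroot):
    """rows: (name, type, filename) tuples exported from Drupal 7's `registry` table.

    Flags registered files that are missing from disk, or that contain the
    decode-and-execute wrappers typical of loaders like the one in this write-up.
    """
    findings = []
    for name, kind, filename in rows:
        path = os.path.join(webroot, filename)
        if not os.path.isfile(path):
            findings.append((filename, f"{kind} {name}: registered file missing from disk"))
            continue
        hits = sorted({m.group(1).decode() for m in OBFUSCATION.finditer(_head(path))})
        if hits:
            findings.append((filename, f"{kind} {name}: obfuscation markers {hits}"))
    return findings


def find_php_in_images(webroot):
    """Image-extension files that carry a PHP open tag or lack the format's magic bytes."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, fn)
            head = _head(path)
            rel = os.path.relpath(path, webroot)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag inside image file"))
            elif not head.startswith(MAGIC[ext]):
                findings.append((rel, f"no {ext} magic bytes"))
    return sorted(findings)


def build_fixture():
    """Constructed web root mirroring the paths in this post; contents are inert stand-ins."""
    root = tempfile.mkdtemp(prefix="d7-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("includes/template.inc",
        b"<?php class MimeTypeDefinitionService { function run(){ eval(gzinflate(base64_decode('...'))); } }")
    put("includes/entity.inc", b"<?php class DrupalDefaultEntityController {}")  # genuine core file
    put("sites/all/themes/Porto/vendor/prettyPhoto/images/prettyPhoto/light_rounded/loader1.gif",
        b"<?php eval(gzinflate(base64_decode('...')));")
    put("sites/all/themes/Porto/images/logo.gif", b"GIF89a" + b"\x00" * 64)  # real image header
    rows = [
        ("DrupalDefaultEntityController", "class", "includes/entity.inc"),  # legitimate core entry
        ("MimeTypeDefinitionService", "class", "includes/template.inc"),    # the planted one
    ]
    return root, rows


if __name__ == "__main__":
    root, rows = build_fixture()
    for finding in audit_registry(rows, root) + find_php_in_images(root):
        print("%-90s %s" % finding)
```

On a live site the rows come from a query against the registry table (for example through drush sql-query) and webroot is the Drupal document root; the magic-byte check catches payloads that do not use an open tag at all, and the registry check is what a file-system-only scan misses.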

Several more rounds of base64 decoding and inflation of the loader1.gif payload were needed before readable code appeared. The final layer, excerpted below, contains the spam and redirect logic.

	// Excerpt from the final decoded layer; the identifiers are the malware's own,
	// renamed by its obfuscator, and the enclosing method header is not shown on the page.
	// Picks the spam category from the current page "theme": the six keywords are
	// the campaign families named earlier in this post.
	$v266=array('essay','pharm','dating','loan','media','download');
	if(isset($this->v254['theme'])){
		$this->v12->t4("page theme: '{0}'",$this->v254['theme']);   // internal debug log
		$v267=strtolower($this->v254['theme']);
		foreach($v266 as $v80){
			if(strpos($v267,$v80)!==false)return $v80;              // first keyword contained in the theme name wins
		}
	}
	else{
		$this->v12->t4("page has NO theme. old dor");
	}
	return 'default';
}

	// Builds the redirect target ("exit") for a matched spam page: t147() fills in
	// the exit URL template, and the result is returned together with the exit type.
	function t170($v268,$v148){
		$v269=$this->v255->t147($v268['exit']['url'],$this->v254,$v148);
		// [00] and [01] are octal literals for indexes 0 and 1
		return array('name'=>$v268['name'],'exit'=>$v268['exit']['type'],'url'=>$v269[00],'extparams'=>$v269[01]);
	}
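The unwrapping described above (gzinflate() around base64_decode(), repeated layer after layer) is mechanical enough to script. The following is an added Python example, not the malware's code and not Astra's tooling: it locates the innermost string literal, undoes the wrapper calls in the order PHP would have applied them, and repeats until no wrapper remains. The sample payload is constructed inside the block with the same raw-deflate-then-base64 wrapping, applied three times to an inert array literal; no real payload is embedded.

```python
import base64
import codecs
import re
import zlib

# PHP wrapper functions seen stacked around a string literal, and the Python inverse of each.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header: what gzinflate() undoes
    "gzuncompress": zlib.decompress,                 # zlib-framed (gzcompress/gzuncompress)
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
PASSTHROUGH = {"eval", "assert"}  # only execute the result; nothing to undo

# A chain of calls wrapped around one single-quoted literal: eval(gzinflate(base64_decode('...')))
CHAIN = re.compile(r"((?:[A-Za-z_]\w*\s*\(\s*)+)'([A-Za-z0-9+/=]{16,})'")


def peel(source, max_layers=32):
    """Unwrap nested decode-and-eval layers until plain PHP remains.

    Returns (final_source, trace); trace[i] lists the decoders undone at layer i,
    in the order PHP would have applied them (innermost call first).
    """
    trace = []
    for _ in range(max_layers):
        m = CHAIN.search(source)
        if not m:
            break
        calls = re.findall(r"[A-Za-z_]\w*", m.group(1))
        data = m.group(2).encode("ascii")
        undone = []
        for fn in reversed(calls):  # PHP evaluates the innermost call first
            if fn in PASSTHROUGH:
                continue
            if fn not in DECODERS:
                raise ValueError(f"unsupported wrapper function: {fn}")
            data = DECODERS[fn](data)
            undone.append(fn)
        trace.append(undone)
        source = data.decode("utf-8", errors="replace")
    return source, trace


# --- constructed fixture: the campaign's wrapping applied to inert code ---
INNER_PAYLOAD = "$v266 = array('essay', 'pharm', 'dating', 'loan', 'media', 'download'); return $v266;"


def wrap_once(php_code):
    """Raw-deflate then base64 a PHP snippet and wrap it in eval(gzinflate(base64_decode('...')))."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(php_code.encode("utf-8")) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode("ascii")


def build_sample(layers=3):
    """What a dropped 'loader1.gif' looks like after `layers` rounds of wrapping."""
    code = INNER_PAYLOAD
    for _ in range(layers):
        code = wrap_once(code)
    return "<?php " + code


if __name__ == "__main__":
    final, trace = peel(build_sample())
    for depth, chain in enumerate(trace, 1):
        print(f"layer {depth}: undid {' -> '.join(chain)}")
    print(final)
```

Run it against the real file contents instead of build_sample() to get the decoded source without ever executing it; the ValueError on an unknown wrapper is deliberate, since a decoder that silently skips a function would hand back bytes that look like garbage and hide the fact that another layer remains.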

How to stop your website from redirecting to Fake Adult Dating Sites?

To fully remove the redirection you have to scan both the website files and the database. As this analysis shows, the loader was registered in the database and the payload was hidden behind several layers of encoding in a file with an image extension, so a file-only or database-only cleanup leaves half of the infection in place.

To clean the malware yourself, refer to our malware cleanup guides, or have our security professionals fix the site for you.


Security recommendations to prevent dating site redirection

  1. Take a backup of your website in case it needs to be restored
  2. Update the CMS, plugins, modules and themes to their latest versions
  3. Identify the entry point the attackers used and close it
  4. Put the website behind a web application firewall
  5. Never assign 777 permissions; use 755 for folders and 644 for files
  6. Check whether unknown admin users have been added to the backend
  7. Move backup files (.zip, .sql, .tar etc.) out of public_html so they cannot be downloaded
  8. On Drupal 7, compare the registry table against the files your installed modules and themes actually ship; this campaign registered includes/template.inc there
  9. Look for PHP code in files with image extensions under sites/, as with loader1.gif above
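Recommendations 5 and 7 as a runnable check, added here as an example (not Astra's tooling and not from the original post): it walks a web root, reports world-writable entries and archive or dump files, and can reset modes to 755 for directories and 644 for files. The web root it inspects is a constructed fixture in a temporary directory.

```python
import os
import stat
import tempfile

BACKUP_EXT = {".zip", ".sql", ".tar", ".gz", ".tgz", ".bak", ".old"}


def hardening_audit(webroot):
    """World-writable entries and backup archives below webroot, as (relative path, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode is meaningless; its target is audited where it lives
            rel = os.path.relpath(path, webroot)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%o)" % stat.S_IMODE(mode)))
            if stat.S_ISREG(mode) and os.path.splitext(name)[1].lower() in BACKUP_EXT:
                findings.append((rel, "backup/archive inside web root"))
    return sorted(findings)


def fix_permissions(webroot):
    """Apply 755 to directories and 644 to files below webroot; returns the number of entries changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(webroot):
        targets = [(d, 0o755) for d in dirnames] + [(f, 0o644) for f in filenames]
        for name, want in targets:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.stat(path).st_mode) != want:
                os.chmod(path, want)
                changed += 1
    return changed


def build_fixture():
    """Constructed web root: a 777 files directory, a 666 index.php and a stray SQL dump."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files_dir = os.path.join(root, "sites", "default", "files")
    os.makedirs(files_dir)
    os.chmod(files_dir, 0o777)
    for rel, mode in (("index.php", 0o666), ("backup-2020.sql", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for finding in hardening_audit(root):
        print("%-40s %s" % finding)
    print("changed:", fix_permissions(root))
```

Run hardening_audit() first and read the report before fix_permissions(): a handful of paths (upload directories the web server must write to) legitimately need to stay writable by the web server's user, which is solved with ownership, not with 777.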


Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem: web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and has shared his knowledge at various forums & invited talks.