Hacked website redirect, only on desktop, help with restoring it

This is my first post, I tried searching for similar problems, didn't find any that would fit my situation. Anyway.

Recently my cousins website got hacked, I decided to take a look and try to fix it as an exercise. I have little to none experience with web dev, so I hope to get some helpful feedback here. Whenever I type the URL in the address bar (or search for it on search engines) I get redirected to some blog site or one of those you won the iphone scam sites. It is also true for all subpages of the website.

What's weird to me is that it only happens on PC. URL works fine when using mobile or trying it in private mode. Also I can only access WP dashboard by typing url/wp-login.php using private mode. Whenever I try to do it in normal it also redirects me to that blog site login window.

In dashboard I noticed that bunch of plugins and WP version is outdated. I updated those relating to security and antispam, haven't updated WP version yet. As I didn't make this website and don't yet have FTP access I decided to wait with the update until I can make a full backup of the website.

Wordfence scan results did mark bunch of files as potentially malicious. They also have weird names that are just strings of characters which also raises red flags.

I installed WP file manager plugin and managed to download .htaccess file.

IfModule mod_rewrite.c
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
/IfModule


# BEGIN MainWP

# END MainWP
# BEGIN WordPress
IfModule mod_rewrite.c
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
/IfModule

# END WordPress

I'm not sure what to make of it as it looks similar to default basic WP htaccess, but written twice, with some weird additions. index.php was also flagged as malicious so I suspect here is a part of the problem. Help understanding it will be appreciated.

My question would be how do I proceed from here and how do I find the source of redirect? I've read that it's not worth the hassle of cleaning up hacked websites and it's much easier to just setup new server and migrate whole website there. But if I create full backup of the site and then reupload everything won't I also be migrating those malicious files with me? I also have no idea how to do it. I didn't make the website so it's not so obvious to me which files weren't there from the getgo.

I don't know what more to add as this post is pretty lengthy. If needed I can provide additional info.

Topic hacked htaccess redirect spam Wordpress

Category Web

1
answered at

When websites get hacked and you're not used to fixing WordPress websites it's highly recommended to hire a company to do this. The code can go anywhere and spread when you think your website is clean again.

To answer your question though, you should replace all the replaceable files and folders like wp-admin, wp-includes and some of the other core files. Then you should check via FTP what files got updated recently without you editing them. This includes core files, theme files and plug-in files. Lastly you should check the database.

Most redirects are being inserted via JavaScript code between script tags in the recently updates files. Good luck.

1
answered at

Have you tried clicking Wordfence's button, 'Repair all Repairable Files'? It may be able to replace all the plugin and WP core files with the correct repository versions.

You are right that if you back up, wipe the site, and reload the backup, you're not accomplishing anything. That said, you need some kind of backup, so I would do it first. Then you need access to the cPanel or such and see if there was some daily automatic backup going on. If so you can go back in time until you get before the hack.

I find it helpful to download a backup of the home directory onto my local computer. Then I use BBedit' multifile search to search for phrases throughout the site. For example, you could search for parts of the URLs your site is being redirected to.

Contacting hosting support for assistance would be another good move. They may be motivated to help rid their servers of the hack.

The .htaccess file looks fine. You can erase everything up to "# Begin WordPress" line, as everything before that is just repeating.

Wordfence has a list of steps to follow in fixing a hacked site. I suggest you follow it closely. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.