
I wanted to check the WP homepage of a friend of mine, so I googled "rafaeltheissen be piano".

The first Google result seems to point to the official page: https://rafaeltheissen.com/

Here is the complete link copied from the Google search results: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj5ps6p3ovyAhXauaQKHSkjAvQQFjAAegQIBBAD&url=https%3A%2F%2Frafaeltheissen.com%2Fen%2F&usg=AOvVaw24EO7Ic3rfmCms7XbPcI4J

When I click on it, I am on the website and everything seems fine. But when I click somewhere, the following happens:

  • On Safari, another porn/strange phishing site is opened in the background.
  • On Google Chrome, that doesn't seem to work, but a blob URL is opened as another tab.

What I can observe before clicking somewhere: in the dev console I constantly see "Console was cleared" by "agregahehhea.js", an incomprehensible piece of JS code. Network source: https://www.thodowaro.com/fbf601/agregahehhea.js

Redirects before the phishing page appears:

  • https://stevoglutu.com/b.3_Vi0jPk2ll-jnPoXpBqz_Jsmt9u0vP-Ux5yEzRAT_BCNDVEGFc-yHTImJlKR_eMEN5OqPS-TRNSOTaUm_dW4XTY1ZR-JbMcUdpeF_SgkhZiKjR-0lpm5nYoj_JqGras1tl-tvRwnxVya_QA1BFCrDS-kFRGCHaIV_pKELQMTNJ-PPRQ1RESy_TU0VRWNXM-EZ0aybScT_ReZfVgFhp-rjWkllRmN_MolppqtrW-XtduNvewm_xypzWAkBd-JDeEEF1GH_VImJ0KmLc-nNJOpPZQD_1SjTOUTVI-0XOYWZUa0_NcmdQe5fO-DhNimjNkT_Am1nMojpR-lrNsmtFuk_NwWxZyhzY-zBICzDMEG_ZGlHNICJZ-yLcM3NJOj_PQXRNSjTc-mVlWwXdYC_Za2bdcDd0-xfNgjhIi3_NkjlgmxnO-TpIq1rLsW_ZujvNwjxY-wzMATBACx_ZEDFNGlHN-DJkKyLYMj_lOjPZQGRI-4TNUWVEW3_MYWZRalbM-TdJehfMgj_Yi1j?&sseq=2&dseq=2
  • https://stevoglutu.com/b.3_Va0bPc2dh-0fYgXhRii_PkTlEmmnc-npJqprZsD_1umvZwDxN-lzZAGBUCx_MEWFQG1HM-zJQK0LNMD_NOhPNQjRQ-yTOUWVYW3_NYTZQaxbM-WdJehfMgD_ki5jZkSlZ-ynco3pJqj_PsWthupvc-3xRyvzcAn_lCiDYEWFN-rHJInJNKJ_ZMDN0O0PM-TRQSxTOUD_YW2XJYnZp-vbbcmdVeJ_ZgDh0i0jM-TlQmxnOoD_Yq2r

I really would like to understand what's happening here. Does someone have an explanation for it?

Update: the server seems compromised. If the referrer is Google, the malicious JS code is activated. Read more here: http://www.axertion.com/tutorials/2013/08/wordpress-redirecting-to-malicious-url-when-referral-is-google-or-another-search-engine/

  • It seems obvious that the site is compromised. An attacker has modified the site to serve different content. This is, unfortunately, quite common with insecure WP sites. We can't perform site analysis here. You need to restore the site to a known good state and try to fix any security weaknesses (update WP plugins, change passwords, etc.) – schroeder Jul 31 '21 at 08:17
  • @schroeder But when I open the homepage by the official URL, everything is fine! So it's not the page that is compromised but only the Google Search link. Come on, please, I want to understand why the Google link is malicious. – Denny Weinberg Jul 31 '21 at 09:12
  • It's the "referrer" in the header. This is a common tactic. This makes it more difficult for the owner to spot the compromise, since they will be unlikely to use Google to reach their page, but the public is more likely to use Google to reach the page. – schroeder Jul 31 '21 at 11:20
  • Thanks. Found more information here: http://www.axertion.com/tutorials/2013/08/wordpress-redirecting-to-malicious-url-when-referral-is-google-or-another-search-engine/ – Denny Weinberg Jul 31 '21 at 11:48
  • Yep, that's the idea. – schroeder Jul 31 '21 at 11:51
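A defender-side check for the referrer-conditional injection described in the question's update and in schroeder's comment, added here as an example and not code from the question or from the site: it requests the page twice, once without and once with a Google `Referer` header, and reports script sources that appear only in the second response. The thodowaro.com script URL is the one reported in the question; the two HTML responses below are constructed samples, and `check_site` is the assumed live entry point.

```python
import urllib.request
from html.parser import HTMLParser


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.add(value.strip())


def script_sources(html):
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def referrer_conditional_scripts(html_direct, html_via_search):
    """Script sources served only when the request carried a search-engine Referer."""
    return script_sources(html_via_search) - script_sources(html_direct)


def fetch(url, referer=None):
    headers = {"User-Agent": "Mozilla/5.0 (site-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Assumed live entry point: compare a direct visit with a Google-referred one."""
    return referrer_conditional_scripts(fetch(url), fetch(url, "https://www.google.com/"))


# Constructed sample responses (not captured from the real site).
CLEAN_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Piano</p></body></html>"""

# Same page with the script reported in the question injected into <head>.
INJECTED_HTML = CLEAN_HTML.replace(
    "</head>",
    '<script src="https://www.thodowaro.com/fbf601/agregahehhea.js"></script></head>')

if __name__ == "__main__":
    print(referrer_conditional_scripts(CLEAN_HTML, INJECTED_HTML))
```

The comparison only covers external script sources; an injection delivered as an inline `<script>` body or as a server-side redirect would need the response bodies and status codes compared as well.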

0 Answers