Redirect when logging from mobile devices

Started by sam, Aug 19, 2022, 02:35 AM

Previous topic - Next topic

samTopic starter

Hi, our site opens normally in browsers. And two weeks ago it opened on mobile devices of the android, iOS, etc. families.

Now everything is in order opens in computer browsers. And on mobile devices there is a redirect to other sites.
tell me what's the matter and how to deal with it? That has never happened before..


it's a virus. Look for base64

dig everywhere - start with index.php in both root and template. if you find it - and it should be at the very beginning of the file - then go through the website with a search for files with text - take the beginning of the code, which will be written in base64.

Demolish everywhere.

Defend - find the vulnerability she entered and patch it up. Look at the logs for the modification of the files in which you find it - when it was made, by the date already look for a hаck point.

Update the engine to the latest version, if it is JCE or JCK - also update, both are vulnerable, the vulnerabilities are closed in the latest versions.

Update all components.

Change all passwords - admin panel, ftp ... do not store them in file managers and browsers - enter them manually each time. Don't make them primitive  - that's about how it should be.

Then you need to look at the website to recommend.


Reasons for the appearance of a hidden redirect.
The webmaster set it up himself
Sometimes webmasters themselves set up redirection of mobile visitors to third-party sites. For instance, if website serves them to earn money by selling mobile traffic through WAP-click partner programs. Such earnings are against the rules of search engines and are fraught with departure from the index.

The script steals traffic, the webmaster is not aware
Unlicensed CMS, free widgets and suspicious scripts are unsafe, through them traffic can leak to malicious sites without the knowledge of the webmaster. For example, these can be elements for displaying ads or monetizing content.

Attackers hаcked the site
The webmaster will not be aware again, but the traffic can be intercepted by attackers who hаcked the site and set up a redirect to the sites they need to steal personal data or money from bank cards.

What to do if you find a hidden redirect on the site
The correction actions depend on the reason why the hidden redirection appeared.

Attention! Before you do anything with a working site, create a backup copy on the hosting and check if it works.

If web site was hаcked by intruders
You should have working backups, try to restore the site. To check for viruses, contact the hosting provider, usually hosting companies provide such a service. The check will show where the viruses are and what needs to be removed.

You can search for the code manually, often malicious elements are prescribed in these places:

in .htaccess — usually it looks like device detection by user agent and forwarding;

in index.php at the root of the site there is an obfuscated code at the end of the file, huge lines of code are easy to notice and delete;

in .js files — similarly, the code at the end of the file.

Be sure to update passwords — from hosting, FTP, admin panel and database.

If widget scripts are to blame
Redirecting to someone else's site can work through third-party scripts, plugins, CMS templates, themes, and other elements. Both new recently installed plugins and those that have been standing for a long time, but are already outdated, can be to blame — they could have been hаcked.

If you have not installed anything yourself, look at the history of access to the site. Perhaps other administrators or moderators have installed some infected script unknowingly or even to harm you.

What to do:

Find one of the pages where mobile traffic redirection is triggered, look at the code. If there are other people's scripts and elements on it, delete them one by one.
The redirection code should be searched in the script and iframe tags . It can have the form

<script type="text/javascript">location.replace("");</script>

After each deletion, go to the page from your smartphone or through the browser emulator, and check if the redirect remains.

As soon as you find this harmful element, remove it from other pages. If an important plugin was infected, check the version's relevance. Write to the developer, perhaps he has already fixed the vulnerability.

Be sure to update the CMS and plugins to the latest stable version, remove everything that raises suspicion and select licensed solutions from official sources.

If the webmaster cooperates with low-quality affiliate programs
Another reason is that the webmaster intentionally or unknowingly cooperates with fake partner systems. Usually they pretend to be simple affiliate programs with banner ads.

How to make sure that this does not happen again — we protect the site
We need to work with the security of the project to reduce the risk of re-appearance of a redirect to someone else's site.

Update versions, do not install pirated software
If you have found the reason for the leakage of mobile traffic in some extension or module, you may no longer need to use the site where you took it.
Use only licensed software and install all widgets, modules, plugins and all kinds of solutions only from official resources. The less established, the better — the probability of vulnerability is statistically less.

Follow the news and check the list of vulnerabilities for your CMS, set of libraries or framework. If a vulnerability is discovered, developers are in a hurry to release an update with a fix.

Talk to employees, update passwords
Come up with a separate password for each site, so that if one password is leaked, attackers will not have access to all your resources.

For the admin panel, you can set a delay in entering the password for the next attempts after entering the wrong one. So it will be more difficult for an attacker to sort through passwords to the admin panel of the site.

Delimit access for employees and conduct conversations with them. If an enterprising, but not very knowledgeable employee has access to the admin panel of the site, he can install something unsafe out of good intentions.

Choose advertisers more carefully
The promises of the golden mountains, although they sound tempting, in fact turn out to be a bait for participating in fake affiliate programs. Carefully choose advertisers, use Google.Adsense. Direct and other proven options.


Redirecting or redirecting a visitor to another page is normal. For example, the site maybe a mobile version on a subdomain . If a user on a smartphone goes to the site in the output, it will automatically transfer to the mobile version.