How to detect what is causing a redirect?

Problem :


I am working on a WordPress website that has been hacked. Let's say that it's http://thewebsite.example. There is no malware that infects people that open this website, but there is a URL http://thewebsite.example/xyz/ and over there is some other website that looks like some internet book store. When I click something, it redirects me to some foreign website, let's say http://bookstore.example.



In the http://thewebsite.example website directory there is no xyz/ subdirectory. I was grepping the whole directory using parts of code or text from what is displayed under http://thewebsite.example/xyz/ but found nothing. I have no idea where the infection is.



I tried to locate the redirect by checking .htaccess - it's not there. I also ran grep -r "header('Location" ./ but there is no redirect done in PHP files. I tried looking for base64 encoded PHP files or some JS infections, but found nothing suspicious.



So I wanted to check how the redirect is being done: is it 301, 302? But running wget shows no redirection. The content of the URL is being loaded from the server of http://thewebsite.example. The same goes for cURL - running curl -I http://thewebsite.example/xyz/redirecting-url/ shows me:



HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=UTF-8
Date: Fri, 08 Mar 2019 08:30:33 GMT
[...]
Vary: User-Agent
Referrer-Policy:
Connection: close


No redirection, just 200 OK. So the redirection must be encoded in PHP or JS files, right? Could it be set in a cookie? How can I check, for example using the browser's "web developer options", what is causing the redirection? It would help me to locate the infection.


Solution :

It sounds like malware has infected your server. Oftentimes, when malware infects a web server, it isn't designed to further infect web users who navigate to the site, as the aim is to redirect users to an alternate web site. The best way to ensure that every last trace of the infection is gone is to erase the site and restore the server from backups in a clean install of your server environment. Once you have done this and verified that you have a clean version of the site running on a clean server with no redirecting happening, install malware and virus protection on the server to prevent it from happening again.



As for why it isn't showing in any of the tests you performed: the malware doesn't work by installing new files in your site root; rather, it works by intercepting the request/response process and overriding it, instead returning redirect headers to the end user. The reason why running wget didn't pick up anything either is that generally the malware that does this is designed to only override the request/response on connections where the browser string matches a certain pattern, either targeting a specific browser or a range of browsers.
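
Whether the server really answers differently depending on the browser string (the curl output above does carry `Vary: User-Agent`) can be checked by requesting the same URL under several header profiles and comparing the results. This is an added example, not part of the original question or answer; the header profiles, function names and the choice of `curl` as baseline are constructed for illustration.

```python
import hashlib
import sys
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
# Constructed request profiles: the header values cloaking code usually keys on.
PROFILES = {
    "curl": {"User-Agent": "curl/7.64.0"},
    "browser": {"User-Agent": BROWSER_UA},
    "browser+search-referer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx, so the redirect itself is reported

def fetch(url, headers):
    """Return (status, Location header, body) for one request, without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers and body
        resp, status = err, err.code
    return status, resp.headers.get("Location"), resp.read()

def probe(url, profiles=PROFILES, fetcher=fetch):
    """Request the same URL once per profile and summarise each response."""
    results = {}
    for name, headers in profiles.items():
        status, location, body = fetcher(url, headers)
        results[name] = (status, location, hashlib.sha256(body).hexdigest()[:16])
    return results

def divergent(results, baseline="curl"):
    """Profiles whose status, Location or body hash differ from the baseline.
    A body-only difference can be benign on dynamic pages; compare those by hand."""
    return sorted(name for name, r in results.items() if r != results[baseline])

if __name__ == "__main__":
    results = probe(sys.argv[1])
    for name, summary in results.items():
        print(f"{name:24} {summary}")
    print("differs from curl:", divergent(results) or "nothing")
```

If every profile returns the same status, `Location` and body, the redirect is not decided by request headers on the server and is more likely triggered client-side by the returned HTML or JavaScript.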

