Fake Adult Dating Site Redirection from Google Search & SERP Result Spam – WordPress, Magento, Joomla
A new type of redirection malware has surfaced where website visitors are redirected to fake adult dating sites. In this malware campaign, thousands of fake pages get added to the website and are indexed by Google Search. If you search for you’ll see results like these:
The malware campaign is known to add fake pages & redirects for essays, pharm, dating sites, loans, media, and malicious download spam sites among others.
Related Blog – WordPress Redirection Hack
If you click on any of the links indexed by Google Search, you would be redirected to sites with explicit content and messages such as the one shown below.
How to tell if your website is infected?
- There are lots of Google Search results for pages you have not created
- If you click on any of your website links in Google, you are redirected to adult/gambling/dating sites
- New pages are added to your website which you are not aware of
- Unknown admin users are added to your admin dashboard
- Your website is very slow
- You have received a warning message from Google Search Console.
How to find the redirection hack in Drupal sites?
We investigated this malware hack campaign for a Drupal 7 site, and found that hackers had cleverly hidden the malware using sophisticated techniques, making it difficult for one to identify the malicious code.
On scanning the site with Astra’s Malware Scanner, we found a suspicious file at
With more investigation it was found that the file was added to the ‘Drupal Registry’ so that it gets auto-loaded with each request. The configuration value was located in the database.
The registry is a key-value store which loads on each request and contains information about the request and other context. It allows modules to set and request information along the execution chain.
Drupal Developer Documentation
The next step was to decode the code in the flagged file. Specifically the function.
When the above code snippet was evaluated, it spits out the path to another malicious file which was active:
After inflating the deflated string using the function in PHP, some base64 encoded was discovered.
After multiple levels of un-obfuscating the above code, the true malicious code was uncovered as you can see in the snippet below.
How to stop your website from redirecting to Fake Adult Dating Sites?
To fully remove the fake adult dating site redirection, you would have to scan your website files and database for malware. As you would have seen in this hack analysis, hackers skillfully hide the redirection code with multiple levels of obfuscation and code hiding techniques.
To learn how to clean malware yourself, refer to our malware cleanup guides or just have our security professionals fix your site quickly.
With Astra’s expert security team and comprehensive scanner, your website can be back up and running in less than 4 hours.
We fix all malware, blacklists, phishing, defacements, SEO spam & other issues to make sure you can get back to business immediately.
Security recommendations to prevent dating site redirection
- Take a backup of your website in case it needs to be restored
- Update the CMS, plugins and themes to their latest versions
- Identify the cause of the hack & patch it
- Secure your website with a solid firewall
- Avoid assigning 777 file permissions to any files or folders. Set folder permissions to 755 for folders and 644 for files
- Check if any unknown admin users have been added to the backend
- Delete any backup files (.zip, .sql, .tar etc.) in the public_html folder
0 thoughts to “Adult dating email spam”