Redirects to YouTube Defacement Channel

During a recent investigation, we found an infected website was redirecting to YouTube after its main index.php file had been modified to include the following line of HTML:

<meta http-equiv=’refresh’ content=’2;url=https://youtu.be/fsqzjDAO2Ug’>

This technique works because it’s possible to use HTML within .php files — as long as the HTML is outside the PHP code tags.

In this case, the HTML is the only code that exists, so there are no PHP tags to avoid.

Continue reading Redirects to YouTube Defacement Channel at Sucuri Blog.