| This 58 message thread spans 2 pages: < < 58 ( 1  ) || |
|Links hijacked in search engines|
Sometimes links go to my site, other times to an adult site.
| 8:13 pm on Feb 18, 2006 (gmt 0)|
This is my first post so I hope I'm in the right spot. My problem isn't just with Google, but shows in Yahoo, MSN, etc., but Google is the biggest and best, so probably would get the most attention.
I was notified by a person in New Jersey (I'm in Washington state and my web site is hosted in Virginia) that when he clicked on my link in the search engine results sometimes he would be sent to my site, but other times he would be sent to an adult site. Sometimes the adult site would come up first and other times it would take several clicks on the same link, but the adult site would come up eventually.
I tested and the same thing happened for me too. The problem occurs with either first or second ranking links to my site or with other links way down in the basement. I tried different search engines and different browsers and got the same result. I've tried the same thing with links to other sites in the results, but mine is the only one that goes to the adult site.
I notified my web site host, who is extremely fast and helpful with support, but he couldn't duplicate the situation and says everything is ok with the servers.
My page views which are generally around 4000 to 5000 per day are down by 1000 to 1500 per day, so I know something is haywire.
I thought about browser hijack, so I took an old hard drive, fdisked, formatted and made a fresh install of Windows, fresh download and install of Firefox, ZoneAlarm and AVG anti-virus. I got the same result with the adult site.
I checked in Google's directory and clicked on my link and I got the same problem, sometimes my site and sometimes the adult site, but when I went to DMOZ directory and clicked on my link only my site came up with a dozen clicks. I have a page of links to my pages on my computer and none of those links come up with the adult site. I've gone to other web sites that have a link to my site and the adult site doesn't come up when those links are clicked. It only seems to be happening with search engine results links.
When the cursor is held over the link in the results my URL shows in the status bar, even when the adult site comes up.
I've read of hijacking web pages in the forum, but nothing quite like this, they aren't duplicating my page content the resulting adult page is pretty brazen and definitely doesn't appear as being associated with my site.
I have information about the adult page, it links to several other adult sites and is apparently put up by an affiliate of the sites. I had planned to notify his ISP, but the information I've gathered indicates that the ISP may be involved or is the culprit.
Reading an older post gave me the idea to check domain names and I discovered that someone has recently gotten a domain with the same name as mine, but with net instead of com. Preliminary checking doesn't show that he's involved with the other problem, but I haven't done any deep checking yet.
I've tried inurl: and inanchor: and they don't show anything unusual. My position in the search engines are the same, although the problem has only been going on for a short period of time.
Besides giving my web site a bad name by association the thieves are stealing a lot of visitors from my site, or at least preventing them from visiting, and playing heck with my retirement income.
I've notified Google and Yahoo, but haven't heard back from either of them.
Any help would really be appreciated.
[edited by: tedster at 3:30 am (utc) on April 10, 2006]
[edit reason] fix formatting [/edit]
| 3:37 pm on Apr 10, 2006 (gmt 0)|
This is a longshot but since were kind of on topic. I have had the most peculiar problem and nobody on other forums seems to know anything about it. Every once in a great while like once in a month (although sometimes it will happen 2 or 3 times in an hour) i'll be on my own site, click an internal link and my page will change to some obscure unrelated website. For example, once it went from my site that has nothing to do with shoes and is located in Washington State to a hometown one page website for a guy that runs a small shoe repair shop back east somewhere. The shoe repair site had no ads or anything else funny about it. I checked it out and it's hosted by another normal hosting company that isn't my own. Every time this has happened it's always been some obscure unrelated site from a different host and no ads. The point is, these websites would gain nothing from trying to redirect my site to theirs.
I checked my host and they FAIL the open DNS test. Could having an open DNS problem also cause this strange intermittent behavior or am I still way off on figuring out this problem?
*btw, this problem has existed through multiple fresh installs of windows and I use firefox with java disabled.
| 3:42 pm on Apr 10, 2006 (gmt 0)|
|I checked my host and they FAIL the open DNS test. Could having an open DNS problem also cause this strange intermittent behavior or am I still way off on figuring out this problem? |
Absolutely. It can also occur if you have spyware installed.
| 4:03 pm on Apr 10, 2006 (gmt 0)|
Sticky me your URL (exactly which is causing problem
within SERP results).
I KNOW how to do that.
I will see whether this is the case.
| 4:11 pm on Apr 10, 2006 (gmt 0)|
As the original post, this happened to me too. Found out it was through the hosting provider. I switched and all was fixed.
| 4:24 pm on Apr 10, 2006 (gmt 0)|
|I KNOW how to do that. I will see whether this is the case. |
Would you be kind enough to share the process of determining how a site has been hijacked through cache poisoning? This way all of our readers can do their own investigative work. ;)
| 4:26 pm on Apr 10, 2006 (gmt 0)|
When I read pageoneresults information it was like someone took a handful of puzzle pieces and dropped them on a table and they moved themselves into the proper places.
The DNS cacheing appears to be the method the hijacker is using. The first time I had the problem it stopped by itself, which would indicate that it probably dropped out of the cache. I would imagine that the hijacker knows how things work and makes the rounds periodically to renew their malicious mischief on vulnerable DNS servers.
I've experienced periodic slowdowns for years that I haven't been able to figure out and I've never had the revelation, "Aha, check the links in the search engines to see if they're being hijacked".
After I read the forum I went looking further on the Internet for more information and it abounds when you know what to look for. It appears that the problem has been around for a long time, but most of the information is in more technical terms and not the terms an average webmaster of an average site would use for research on his problems of that nature. This forum may remedy that, or it might be good for a DNS knowledgeable person to collaberate with an average person to kind of average down (I don't like the word dumb) the information in a paper to publish.
My web site host is a definite plus. He's the fourth in eight years and I've been with him for over a year with no complaints. I've only had a couple of minor problems, which he took care of immediatly after answering my email within minutes or hours, rather than days which seems to be the norm nowdays. I started with this host at the recommendation of Fred Langa in his LangaListPlus.
It seems that many hosts and ISPs have open DNS servers as shown by dnsreport.com, some that have been around for as long as I can remember, but it seems that it's only been relatively recently that it's been realized what a problem that it can cause. From what I tested it was more like 90% open rather than 75%. I feel assured that my host will take care of the problem as soon as he's made aware of it.
I really thank everyone who helped with information about my problem, especially pageoneresults and tedster who really got the information rolling.
| 4:38 pm on Apr 10, 2006 (gmt 0)|
|I really thank everyone who helped with information about my problem, especially pageoneresults and tedster who really got the information rolling. |
Actually, I think we should be thanking you Tom56. If it weren't for your discovery, we wouldn't have been able to brainstorm at the public level and pinpoint the problem. Cache Poisoning is not a topic that I've seen discussed at great length yet at WebmasterWorld. It will be now! ;)
All of us here are hoping that many webmasters and server administrators are following these topics with grave concern. After I discovered search engine marketing from the server side, I found out that DNS could be the cause of over 50% of the problems being discussed here at WebmasterWorld. In fact, I'd even go on record to say that more than 60% of problems are related to DNS. The more information I assimilate, the more I can tie various topics in with technical issues as opposed to on-site issues.
[edited by: pageoneresults at 4:40 pm (utc) on April 10, 2006]
| 4:38 pm on Apr 10, 2006 (gmt 0)|
|Move hosts is the simplest way in the long run to beat this.Your host has been compromised. |
Well, only your host's DNS servers have been comprimised. An easy quick-fix is to switch to a third-party DNS service. There are some good ones that are pretty inexpensive, and definately won't have this problem. That would solve the "class C" problem, as well. (Third-party DNS services are generally pretty good about proper geographic location of their servers - your servers will be in different cities, not all sitting in the same rack...)
In the long run, though, the above comment may be right. If your host doesn't take this seriously and fix it, I'd be moving on. No telling where else they've been successfully attacked. Switching to third-party DNS servers could give you some breathing room, though, to find and transition to a new host.
I'm guessing that your host is an old-school local ISP. Bet they provide Internet access for customers in a local area (dial-up, DSL, etc.) and ALSO host websites.
I suspect they are using the same DNS servers to provide recursive DNS service to their Internet access customers and also to provide DNS to their hosting customers.
This is a definate no-no, but was common in the past.
Nowadays, these functions have to be done on seperate servers. A recursive DNS server (that is, one that answers queries for any domain, contacting whatever other DNS servers are needed to resolve the query, then caching the result) should ONLY perform that function. A recursive server should NEVER be used as an authoratative or backup server for a domain!
| 5:20 pm on Apr 10, 2006 (gmt 0)|
DNS Cache Poisoning
I wanted to break this topic out into two different sections. Since we determined that Tom56's problem is most likely a case of Cache Poisoning, I though a topic specific to that would be in order.
| 5:46 pm on Apr 10, 2006 (gmt 0)|
OK, I ran the DNS report and am pleased to see that everything checks out, but there were a few warnings. One of them was:
"Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004)."
I have some idea what all that means ... but don't really understand all of it. Is it safe to just go ahead and use the link provided to add an SPF record? Will this cause any troubles for my host?
In fact, spammers have been using my addresses for quite some time, but I didn't know there was anything one could do about it!
| 6:02 pm on Apr 10, 2006 (gmt 0)|
|Is it safe to just go ahead and use the link provided to add an SPF record? Will this cause any troubles for my host? |
Hi Liane, I would have your host take care of it. Just send them the link to your DNS Report and let them know there are warnings that need to be addressed, particularly the SPF Record.
| 6:10 pm on Apr 10, 2006 (gmt 0)|
| 6:29 pm on Apr 10, 2006 (gmt 0)|
Same for me as for Liane, I'll also ask my hoster about it. I also got a fail and a warning concerning the email@example.com and firstname.lastname@example.org mail adresses. This is relatively easy to fix, but I'd like to know how important this really is, and why these two are not implemented as defaults by hosting-companies if the rfc-standards require them.
> I tried a ping and tracert from a remote web site and it ended up at a different domain, but my web site host says that's his data center that owns the IP ranges
I found this from Tom56 quite suspisious, actually, though I definitely lack precise knowlege. My websites always had permanent IP-adresses, that never changed; maybe this is different with shared webspace. I'd love to know how Tom's hoster finally reacted.
Great resource this thread, yes.
| 6:46 pm on Apr 10, 2006 (gmt 0)|
|This is relatively easy to fix, but I'd like to know how important this really is. |
That one gets flagged as a Warning and the report describes to you what may happen if you do not have those two specific email addresses. They are required and they do reference the RFC for backup.
email@example.com is absolutely mandatory if you are moving into a Trusted Email environment. In fact, you'll want to address most, if not all of the Warnings on the DNS Report, particularly when it comes to your MX Records.
| 7:11 pm on Apr 10, 2006 (gmt 0)|
|I tried a ping and tracert from a remote web site and it ended up at a different domain, but my web site host says that's his data center that owns the IP ranges |
Two possibilities here:
1. You are on a shared, virtual-domain server. The domain name that you get on a ping should be in the hosting company's domain. (Some hosts misconfigure this, and you get the first shared server configured on the server. NOT good!) This really is only suitable for personal or hobby sites. I'd get a dedicated IP address (you can still use a shared server, virtual-IP).
2. Your hosting provider failed to set-up "reverse DNS" for your site. Ask them to set this up, so that ping/traceroute return your domain name, rather than theirs.
FWIW, I don't advocate "have your ISP do this for you" as others do.
You are MUCH better off learning how to configure DNS, going to a third-party DNS provider, and taking full control of YOUR domains.
As you can see from this thread and others, DNS seems a mystery to many/most webmasters. It shouldn't be a mystery. It doesn't take a lot of effort to learn. It's a dark hole that too many ignore. Take control of it and you will have a leg up.
| 7:30 pm on Apr 10, 2006 (gmt 0)|
Just FYI and not DNS related: there's a lot more dirty stuff going on. Last year my (then) webhost's URL showed up in the SERPs instead of my URL. Of course they played dumb (we can't reproduce the error, but it's now fixed), but I made it public and a month later I got an email saying that the hosting company had been sold.
Later in the year I found a URL on one of my pages that I hadn't put there. Shortly before that, I had gotten an email from an automated link exchange service I was using (and which has access your FTP), asking if my site had any "excellent rankings" on the SERPs. Apparently they had figured out my IP, because I didn't see the link on my own computer, but on a friend's.
Anyway, I have sent the URL of this thread to my current webhost, thanks a lot for the expertise.
| 9:30 pm on Apr 10, 2006 (gmt 0)|
|I'm guessing that your host is an old-school local ISP. |
Mine is not. It is a major, respected hosting company and I will guess that many here at WW host with them. I won't name them as that is probably not allowed here.
While we can fix this for each domain, should we also notify the hosting company? I am guessing the answer is yes, but please confirm.
|An easy quick-fix is to switch to a third-party DNS service. There are some good ones that are pretty inexpensive, and definately won't have this problem. That would solve the "class C" problem, as well. |
This stuff is beyond me but... will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)? I think the answer is no, the IP is the same, you would just be using a third party DNS service. Was wondering if a third party DNS service could be used to get different class "C"'s. I don't interlink my sites but reading Google's patents these days freaks my out at times.
Great thread, thanks to all!
| 9:35 pm on Apr 10, 2006 (gmt 0)|
|While we can fix this for each domain, should we also notify the hosting company? I am guessing the answer is yes, but please confirm. |
|Will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)? |
|Was wondering if a third party DNS service could be used to get different class "C"'s. |
|I don't interlink my sites but reading Google's patents these days freaks my out at times. |
It's always good to be alert to issues such as this. If you've not had any problems up til now and your host passes all the DNS tests, then you should be fine. But again, it never hurts to cover all of your bases.
[edited by: pageoneresults at 12:25 am (utc) on April 11, 2006]
| 10:01 pm on Apr 10, 2006 (gmt 0)|
Thanks pageoneresults for your answers to my questions and letting us know about this potentially harmful situation.
| 11:09 pm on Apr 10, 2006 (gmt 0)|
See, pageoneresults, I told you that you were the man :P I mean, what you suggested was the only thing that made sense-- of course the webhost can't see the hijacking-- the DNS servers they use on their personal workstations is probably the same as the authoritative DNS for the website with the problem!
Great stuff, great stuff. So, mental note to all the webhost tech support staff out there, try changing your workstation's DNS when trying to troubleshoot a customer's problem :)
| 11:46 pm on Apr 10, 2006 (gmt 0)|
|Will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)? |
Was wondering if a third party DNS service could be used to get different class "C"'s.
Far be it from me to disagree with 'the man', but I believe this is incorrect. Isn't your site's IP address provided by the host, since that IP must be attached to a network card on the server itself?
While a third party provider will give you a DNS record that isn't associated with your host, ultimately, that DNS record will point to the IP provided by the host.
I would love an explanation if I am incorrect.
| 11:55 pm on Apr 10, 2006 (gmt 0)|
|I would love an explanation if I am incorrect. |
Me too! I may be incorrect and please do let me know. I'm researching and assimilating this stuff as quickly as I can and the last thing I want here is any information that is incorrect.
Thanks for calling me out! :)
Go ahead, knock that battery off my shoulder. ;)
P.S. After reading this again, you are correct. The IP address will come from your web hosting provider, not your DNS provider unless of course they are one in the same. I've edited the above reply to reflect that, my apologies.
| 12:57 am on Apr 11, 2006 (gmt 0)|
I wonder how all of this may apply to a situation that I have ...
I have several dedicated servers. On one in particular, I utilize an alternative DNS method (DNS zone file settings in eNom). For all domains located on that server, I use an "A Record" entry (pointing to the IP address allocated to that server) for "@", "WWW", and "Other" entries in my Host records setup (also has URL Redirect and URL Frame enabled), rather than pointing at regular DNS servers per normal. This facilitates ultra fast switching to backup servers in case of any server issues.
I too have been having problems that seem like those mentioned in this thread. But dnsreport.com checks on the domains don't show any major problems (just a couple of warnings concerning mx records, as I don't have any for one domain, and a minimum SOA value warning).
Although I have never really had any problems (other than the obligatory problems with Google & Yahoo that most other webmasters are having), I would like to get opinions from others about this scenario, as I have been seeing drops in traffic, exactly as described in this thread.
| 4:21 am on Apr 11, 2006 (gmt 0)|
Let me try to clear up the confusion about "different Class C address (network, actually)", etc.
That discussion started with a DNS Report warning. The warning is that your DNS servers are not on seperate Class C networks. That warning has absolutely nothing to do with your web site's IP address. They are talking about the IP addresses of your DNS servers.
So, what's this all about?
There's nothing inherently wrong with your DNS servers all being on the same Class C network. DNS Report uses this as an indicator, though, that your DNS servers may not be geographically-dispered. If your DNS servers are all on the same Class C Network (i.e. first 3 octets are the same), there's a high liklihood that they are physically in the same place. Your DNS servers aren't supposed to be all physically in the same place.
But some hosting providers give you a primary and secondary DNS server that may be located in the same city, same room, or even the same rack.
That's not desirable. It's best when each of your DNS servers is in a different part of the country - or even world. For example, I have 5 DNS servers. 3 are in different parts of the U.S., one is in Europe, and one is in Asia.
(Actually, I have more than 5 DNS servers, but they are transparent - hidden behind 5 IP addresses. My DNS provider uses IP Anycast Routing. They actually have servers in 11 cities. Using IP Anycast, packets are routed to the NEAREST server.)
By using a third-party DNS provider, you address the "class C" warning, because most if not all third-party DNS providers host each of your DNS servers in a different city. This is what your hosting provider SHOULD do, but many do not.
In "the old days", this was typically handled by informal reciprical agreements. You'd find another site willing to host your backup DNS, and you would host their backup DNS.
| 6:09 am on Apr 11, 2006 (gmt 0)|
For what it's worth, I had something similar happen with a client of mine today (I'm an IT guy). It was clear that he had spyware, since randomly *any* of the links in a SERP could redirect to another domain, although a different one every time. Most of them were related to the target site, and I'm sure they were all affiliate sites or hidden affiliate links. None of my anti-spyware or AV tools found anything useful, and it wasn't until I used hijack this to disable a weird search hook that it finally stopped.
| 7:48 pm on Apr 13, 2006 (gmt 0)|
Tom56, I just spent close to an hour on the phone with a gentlemen from SANS discussing this topic. He read through this while we were talking about DNS Cache Poisoning issues and he's not too certain that you're a victim of the poisoning exploit. He seems to think that maybe there is a misconfigured setting somewhere in the DNS that caused this although he can't be 100% sure.
I've gotten so involved with this that I'm in over my head now! But, I'm going to see it through and learn everything I can so I can speak with some level of authority when these topics come up again. What I might suggest is that you have your server administrator go through their DNS setup with a fine tooth comb and make sure that everything is the way it should be. And this is where it gets tricky. If the person has only a basic understanding of DNS, enough to run a server and host websites and resolve them correctly, that is usually enough to get by. But, there are some other more advanced issues that need to be addressed to cover your arse just in case. ;)
The feedback I've received and assimilated tells me that your server should not allow this to happen, I'm referring to the symptoms you described in your opening post and subsequent ones. This shouldn't happen to Authoritative DNS Servers. It could happen to a DNS Resolver. That opens up another can of worms. If your host is using Windows and is forwarding requests to a BIND 4 or BIND 8 DNS Recursive Resolver in the upstream, then there are potential issues. That's all I can comment about on that one. More for me to research!
Bottom line, you may not be out of this situation just yet. Your server administrator should double check everything on the DNS side to make sure that there are no stones unturned. If the host has determined that they've done everything correctly, which is probably true, you can only wait it out and see if it happens again. If it does, there are organizations online that may be able to assist your host in determining where the problem is.
Good luck and my sincere apologies if I created any unwarranted fear within the WebmasterWorld community. That was not my intention. But, I would still like to instill fear in you if your servers fail the DNS Report for Open DNS Servers, that one needs to be fixed!
| 11:06 pm on Apr 13, 2006 (gmt 0)|
Pgeoneresults, thanks for the information. I've fried a few synapses trying to understand this stuff and I haven't gotten as deep into understanding as you have.
Something like this seems to take trial and error until a few become proficient in the knowledge and can pass more definite information on to others. It's understandable that there can be errors.
There are so many variables and it seems that each time something is figured out the bad guys find something new. It's probably good for a little fear to have been created to make people sit up and take notice.
| 6:49 pm on Apr 28, 2006 (gmt 0)|
Hi Tom56, did you get any solution to your problem. I ama new Entrant here and am facing a similar problem. I have an affiliate site well placed in yahoo. Was getting very good traffic and conversion till last month and then suddenly traffic drops on my site and conversions are falling day by day. My rankings are stil the same. NOthing that i have researched points at one direction. Please do let me know if someone finds more info about this. Thanks
| This 58 message thread spans 2 pages: < < 58 ( 1  ) |