| 12:28 am on Feb 19, 2006 (gmt 0)|
It's quite possible someone is framing your website in the search results, thus stealing your traffic and income.
When my own stats were much lower than expected we used the Google Tool inurl:domainnamedotcom which found everyone with my url as part of their url.
In clicking on them we discovered scammers who illegally framed our site and put their own Adsense Code at the top of my index page, thus getting our traffic and clicks.
Reporting it to Adsense Abuse with detailed information several times did not accomplich much as after 2 weeks the fraud was still ongoing and the scam Adsense was still there, and we only got canned kind of replies from G. I also asked G to reimburse us for the stolen income from the scammers account with no response after 3 weeks.
After more than 2 weeks the framing and scam Adsense was still onging and the scammers adsense account was still active last time we checked. Amazing how easy the fraudster can do this and get away with the scams.
I suspect this is something getting to be commonly done (involving both Adsense and YPN ads) but for some odd reason it's rare anyone talks about it. For example, when we posted about this before there was very little response or feedback.
| 4:35 pm on Feb 19, 2006 (gmt 0)|
I find it quite interesting and surprising posts (like this thread and a few others) about the issue of scammers stealing your traffic and revenue by framing your site get such poor response in the forums.
This indicates to me (A) I am wrong in being a common problem, (B) Similar to websites who get attacked, no one wants to talk about it and admit they have also had it happen, (C) A good possibility is hardly anyone knows this is even happening to their sites!
You all need to check by going to Google search box and entering this: inurl:yourdomainnamedotcom and scanning the list, then clicking any suspect looking ones. You may be surprised by what you see.
| 4:36 pm on Feb 19, 2006 (gmt 0)|
Thanks for your reply.
I've already tried the inurl: and everything looked ok there. Inanchor: shows one with my site framed, but it looks like a legitimate question answer service and has a link to drop their frame.
| 4:54 pm on Feb 19, 2006 (gmt 0)|
It's true that there is very little to be found about the problem.
It seems from the hours upon hours of research I've done on it that most people don't realize anything is happening until it's too late.
Some methods used cause web sites to totally disappear from the search engines.
I haven't read of anyone with the same type of problem that I have. I was aware that my page views dropped suddenly in the first part of February, but couldn't find any reason for it, so figured it must be some sort of seasonal thing. The first that I knew of what was happening was when someone emailed me that they clicked a link to my site in a search engine and got a adult site.
The adult people seem to be pretty cagey about it and don't take it all, but probably about 20%. They probably figure it's better to take some and leave some so my site doesn't disappear and leave them high and dry too with no links at all to steal.
[edited by: tedster at 3:31 am (utc) on April 10, 2006]
| 6:08 pm on Feb 19, 2006 (gmt 0)|
This combination of factors seems quite unusual:
1. The hijack seems to work from all three major search engines.
2. The hijack does not seem to work with any other kind of site access.
3. And yet, the hijack is not consistent -- it only occurs some of the time, on some clicks even from the same SERP
Have I got that right?
It's #3 that really gives me pause. Thoughts of some kind of DNS gaming come to mind -- a very esoteric pursuit, if true. There are some "theft of service" exploits that can work against some server configurations (see [httpd.apache.org...] )but I would expect those to either work all the time or none of the time -- so the fact that only search engine traffic seems to be affected (and even that is only some of the time) works against that idea.
The serp shows YOUR url -- but any kind of framing/scraping/redirect effect should show their URL. And again, this would be 100% ofn the time, not just some of the time.
In short, those three points seem to work against each other, each one ruling out the situations that the others seem to indicate.
I'd suggest that you take these steps:
1. Spend some time verifying that each of those 3 points above is accurate.
2. Examine your pages for any kind of code injection - such as an injected iframe attack. I know your host said all was fine on the server, but you still should verify that for yourself.
3. Check current server logs against a baseline from the period when things were working well. Are you still seeing the same level of SE referers? And even more telling, does the SE traffic first hit your server and then go elsewhere, or does you server never see those clicks.
I doubt that inurl: allinurl: site: and so on are going to give you the evidence you need to take this further. However, you might do a check with the Yahoo Site Explorer [siteexplorer.search.yahoo.com] just to see if anything looks odd. I also doubt this will show you much that is new, but you never know.
Best wishes on this one -- you'll really need to pin down the sypmtoms with certainty, and that can be hard when something seems to happen only a percentage of the time.
| 6:31 pm on Feb 19, 2006 (gmt 0)|
I agree it sounds like a DNS problem -- possibly intentional, but also possibly just an error.
You could try using something simple like the Ping utility bundled with most operating systems. Do a series of "Ping <yourdomain.com>" commands, and see what IP address your domain name resolves to. If it occasionally resolves to a different and incorrect IP address, then pursue this with your DNS provider.
The DNS system is distributed -- there is no "one place" that your domain-to-IP-address translation takes place. The only "fixed point" is two (redundant) authoritative DNS servers for your domain -- the ones listed in your domain registration (WHOIS) record. That is likely to be correct, but some downstream DNS server at a backbone provider or ISP has either got a bad copy of your record, or has been tampered with. The distributed nature of DNS is what makes it sometimes-right sometimes-wrong if that's what's causing your problem.
| 9:48 pm on Feb 19, 2006 (gmt 0)|
Thanks for some good information to check on.
Some of it I've checked and rechecked, but there's some good new things to check too.
I've spent several days of frustration trying to figure this out and it really cuts down on the frustration to have some help and new suggestions to try.
I'll send a link to the forum to my web site host, he's interested in what's happening. I might add that he's by far the best of four different hosts I've had in the past eight years. His support comes in minutes rather than days like it was with my other hosts.
| 10:07 pm on Feb 19, 2006 (gmt 0)|
Late last night we discovered when doing research using inurl:mydomainnamedotcom and spotting a suspect link that a Russian based scammer framed my website in the Serps.
He put up a page above my page (a sub-domain using my domaindotcom then followed by the .ru country code ext) claiming it was a PayPal verification page run by my website and done to stop PayPal Fraud, before giving the credit card number to place an order for my product . If you click it goes to a form asking for your login name and paypal password allegedly to verify your identity.
It appears the domain name com.ru was registered and the scammer was using that domain to make subdomains for the fraud.
God knows if some of my prospects or clients have gone there by mistake and had their PayPal account stolen. This kind of fraud is getting more and more common but what can we do about it?
| 7:50 pm on Feb 20, 2006 (gmt 0)|
Yesterday I was away from my computer for most of the afternoon, but when I did my evening backups, etc. I checked Google the adult site didn't appear. My site had a normal day and I thought the problem might be over. This morning at 530am I checked Google and there was the adult site again.
To Tedster, yes, 1,2, and 3 are correct.
Your next 1. I've checked countless times over the past several days.
2. I've checked for anything that might have been added to my pages and haven't found anything. Several years ago someone hacked in when I had a different host, but they added their own index page that knocked mine out and showed their page. I've checked the whole site to be sure someone hasn't added something.
I have a do it yourself information site, so most of what I have is text and links to items that people may need for their projects.
3. The logs show 1406 referrers for January and 458 so far in February. 31 search engines for January and 30 for February. The server doesn't see the clicks.
I used the Yahoo Site Explorer and everything looks ok. It shows 5,155 in links, so that's going to take a while to check completely.
I tried a ping and tracert from a remote web site and it ended up at a different domain, but my web site host says that's his data center that owns the IP ranges. I used a tracert from a program on my computer and it ends up at my domain.
SamSpade shows the canonical name for my domain as my domain, but my IP as the other domain.
If the search engines have several locations around the country where queries are made it would be easy to see where someone in New Jersey and someone in Washington state could both get results different from someone in Virginia, but if all queries are routed, for example, Google in California, then everyone should get the same results. My host in Virginia still can't duplicate the problem.
DNS seems to be a real logical choice, but between not being too well versed in DNS and my brain synapses snapping in all directions at once from information glut over the past few days I can't get the logic to go in the right direction.
My host said that he will point my IP address to my domain and will move me to a different server.
I may be grasping at straws, but the ropes don't seem to be fastened at the other end yet.
I've checked inurl: and nothing is out of the ordinary there.
The URL of the adult page is IP/site.htm?lng=1&trg=rc. Does anyone know what the code after the IP is? Does it light any lights or ring any bells that might be associated with my problem.
The IP for the adult page is in Belarus Ukraine, but looking at the source gives another domain name. The page is framed, so the domain name is for the source of the adult page. Using the second domain name opens a page identical to the original adult page and the IP for that domain traces to the northeast US and a ISP at the same location.
I really appreciate all the help you're giving. I wouldn't mind if the problem faded off into the sunset, but I'm tenacious, my wife says just plain old stubborn, and I'd like to get the problem and a cure figured out so I can be rid of it and to have ready information for someone else who might have the problem. It would be interesting to know how many people have the problem and don't know it. I probably would still be in the dark if I hadn't been notified by someone else that the problem existed. There doesn't seem to be any indicators except the eratic showing in the search engines.
[edited by: tedster at 3:35 am (utc) on April 10, 2006]
| 6:10 pm on Feb 21, 2006 (gmt 0)|
The url you gave: IP/site.htm?lng=1&trg=rc is insufficient to be of help. We need the full url to give opinions.
To avoid not publishing the url as a link simply use this format /dot/ in front of the ext., which replaces the . to in effect make the link non-clickable to not violate the TOS here, and do not use the http or www which seems to also make it non-clickable in combination with the /dot/ (I think that is OK, Mod's may delete what I said if that's not allowed).
| 9:23 pm on Feb 21, 2006 (gmt 0)|
[edited by: Brett_Tabke at 11:07 pm (utc) on Feb. 21, 2006]
[edit reason] please - no specific sites... [/edit]
| 11:00 pm on Feb 21, 2006 (gmt 0)|
WARNING! WARNING! Do not try to visit that site as I did out of curiosity. My security program immidiately popped up a message that the site was using a Windows htm exploit to attack my computer and luckily blocked it. If you do not have updated security running it could do great harm.
Did Tom56's security manage to block the attacks too? Hope so. This is a good example of why it's actually good this forum does not want url's published (which I now agree with and support).
| 12:02 am on Feb 22, 2006 (gmt 0)|
Sorry about that. It's a good lesson learned.
I use Firefox as my main browser to avoid such things and use Opera, Netscape and Internet Explorer to check my own site in those browsers. I extremely rarely venture from my own site with IE and have security squeezed up so tight on it that it's a nuisance to use, but a necessary evil.
I use ZoneAlarm Pro, ETrust anti-virus and run Adaware, Spybot and Spycatcher regularly and have that little pup from WinPatrol keeping tabs on things.
I'm still curious about the code after the IP address to know if it might have something to do with the hijacking.
| 1:58 pm on Feb 22, 2006 (gmt 0)|
I'm typing this with fingers crossed.
It's over a week since I was notified that the adult site was coming up with the clicks in the search engine links and stats showed that it's apparently been going on for most of February.
Yesterday around noon I checked Google and the adult site didn't come up. I've been breathing gently since then and this morning at 5:30am still no adult site.
I don't know what happened. I'm not going to question it, just enjoy it and hope that they're gone permanently. It's been an experience for learning and has given some new subjects to learn about.
If it comes back I'll post again.
Thank you each for all the help and suggestions you've given.
[edited by: tedster at 3:35 am (utc) on April 10, 2006]
| 3:25 pm on Feb 23, 2006 (gmt 0)|
This is also my first post. I am having the exact same problem as Tom56. This appears to be happening with all of my clients websites and only seems to happen some of the time when visiting the site through a link provided by Google or Yahoo. I have asked my web hosting company to look into this in the hope that they can help with the problem. If I come by any further information in relation to this problem I will post info in this listing. If anyone else has any ideas on how to prevent this from happening I would be very greatful.
Thanks in advance.
| 4:27 pm on Feb 23, 2006 (gmt 0)|
Thanks for bringing this up again, very interesting.
| 4:49 pm on Feb 23, 2006 (gmt 0)|
Tom56, I was wondering if you can tell me if the websites you have this problem with contain iframes? I have been checking all my domains and it appears the only site that this problem does not happen with contains NO iframes. All my other sites contain iframes, and seem to periodically redirect to the Ukraine site you have mentioned.
Thanks in advance.
| 12:25 am on Feb 24, 2006 (gmt 0)|
Do your sites that redirect rank high in the search engines? Maybe higher than the one that doesn't redirect? When one of your sites redirects have you tried clicking several times on the site that doesn't redirect to see if it might redirect?
I don't have any idea how they manage their theft, but the DNS idea sounds most logical.
I kind of wonder if they don't pick sites that rank high in the search engines and possibly have a program that will redirect clicks on links randomly or possibly one out of every 50 or 100 (or other number) clicks on a link based on the site rather than any particular page.
When I checked it would go to the adult site whether it was a number one rank or ranked way below. It would generally redirect at a random number of clicks rather than a set pattern and rarely twice in a row. If they had a set number, such as one out of every 50 clicks it would randomize my clicks, because regular site visitors would be clicking at or about the time I was clicking too.
Quite possibly they only work a site for two or three weeks then move on so that there would be less chance of having someone figure out exactly what they're doing and stop them permanently.
I have unexplained slowdowns in page views periodically, that don't show anything in the stats and I probably wouldn't have known what caused this one if someone hadn't notified me. I check certain keywords and phrases periodically, but I don't generally click on the links. I plan to check the links now if it appears that there is a slowdown problem.
It would help to figure out what's happening if more people who have a problem would contribute information as you did.
[edited by: tedster at 3:36 am (utc) on April 10, 2006]
| 7:37 am on Feb 24, 2006 (gmt 0)|
Thanks for getting back to me. I have checked the site that this was not happening with this morning and the problem is now affecting it too. So the idea of the problem being iframe related seems to be a red herring. I read on a forum for powweb that people were being affected by an issue whereby iframe code was being placed in their index.html files that would download a wmf file expliot to the viewers computer. I know the google/yahoo links for my sites sometimes redirect to a website with the wmf exploit and was wondering if something similar may be the cause. I checked most of my index.html files last night for added code and could not find any. If I have further ideas I will post later.
| 1:08 pm on Feb 25, 2006 (gmt 0)|
I have been looking at this problem for the last 2 days now and I can inform that the problem is now fixed. I noticed that when I changed where one of my websites was hosted the problem disapeared all together. This lead me to believe that the problem was present on my server. By this time the tech support for my server were looking at the problem and later brought the server down to recompile Apache resetting all the settings. They inform me that Apache had been compromised, so the process of resetting and recompiling apache seems to have resolved the problem. I just hope that this does not happen again. It has been a rather embarassing experience. I hope if anyone else has this problem this listing will help point to where the problem exists.
Thanks to all people who have contributed to this listing.
| 8:19 pm on Apr 8, 2006 (gmt 0)|
The adult site was back hijacking links again the last couple of days in March through the first week of April.
My web site host switched me to another server and changed my IP address and that seems to have stopped the links to the adult site.
[edited by: tedster at 8:01 am (utc) on April 9, 2006]
[edit reason] spliced to the orginal topic [/edit]
| 1:50 am on Apr 10, 2006 (gmt 0)|
Let's do something here real quick. Take your current domain and run a DNS Report on it...
Tell us what warnings and/or failures you see (if any). I want to make sure we can either rule out DNS or point to DNS. The above report should give us at least part of the answer, hopefully.
| 4:28 am on Apr 10, 2006 (gmt 0)|
I did the DNS report with the following results
Fail - Open DNS Servers
Warnings for the following:
Nameservers on separate class C's
SOA REFRESH value WARNING: Your SOA REFRESH interval is : 900 seconds.
SOA EXPIRE value WARNING: Your SOA EXPIRE time is : 3600000 seconds.
Mail server host name in greeting
and SPF record
| 12:56 pm on Apr 10, 2006 (gmt 0)|
Fail - Open DNS Servers
That's the one I was expecting to see based on the symptoms you've described. We have a few home page topics here that relate to the DNS Recursion issue (Open DNS Servers).
DNS Recursion - Open DNS Servers
DNS Cache Poisoning
From the Wikipedia
|To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request. |
|This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates fake entries for files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a worm or a virus. A user whose computer has referenced the poisoned DNS server would be tricked into thinking that the content comes from the target server and unknowingly download malicious content. |
I'm just guessing right now based on my research and understanding of DNS Cache Poisoning. The symptoms you describe sure sound like it. You should forward all of the above links to your host. I'd also be looking at the host at this point in time. Are they reputable? Do they host sites that may attract this type of technical foul play? If so, a move might be in order. Is your site on a Shared IP or Dedicated IP. If it is on a Shared IP, there's a good chance that everyone else on that IP is under the same attack.
If it is happening to you, there is a good chance it is happening to others on the same network where DNS Recursion is happening.
P.S. They (your host) should also correct the other Warnings if possible. Actually, most are fairly simple to correct...
- SOA REFRESH value WARNING: Your SOA REFRESH interval is : 900 seconds.
- SOA EXPIRE value WARNING: Your SOA EXPIRE time is : 3600000 seconds.
- Mail server host name in greeting
- SPF record
This one below should be corrected if at all possible. If not, it is not a major issue, just a warning like the others above. But, read the Warnings that are presented along with the description of what could happen if they are not corrected. Then you can determine which ones need to be addressed. Actually, your host is responsible for all of this.
Nameservers on separate class C's
| 1:13 pm on Apr 10, 2006 (gmt 0)|
For all of you following this topic, I would strongly suggest that you run a DNS Report on your domain and make sure that there are no failures such as the Open DNS Servers. This issue with DNS Cache Poisoning is a serious one and can affect every single one of us where our sites are hosted on servers that allow for DNS Recursion.
If your host gripes one bit about this, it's time to change. Get out of there quickly before you come under the same type of attack or even worse, a DNS DoS Attack which will bring that server down in a heartbeat.
|I find it quite interesting and surprising posts (like this thread and a few others) about the issue of scammers stealing your traffic and revenue by framing your site get such poor response in the forums. |
No, they don't get a poor response. They just need to be seen by the right people. Many don't understand what may be happening here. I didn't until I decided to get involved with search engine marketing from the server side (the technical aspects).
|This indicates to me (A) I am wrong in being a common problem. |
It's not common yet because many don't know that it is happening.
|(B) Similar to websites who get attacked, no one wants to talk about it and admit they have also had it happen. |
That one is plausible. ;)
|(C) A good possibility is hardly anyone knows this is even happening to their sites! |
I'm going to go with C.
| 2:25 pm on Apr 10, 2006 (gmt 0)|
Move hosts is the simplest way in the long run to beat this.Your host has been compromised.
| 3:00 pm on Apr 10, 2006 (gmt 0)|
fascinating, guys. quality information here that's all i can say
| 3:20 pm on Apr 10, 2006 (gmt 0)|
Pageoneresults - your the man! Tom56, mystery solved or what?
| 3:30 pm on Apr 10, 2006 (gmt 0)|
|Pageoneresults - your the man! |
Not yet, but thank you for your compliments.
This is just one of many issues that Tom56 may be faced with. His symptoms lead me to believe that the DNS Recursion is the issue.
| This 58 message thread spans 2 pages: 58 (  2 ) > > |