
Fraudulent Redirect

My Home Page was fraudulently redirected

         

unitec1

6:10 pm on Dec 19, 2006 (gmt 0)

10+ Year Member



I just went to my site and was redirected to a spammer site.
All other pages are OK; only the home page is redirected.
I uploaded my original .htaccess file but this didn't solve the problem.
Does anyone have a solution or similar experiences?

Juergen

jdMorgan

6:14 pm on Dec 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Download the Live HTTP Headers extension for Firefox and check the server response when loading your page. This will tell you something about the mechanism used to redirect the page.

Check your page for JavaScript or PHP script hacks, especially if these scripts are external.

Then provide as much information as you can about what you find.

In the meantime, change all of your server passwords -- Control panel, PHPadmin, FTP, MySQL, and anything else.

Jim
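
The script check suggested in the post above can be automated. The following is an added example, not part of the original thread: it parses a saved copy of the home page and reports script tags loaded from another host, meta refresh tags, and inline scripts that assign to the page location. The host names and the sample page are constructed placeholders, and `audit` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline script that assigns to the page location, i.e. a client-side redirect.
LOCATION_RE = re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\(", re.I)

class RedirectAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlparse(page_url).hostname
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            src = attr.get("src")
            # Resolve relative paths first so only genuinely off-site sources are flagged.
            if src and urlparse(urljoin(self.page_url, src)).hostname != self.own_host:
                self.findings.append(("external-script", src))
        elif tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attr.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and LOCATION_RE.search(data):
            self.findings.append(("inline-location-change", data.strip()[:80]))

def audit(html_text, page_url):
    parser = RedirectAudit(page_url)
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample: a home page that lists visitor reviews (hosts are placeholders).
SAMPLE = """<html><head><script src="/misc/site.js"></script>
<meta http-equiv="Content-Type" content="text/html"></head><body>
<div class="review">Great shop!<script src="http://spam.example.net/goto.php"></script></div>
<div class="review"><script>window.location = "http://spam.example.net/";</script></div>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE, "http://www.mysite.example/"):
        print(f"{kind:24} {detail}")
```

A redirect of this kind does not show up as a 3xx status or a Location header on the page request itself, so the page source has to be inspected as well as the response headers.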

unitec1

6:43 pm on Dec 19, 2006 (gmt 0)

10+ Year Member



I found
"Install version 0.13.1 of LiveHTTPHeaders now" on livehttpheaders but it is an xpi file and opens in Notepad as ASCII text.

What to do?

Juergen

jdMorgan

6:52 pm on Dec 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It will only work with Mozilla browsers. If you're using Firefox, Mozilla Suite, Netscape, or SeaMonkey, it should just auto-install, since .xpi files are handled internally by these browsers.

If not, right-click-download the file to disk, and then drag its icon into the browser window and drop it. This should activate the install dialog.

Jim

unitec1

7:24 pm on Dec 19, 2006 (gmt 0)

10+ Year Member



I did it but could not find any strangeness.

Here is the content:
http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank
&client=navclient-auto-tbff&encver=1&nonce=-1674984153&wrkey=MTq2cZ8UMqgLkgPsQsUZl7LW
&encparams=4PFMSiaOFFQbwMpHXJxakLFKwSjGhYWY0wh89mLW5obHpMBhfjhXT5bHjNA=

GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank
&client=navclient-auto-tbff&encver=1&nonce=-1674984153&wrkey=MTq2cZ8UMqgLkgPsQsUZl7LW
&encparams=4PFMSiaOFFQbwMpHXJxakLFKwSjGhYWY0wh89mLW5obHpMBhfjhXT5bHjNA= HTTP/1.1
Host: sb.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PREF=ID=e35074e368bc7cff:TB=2:TM=1160584281:LM=1160584281:S=pq6AyYjziOYQ3g_-

HTTP/1.x 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Content-Length: 0
Date: Tue, 19 Dec 2006 19:21:54 GMT
----------------------------------------------------------

[edited by: jdMorgan at 7:33 pm (utc) on Dec. 19, 2006]
[edit reason] Fix side-scroll, de-link URL [/edit]

jdMorgan

7:38 pm on Dec 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



All that is showing is a request to Google's anti-phishing service, probably as a function of the Google Toolbar, since you're using a badly-outdated version of Firefox that does not have the anti-phishing feature built-in.

As such, it doesn't tell us much.

What did you find on review of your scripts as mentioned in my first reply? Or are there any scripts on your home page?

Please post a lot more information about what you are doing and what you find. Otherwise, this will take much longer to figure out. Our chances of "guessing" the correct problem and the correct solution without information are essentially zero.

Jim

unitec1

7:51 pm on Dec 19, 2006 (gmt 0)

10+ Year Member



I updated to Firefox 1.5.0.8 and now I found the lines with the spam site:

http://www.example.com/goto.php

GET /goto.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate

[edited by: jdMorgan at 8:37 pm (utc) on Dec. 19, 2006]
[edit reason] example.com [/edit]

unitec1

8:31 pm on Dec 19, 2006 (gmt 0)

10+ Year Member



It seems that there is an issue with the DNS.
I read an article in Wikipedia about Pharming.

My hosting company made some changes in the DNS server and now I have to wait until the cache is cleared.

In the meantime I made a redirect in .htaccess from index.htm to home.htm and this works fine.

Thank you for your help.

I'm impressed how one gets help in this forum.

Juergen

pageoneresults

8:37 pm on Dec 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It seems that there is an issue with the DNS. I read an article in Wikipedia about Pharming. My hosting company made some changes in the DNS server and now I have to wait until the cache is cleared.

There are many of us here who would be extremely interested in the details of what happened!

I flagged this topic when I first saw it. I knew it was going to come down to a DNS issue. ;)

jdMorgan

8:40 pm on Dec 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Glad you got it fixed.

Now you need to figure out what was changed and how it was changed, and make sure that your host prevents this from happening again.

Be aware that the current version of Firefox is Firefox/2.0 [mozilla.com]

Jim

unitec1

4:47 pm on Dec 20, 2006 (gmt 0)

10+ Year Member



The problem is solved!

Viewers can submit customer reviews on my Drupal CMS site.
Newly submitted reviews will be shown on the home page.
Created pages allow JavaScript by default.
The spammer added a JavaScript with a link to a PHP script on the spammer site. This script redirected the home page.

It's very simple but has a huge effect.

Juergen

jdMorgan

5:10 pm on Dec 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You'll need to filter user-generated content to forbid posting any JavaScript, PHP, or even HTML code. I suspect that this may even be a built-in option, but I'm not a Drupal user, so you may have to dig into the documentation to find out how to do it.

Simple methods include removing or replacing characters like "<" and ">" and other characters and character sequences commonly used in HTML and scripting languages.

Any site that allows user-generated content without such filtering will be hacked constantly.

Jim
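
The two filtering options named in the post above (removing the characters, or replacing them) look like this in practice. This is an added example, not part of the original thread and not Drupal's own filter code: Python stands in for the CMS's PHP, the function names are hypothetical, and the sample review is constructed with a placeholder host. It then re-parses the rendered markup to confirm that only the template's own tags and attributes survive.

```python
import html
from html.parser import HTMLParser

def strip_markup_chars(text):
    """The 'remove' option: drop < and > entirely. Lossy, and not enough inside attributes."""
    return text.replace("<", "").replace(">", "")

def escape_review(text):
    """The 'replace' option: turn & < > " ' into entities so the text displays as typed."""
    return html.escape(text, quote=True)

def render_review(author, body):
    # Escape every user-supplied value at output time, including the one placed
    # in a quoted attribute, where an unescaped " would end the attribute early.
    return ('<div class="review" title="{}"><p>{}</p></div>'
            .format(escape_review(author), escape_review(body)))

class TagCollector(HTMLParser):
    """Records the elements and attribute names that a parse of the output yields."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, sorted(name for name, _ in attrs)))

def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.seen

# Constructed review of the kind described in the thread (placeholder host).
AUTHOR = 'Bob" class="x'
BODY = 'Price < 10 EUR, great! <script src="http://spam.example.net/goto.php"></script>'

if __name__ == "__main__":
    print(strip_markup_chars(BODY))
    print(render_review(AUTHOR, BODY))
    print(parsed_tags(render_review(AUTHOR, BODY)))
```

Stripping changes what the reviewer wrote ("Price < 10" loses its comparison sign), while escaping keeps the text intact and still leaves no script element in the page.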

unitec1

6:52 pm on Dec 20, 2006 (gmt 0)

10+ Year Member



Yes, Drupal has filter options.

I've already set filters.