Welcome to WebmasterWorld Guest from

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

Trying to trap me into clicking on a hijacker from logs?!

might be webmaster-targeted...

5:38 am on Dec 1, 2003 (gmt 0)

New User

10+ Year Member

joined:Nov 19, 2003
votes: 0

I've been scanning & analyzing my logs rather obsessively since Google update Florida, when I noticed a new referrer website. Curious, I clicked on the referrer to see if it was going to do me any good...when it switched me over to a website that started downloading UCsearch.cab - a nasty hijacker (backdoor trojan).

Since the name of the referrer website was very closely related to my website product, and a page from my website was called up from that location I have to wonder if it was a targeted attack. That they meant for me to find it, click, and let them into my business PC. There was no actual link to my website on the page.

I checked the page via Google cache and found it to be a page of mish-mash phrases and links. The domain seems to have expired over the last year, with the nasty trojan-guys picking it up to bring in "customers". It actually moves you to another page with the trojan download on it.

I'd love to paste the logfile portion & the name of the website it goes to, but I don't want to violate any rules. Needless to say, it ruined my evening!

So...has this logfile trap happened to anyone else?

3:25 pm on Dec 1, 2003 (gmt 0)

New User

10+ Year Member

joined:Aug 6, 2003
votes: 0

Now that's a nasty way to be woken up in the evening. I'm glad you figured it out before your machines and the server had been compromised as planned. Not to ignite any zealotry here but episodes like this one are yet another reason why I'm sticking with my 2 percenter OS...

Anyway, I assume that you've reported the site to their provider? ...at least try to shut the thing down before someone less vigilant than you has their day(s) ruined.

4:35 pm on Dec 1, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:July 14, 2003
votes: 0

LaBonne, I can't say that I've ever seen someone try to infect someone's PC this way, but I'm not surprised. Faking referrers and visiting other sites is a form of log spam. If you search here or Google for webmasterworld log spam you may find someone who's encountered a similar tactic to infect a PC.
5:11 pm on Dec 1, 2003 (gmt 0)

New User

10+ Year Member

joined:Nov 19, 2003
votes: 0


Actually I did catch the thing. Having only dialup, I clicked, heated something for dinner, and came back to find a strange download. Felt stupid, then tracked the bugger down & killed it.

At least now I know how to find other instances in WW! I have been tracking down the provider as best as I can & doing some informing...

12:31 pm on Dec 7, 2003 (gmt 0)

Moderator from AU 

WebmasterWorld Administrator anallawalla is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 3, 2003
votes: 20

There is an opinionated SEO who left me a juicy URL to click (something like www.dodgyseo.com/?juicy_string). I did not give him the satisfaction but manually checked out his site.

There is a lot of this going on (including the kind you mentioned).

1:16 pm on Dec 7, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 11, 2001
votes: 0

I guess that's why when checking links via logs, I do it in "paranoid" mode. Firebird + proxomitron, with JS,Activex,jav,referrers turned off. Ocasionally with proxy to mask ip addressess

It won't stop them from learning that you visited the site if it's a specially prepared url for you, but that can't be helped.


Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members