Home page hijack from Google search result click?

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

Home page hijack from Google search result click?

Adam5000

10:28 pm on Nov 6, 2008 (gmt 0)

A friend of mine asked me to have a look at his site. I almost knew the address of but not quite. So I googled it as close as I could, and it came up in the search. That's a good thing. But when I clicked on the link, I got someone trying to sell me an antivirus program. First there was a small box in the center of the screen that said something to the effect of, is your computer running slow, click here to buy our antivirus software. It doesn't do it on links to other addresses, just the one I was looking for.

It only does it on this one address. What's going on with that?

tedster

12:50 am on Nov 7, 2008 (gmt 0)

There are several possible reasons for the problem - on your local computer, or on your server, or with the DNS cache, or with Google. The first thing you need to do is verify what url is actually in the Google search results source code.

Adam5000

1:45 pm on Nov 7, 2008 (gmt 0)

I checked the Google search results source code, and the link looks good. I copied and pasted it into the address line on my browser (IE7) and it worked (it took me to the home page of the site).

gawnd

2:42 pm on Nov 7, 2008 (gmt 0)

I had this same thing happen to one of my sites running an old version of SMF. Someone was able to sign up and exploit a vulnerability to alter the index page. They did it so only visitors referred from Google would be redirected - I assume to avoid me, the site owner, noticing.

Compare the index file to that of an archived version.

Adam5000

6:19 pm on Nov 7, 2008 (gmt 0)

I tried searching on other search engines and the same thing happened. It's not just a Google thing, but I see where it could be and it sounds like something similar. And whatever it is, it's making the resident shield part of my virus scanner throw a fit. Every time I click on the search result I get a message that says "Accessed file is infected." Does that mean whoever loaded the home page on the server unknowingly uploaded a virus with it? And what can be done about it.

Please help the technically challenged.

tedster

7:23 pm on Nov 7, 2008 (gmt 0)

Does that mean whoever loaded the home page on the server unknowingly uploaded a virus

No, it means that someone hacked into your server to infect the files there. Get your tech people to find and replace the bad files, and to upgrade whatever software is running on the server to the newest versions.

wheel

7:26 pm on Nov 7, 2008 (gmt 0)

I saw this on someone's site once. Try looking at the source code of the page to see if it's got some nasty javascript in it. Basically what they do is if you come in from a search engine referral, you see one page. If you come in directly, you see another.

Since site owners generally type their domain name in directly, they see the unmodified page and think 'what's the problem?'. Everyone else meanwhile is seeing some other page.

dstiles

8:32 pm on Nov 7, 2008 (gmt 0)

It's not only hacked sites. There are a lot of spoofed domains being pushed to google, ones that LOOK like they are genuine but aren't. Eg: lloyds could have one or two digits instead of letters. This is big business in the spamming/virus world.

In particular, many of these domains are being promoted purely to "sell" you anti-virus software which is actually anti-anti-virus software and WILL infect your machine, if it hasn't done so already by exploiting holes in your browsing software.

[edited by: tedster at 8:59 pm (utc) on Nov. 7, 2008]

Adam5000

10:23 pm on Nov 11, 2008 (gmt 0)

tedster: That sounds right and I'll see that they're contacted. It's probably effecting (or is it affecting) several other sites as well. Whoever put it there is basically hijacking the traffic going to other sites and detouring them to his place. And then using scare tactics to sell his scanner.

dstiles: That sounds right too. I remember I encountered this once looking for a government site. The government site had the .gov extention, and the spoofed site had the same address with the .com extention.

I think this problem is in its last days.

Thanks to everyone who helped.

marco2008

6:12 pm on Nov 19, 2008 (gmt 0)

Did you find out what was the problem?

I don't understand how that works:
- if I type the url it works OK
- if I go there from a link (absolute link from another page I control) it works OK
- cut + paste from the Google result page is OK
- go to the Google cached page is OK and also clicking the link from there works OK
- but clicking in the Google result page sends to the hijacking site
- same with other search engines
- and seems also from yahoo newsgroups pages (the post was a simple text message)

My website is hosted by a provider. I don't control the server. I checked all my pages. These are html, a css, some simple php, no other scripting of any kind. Everything seems to be fine. Don't know how to proceed. Should I contact the provider? Is it a server problem? Is it a known attack on the server machine? Any suggestion on what should I ask them?

tedster

6:33 pm on Nov 19, 2008 (gmt 0)

Hello marco, and welcome to the forums.

Yes, this sounds like your server may have been compromised. The script that was most likely injected looks at the referrer for the request - the address of the page that held the link - and it only redirects the visitor if that referrer is a search engine result. In your case, the Yahoo newsgroup example sounds like it's only looking for the domain name in the referrer string.

There are two areas to address -- patching the server so that it is more secure (using the most up-to-date versions of all applications) and removing the affected files.

Depending on the level of support your provider gives, this might be a challenge. It's bad news for your web host and they may not be quick to accept the message. But don't give up on it - press for full communication. Show them what is going on - don't just describe it, demonstrate it. That should prove to them that there is a problem and get you some cooperation.

In the worst case you may need to move to a different server and upload all fresh files. But start by assuming that you will get full cooperation.

marco2008

12:48 am on Nov 20, 2008 (gmt 0)

I found the problem with the help of the provider. Someone hacked my .htaccess file. I was not seeing it in my ftp browser (hiding system files) and did not think of checking it (I never put one there).

Wish these attacks were more known. I would have been checking .htaccess earlier.

[edited by: tedster at 1:29 am (utc) on Nov. 20, 2008]

tedster

1:31 am on Nov 20, 2008 (gmt 0)

You're half way there. Now your provider nees to patch the application that allowed the hack to take place in the first place.

johnnie

1:56 am on Nov 20, 2008 (gmt 0)

Maybe your PC is infected with malware?

tedster

2:59 am on Nov 20, 2008 (gmt 0)

Always worth a check, Johnnie, but in these cases the hijack had different symptoms and turned out to be a hacked server issue.