Welcome to WebmasterWorld Guest from 18.104.22.168
It only does it on this one address. What's going on with that?
Compare the index file to that of an archived version.
Please help the technically challenged.
Does that mean whoever loaded the home page on the server unknowingly uploaded a virus
No, it means that someone hacked into your server to infect the files there. Get your tech people to find and replace the bad files, and to upgrade whatever software is running on the server to the newest versions.
Since site owners generally type their domain name in directly, they see the unmodified page and think 'what's the problem?'. Everyone else meanwhile is seeing some other page.
In particular, many of these domains are being promoted purely to "sell" you anti-virus software which is actually anti-anti-virus software and WILL infect your machine, if it hasn't done so already by exploiting holes in your browsing software.
[edited by: tedster at 8:59 pm (utc) on Nov. 7, 2008]
dstiles: That sounds right too. I remember I encountered this once looking for a government site. The government site had the .gov extention, and the spoofed site had the same address with the .com extention.
I think this problem is in its last days.
Thanks to everyone who helped.
I don't understand how that works:
- if I type the url it works OK
- if I go there from a link (absolute link from another page I control) it works OK
- cut + paste from the Google result page is OK
- go to the Google cached page is OK and also clicking the link from there works OK
- but clicking in the Google result page sends to the hijacking site
- same with other search engines
- and seems also from yahoo newsgroups pages (the post was a simple text message)
My website is hosted by a provider. I don't control the server. I checked all my pages. These are html, a css, some simple php, no other scripting of any kind. Everything seems to be fine. Don't know how to proceed. Should I contact the provider? Is it a server problem? Is it a known attack on the server machine? Any suggestion on what should I ask them?
Yes, this sounds like your server may have been compromised. The script that was most likely injected looks at the referrer for the request - the address of the page that held the link - and it only redirects the visitor if that referrer is a search engine result. In your case, the Yahoo newsgroup example sounds like it's only looking for the domain name in the referrer string.
There are two areas to address -- patching the server so that it is more secure (using the most up-to-date versions of all applications) and removing the affected files.
Depending on the level of support your provider gives, this might be a challenge. It's bad news for your web host and they may not be quick to accept the message. But don't give up on it - press for full communication. Show them what is going on - don't just describe it, demonstrate it. That should prove to them that there is a problem and get you some cooperation.
In the worst case you may need to move to a different server and upload all fresh files. But start by assuming that you will get full cooperation.
Wish these attacks were more known. I would have been checking .htaccess earlier.
[edited by: tedster at 1:29 am (utc) on Nov. 20, 2008]