| All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | denzel240z | 12/12/10 9:15 PM | I have read the FAQs and checked for similar issues: YES / NO My site's URL (web address) is: http://www.degembris.co.uk Description (including timeline of any changes made): The problem mentioned above was noticed approx 13/12/10 2am. I have not made any |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/13/10 12:44 AM | Just incase - can we clarify? Are you sayying that when you try to visit 1 of your pages, you end up at Google? Is this when you search ing Gogole,, see youtr site, click the link? Is this when you manually type in the address? |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/13/10 12:45 AM | http://84f6a4eef61784b33e4acbd32c8fdd72.com/ Is an inactive server account? No website is showing there at all. |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | wadjei | 12/13/10 2:34 AM | Your website has likely been compromised. Some pages may have had javascript inserted at the top of the page that redirects to a random page on http://84f6a4eef61784b33e4acbd32c8fdd72.com and/or you may have had .htaccess files inserted into every di |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | denzel240z | 12/13/10 4:58 AM | You lovely people! Thank you Autcrat and Wadjei so much for your replys and apologies for not responding sooner ... hectic morning! Also, I have just had a reply from my hosting people with the same answer. I have discovered .htaccess files in almost |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/13/10 6:15 AM | Damned fine job by ...wadjei... :D As well as altering the passwords etc. - make sure your PC is clean! (quite often things like FTP programs etc. are part of the problem) |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | denzel240z | 12/13/10 6:59 AM | Re: PC clean Will do Many thanks |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | pristine1 | 12/20/10 4:14 AM | We had this same attack twice, 8 days apart - I thought we'd sorted it out first time round but clearly not as they struck again this morning. At least this time round I knew what the cause was - we'd only just about got ourselves back to normal afte |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/20/10 4:17 AM | Well - if you shut down the access (make relevant files 755, 600, 444 or whatever), then that should stop external access cmopeltely. You can also tell the server to Not run scripts in certain locations etc. That should offer al ittle more protection |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Mrio | 12/20/10 5:56 AM | Yes! We are also the victim of this attack. I'm currently scanning the whole system that links to that site (eg. grep 84f6a4eef61784b33e4acbd32c8fdd72). As of now if found that my whole magento folder and /var/log/mysql_replication/ is infected with |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Chrisdgreen | 12/20/10 9:05 AM | We have deleted the phpmyadmin but the htaccess files are still regenerating, not sure from where, yet. |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | pristine1 | 12/20/10 9:18 AM | I found a file called Class.php in the public_html root directory that didn't come from me. I tried to open it locally and it was immediately picked up as a virus by MS Security Essentials. I've now deleted it from our server. Not sure whether this i |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | crush_andy | 12/20/10 9:49 AM | Has anyone been able to track where the source file is generated from ? |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/20/10 10:07 AM | Can I make a suggestion folk? We have a Malware/Hacked group. It's blessed with the presenence of ...Dennis... - who happens to have built the parasite site... ... why not post in there the details you can find ... he may already have figured this o |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | pristine1 | 12/20/10 10:14 AM | I think people have found their way here as the only discussion ongoing (via Google search) for this problem - that's certainly how I arrived here. Right now the .htaccess files are arriving faster than I can delete them and I still can't figure out |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | crush_andy | 12/20/10 10:38 AM | Autocrat what is the URL for the Malware/Hacked group, I can't find it on google groups. Is anyone else suffering for this script regenerating after deletion ? |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | ghvoda | 12/20/10 10:56 AM | Yes. It seems to be a script somewhere on server. Does anybody knows where can be that script? |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | pristine1 | 12/20/10 11:49 AM | Just an idea for now: Whatever is generating the .htaccess files seems to do so when it detects that one (or more?) has been deleted - this then appears to trigger the mystery script. I'm wondering if it checks for specific content, or merely the pr |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | zsygab | 12/20/10 11:53 AM | Hey guys! I'm currently experimenting the same problem... A shameless folk / group of shameless folks are playing with our server... They are creating .htaccess files in the writeable directories, even if they have set the permissions as: 0774. (so e |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/20/10 11:57 AM | ??? "... Autocrat what is the URL for the Malware/Hacked group, I can't find it on google groups. ..." ??? http://www.google.com/support/forum/p/Webmasters?hl=en Listed in that lot :D |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | pristine1 | 12/20/10 12:11 PM | So much for my bright idea - no luck... :-( |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Thoreau | 12/20/10 12:40 PM | I posted something about my same problem on the Malware group here - http://www.google.com/support/forum/p/Webmasters/thread?tid=6064dab9e288d60f&hl=en - hopefully we will get an answer here. |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Thoreau | 12/20/10 4:20 PM | I have a temporary solution until something is found that will take the malware off the server. So far it is working on my site. Pristine1's attempt helped my server company and me think of an idea. The person whos site is being hacked will need the |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | ddi82 | 12/20/10 11:26 PM | i found solution, this hack was made by this exploit of phpMyAdmin http://forum.hackforce.ru/showthread.php?t=444 delete the files from PMA folder - /scripts/setup.php and REBOOT Apache after deletion file!!!! i am done, my VPS server again alive! |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | Autocrat | 12/21/10 3:00 AM | Well I hope that is the issue and the solution! Let us know peoples :D |
| Re: All pages on my website keep being replaced by Goole's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php? | WojtekG | 12/25/10 3:59 PM |