Re: All pages on my website keep being replaced by Google's homepage. Eg: http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php?
Dec 13, 2010 2:34 AM
Posted in group:
Malware & hacked sites
Check your files, check security of any tools that you have on your site and do some cleaning up.
Other interesting points - that domain name is the MD5 hash of the word 'antivirus'. The hack on our server appends the IP address of the site's visitor to another random hash, which redirects to go.php. go.php probably does something like log the visitor's IP address - it doesn't appear to do anything else to the visitor apart from generating another redirect to 22.214.171.124 with some obfuscated parameters. This script must do something with those parameters (it's not clear what though) before issuing a redirect to google.com, which is what you see as the end result.
The affected site was compromised at 03:05 GMT on Sunday 12th December. Does this tie in with what happened to you?
It's possible that this was a buggy test run (I have no idea why logging the IP address of a visitor would be useful for an attacker for example - I'd have thought logging the IP address of the compromised server would be more useful). I've been able to find no real mention of this apart from these posts and rainbow tables linking the hash to the word "antivirus".
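One way to act on the "check your files" advice, as an added example that is not part of the original post: a scanner that walks a web root, flags any file referencing a host whose label is exactly 32 hex characters (the shape of the domain in this thread), and checks each label against MD5 digests of a wordlist. The function names, the file-suffix list and the wordlist are assumptions made for this example.

```python
import hashlib
import re
from pathlib import Path

# A host label of exactly 32 hex characters, optionally behind subdomains,
# e.g. the 84f6a4ee... domain quoted in this thread.
HEX_HOST = re.compile(
    r"https?://(?:[a-z0-9-]+\.)*?([0-9a-f]{32})\.[a-z0-9.-]+", re.IGNORECASE
)

# Constructed wordlist (assumption); the post reports the thread's domain
# as the MD5 of 'antivirus', which the lookup below checks at run time.
WORDLIST = ["antivirus", "security", "malware", "update", "google"]
MD5_TO_WORD = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

# File types worth checking for an injected redirect (assumption).
SUFFIXES = {".php", ".html", ".htm", ".js", ".inc"}
NAMES = {".htaccess"}


def find_hash_hosts(text):
    """Return [(label, word_or_None), ...] for distinct 32-hex host labels."""
    found = {}
    for match in HEX_HOST.finditer(text):
        label = match.group(1).lower()
        found.setdefault(label, MD5_TO_WORD.get(label))
    return list(found.items())


def scan_tree(root):
    """Map each file under root that references such a host to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in SUFFIXES or path.name in NAMES:
            hits = find_hash_hosts(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample of an injected redirect, using the URL from the thread.
    sample = ('<?php header("Location: '
              'http://84f6a4eef61784b33e4acbd32c8fdd72.com/go.php?"); ?>')
    for label, word in find_hash_hosts(sample):
        print(label, "-> MD5 of", repr(word) if word else "no wordlist match")
```

Files modified around the compromise time given in the post are the first ones to run this against; a hit only shows where a reference sits, not how it got there.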