Jump to content


Photo

Google Search Link Going To Another Site


  • Please log in to reply
5 replies to this topic

#1 slick

slick

    Family Friend

  • Members
  • PipPip
  • 57 posts

Posted 04 May 2009 - 01:29 PM

Hi.

I have a website hosted at TCH.
The domain name is trini-chat dot com.

I've noticed lately that sometimes when I do a search for my site on Google and I click on the link it goes directly to another domain (http://europpc dot com/search.php?iw=1&links=trini+chat) and then that redirects to another site that Firefox deems dangerous.

Any ideas what may be causing this?

Thanks.

#2 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 04 May 2009 - 09:49 PM

Look in your /public_html/.htaccess file for RewriteCond code that mentions search engine names and RewriteRule code that mentions names of sites other than yours, such as the europc site, or possibly a site that is identified only by IP address.

If you find code like this, it is a common symptom of sites that have been compromised. When visitors go to your site from search engine results, they get redirected to the malicious site. If they go straight to your site, they don't get redirected.

The .htaccess file would most likely have been changed by a malicious PHP script that the hacker "tricked" one of your .php web pages into running.

It looks like many of your pages use input (query string) parameters such as "?name=Forums". When your script receives data by this way, it is important that it checks it carefully to guard against something called "remote file inclusion" <- a term to do a web search on.

For example, if someone calls your page with ....filename.php?name=hxxp://someothersite.com/maliciousscript.txt, then your site, if your PHP code doesn't guard against it, will retrieve the malicious script and run it. You have to ensure that incoming values of "name" are only acted upon if they are legitimate values that you expect. Otherwise, the incoming data should be ignored.

The above is the most common reason for this type of redirection.

-----

It looks like you are using FlashChat. Look it up at http://secunia.com/advisories/search/. I know it has had some security vulnerabilities in the past, but I don't recall which ones or whether they are of a type that would be relevant to your current problem.

Edited by SteveW, 04 May 2009 - 09:49 PM.


#3 slick

slick

    Family Friend

  • Members
  • PipPip
  • 57 posts

Posted 10 May 2009 - 01:35 AM

.htaccess file is clean but there seems to be some strange code on the index page as well as a few other pages

#4 TCH-Thomas

TCH-Thomas

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 14,908 posts

Posted 10 May 2009 - 02:33 AM

I would ask the help desk to check if the account has been compromised and as usual change the password to the account (a strong as possible password).

As for the strange code, I would either clean it out myself or ask the help desk if its something they can help me with, then publish the file again and see if everything works as expected.

Thomas Jikrantz
Forum Moderator
TotalChoice Hosting, Inc.

Any links or suggestions for third party software/sites should be used at your own risk. My opinions and recommendations are not necessary those of TCH and TCH is not responsible.

As a Forum Moderator I can assist in answering many of your hosting related questions. However, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.
Web Hosting by Total Choice Web Hosting - 24/7 Help Desk


#5 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 10 May 2009 - 03:23 AM

Also see Secunia about PHPNuke http://secunia.com/a...?search=phpnuke. There was a new vulnerability found a couple of months ago. It is an "SQL injection" vulnerability that allows outsiders to inject data into a MySQL database.

If you look in the text of your static code pages on the server and don't find the malicious code in the page, it could be that it's stored in the database and being retrieved by whatever process is getting data out of the db to build the output page.

It's important to keep all scripts updated to their latest versions.

#6 JTD

JTD

    Immediate Family

  • Members
  • PipPipPipPip
  • 245 posts

Posted 10 May 2009 - 09:22 PM

I would personally change nuke scripts. I will PM you a site that has a VERY secure nuke script that i personally have used.
Truck Driver and Proud of It

Phantom309Drivers




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users