Jump to content
slick

Google Search Link Going To Another Site

Recommended Posts

Hi.

 

I have a website hosted at TCH.

The domain name is trini-chat dot com.

 

I've noticed lately that sometimes when I do a search for my site on Google and I click on the link it goes directly to another domain (http://europpc dot com/search.php?iw=1&links=trini+chat) and then that redirects to another site that Firefox deems dangerous.

 

Any ideas what may be causing this?

 

Thanks.

Share this post


Link to post
Share on other sites

Look in your /public_html/.htaccess file for RewriteCond code that mentions search engine names and RewriteRule code that mentions names of sites other than yours, such as the europc site, or possibly a site that is identified only by IP address.

 

If you find code like this, it is a common symptom of sites that have been compromised. When visitors go to your site from search engine results, they get redirected to the malicious site. If they go straight to your site, they don't get redirected.

 

The .htaccess file would most likely have been changed by a malicious PHP script that the hacker "tricked" one of your .php web pages into running.

 

It looks like many of your pages use input (query string) parameters such as "?name=Forums". When your script receives data by this way, it is important that it checks it carefully to guard against something called "remote file inclusion" <- a term to do a web search on.

 

For example, if someone calls your page with ....filename.php?name=hxxp://someothersite.com/maliciousscript.txt, then your site, if your PHP code doesn't guard against it, will retrieve the malicious script and run it. You have to ensure that incoming values of "name" are only acted upon if they are legitimate values that you expect. Otherwise, the incoming data should be ignored.

 

The above is the most common reason for this type of redirection.

 

-----

 

It looks like you are using FlashChat. Look it up at http://secunia.com/advisories/search/. I know it has had some security vulnerabilities in the past, but I don't recall which ones or whether they are of a type that would be relevant to your current problem.

Edited by SteveW

Share this post


Link to post
Share on other sites

.htaccess file is clean but there seems to be some strange code on the index page as well as a few other pages

Share this post


Link to post
Share on other sites

I would ask the help desk to check if the account has been compromised and as usual change the password to the account (a strong as possible password).

 

As for the strange code, I would either clean it out myself or ask the help desk if its something they can help me with, then publish the file again and see if everything works as expected.

Share this post


Link to post
Share on other sites

Also see Secunia about PHPNuke http://secunia.com/advisories/search/?search=phpnuke. There was a new vulnerability found a couple of months ago. It is an "SQL injection" vulnerability that allows outsiders to inject data into a MySQL database.

 

If you look in the text of your static code pages on the server and don't find the malicious code in the page, it could be that it's stored in the database and being retrieved by whatever process is getting data out of the db to build the output page.

 

It's important to keep all scripts updated to their latest versions.

Share this post


Link to post
Share on other sites

I would personally change nuke scripts. I will PM you a site that has a VERY secure nuke script that i personally have used.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×