My Google results are being hacked.
November 25, 2012 10:21 AM Subscribe
Somehow my website's Google results are redirecting to another location.
If you type in this website right into the url, you get the proper website. The Rock Delusion
But if you Google for the site, type in The Rock Delusion into Google search, it redirects to some hacked location. Why website doesn't appear to be hacked, nor my hosting. But I can't seem to figure out where or how this is happening. And it is not only this one site, but a few others as well.
1and1.com hosting and the sites are all Joomla created sites, if that matters.
Thanks.
If you type in this website right into the url, you get the proper website. The Rock Delusion
But if you Google for the site, type in The Rock Delusion into Google search, it redirects to some hacked location. Why website doesn't appear to be hacked, nor my hosting. But I can't seem to figure out where or how this is happening. And it is not only this one site, but a few others as well.
1and1.com hosting and the sites are all Joomla created sites, if that matters.
Thanks.
Check the .htaccess file(s): probably an injection with something that checks for the Google referrer.
But also assume that your sites are compromised, can be popped again until you work out the cause, and that whatever injected the .htaccess may have injected other parts of the sites, including the database.
posted by holgate at 10:30 AM on November 25, 2012 [2 favorites]
But also assume that your sites are compromised, can be popped again until you work out the cause, and that whatever injected the .htaccess may have injected other parts of the sites, including the database.
posted by holgate at 10:30 AM on November 25, 2012 [2 favorites]
There are a number of malwares that redirect google search results to earn scammers ad revenue. Some do it to all of results on every search and some do it on random intervals. My wife's work computer has this problem and i have tried every possible virus and malware scanner and come up with nothing.
Very frustrating.
posted by srboisvert at 10:32 AM on November 25, 2012
Very frustrating.
posted by srboisvert at 10:32 AM on November 25, 2012
BTW I got to your site by both methods. Are you sure it isn't just your computer (s)?
posted by srboisvert at 10:34 AM on November 25, 2012
posted by srboisvert at 10:34 AM on November 25, 2012
I Googled. Clicking the link takes me to: http://forbidden.4pu.com/
posted by run"monty at 10:37 AM on November 25, 2012 [1 favorite]
posted by run"monty at 10:37 AM on November 25, 2012 [1 favorite]
There is something wrong with the site that is checking the referer (sic) header and redirecting when it resembles a google-search result:
Searching for "joomla redirect dumb1.com" gives this result: http://blog.aw-snap.info/2011/01/redirect-to-malicious-site.html which suggests there will be some obfuscated php doing the bad stuff. Search over the code for 'eval'
posted by gregjones at 10:40 AM on November 25, 2012 [2 favorites]
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, compress
Host: www.therockdelusion.com
Referer: google./url?sa
User-Agent: HTTPie/0.3.0
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Content-Type: text/html
Date: Sun, 25 Nov 2012 18:32:56 GMT
Location: http://unokesyh.dumb1.com/
Server: Apache
X-Powered-By: PHP/5.2.17
Searching for "joomla redirect dumb1.com" gives this result: http://blog.aw-snap.info/2011/01/redirect-to-malicious-site.html which suggests there will be some obfuscated php doing the bad stuff. Search over the code for 'eval'
posted by gregjones at 10:40 AM on November 25, 2012 [2 favorites]
Yah, gregjones has it. You're right, this is happening.
People can inject this kind of malware into CMS's like Joomla and Wordpress. I have NO IDEA how we fixed it when something like this happened to us, but I remember it being ugly. (The first steps, though, usually being to update the CMS.)
posted by RJ Reynolds at 10:42 AM on November 25, 2012
People can inject this kind of malware into CMS's like Joomla and Wordpress. I have NO IDEA how we fixed it when something like this happened to us, but I remember it being ugly. (The first steps, though, usually being to update the CMS.)
posted by RJ Reynolds at 10:42 AM on November 25, 2012
I'm getting the same result as run"monty, when I go via the Google search link.
I'm guessing it's Google's own redirect script messing up. I really wish Google would stop adding all of that tracking crap to URLs.
posted by Thorzdad at 10:42 AM on November 25, 2012
I'm guessing it's Google's own redirect script messing up. I really wish Google would stop adding all of that tracking crap to URLs.
posted by Thorzdad at 10:42 AM on November 25, 2012
I've seen hackers who own a whole box do stuff like this to the Apache instance on the machine. It sounds like that's easy to test in your case. Move an entire site folder aside for a moment, create a new folder there, and drop in a "Hello World" index.php. Hit the site from the Google link a few times. If it ever redirects, then the webserver is hacked. If it doesn't, your site is hacked.
posted by Monsieur Caution at 10:44 AM on November 25, 2012
posted by Monsieur Caution at 10:44 AM on November 25, 2012
I get redirected to the 4pu place too. You might find http://productforums.google.com/forum/#!topic/webmasters/dCy1ctI_ZCM helpful
posted by Hartham's Hugging Robots at 12:29 PM on November 25, 2012
posted by Hartham's Hugging Robots at 12:29 PM on November 25, 2012
I've seen this exact thing happen to a Drupal site. The hacker was somehow able to edit the .htaccess file in the webroot to direct users that are coming from google to a different site. I removed the offending lines there, updated the CMS, and contacted the hosting service.
posted by scottatdrake at 1:36 PM on November 25, 2012
posted by scottatdrake at 1:36 PM on November 25, 2012
This thread is closed to new comments.
posted by roboton666 at 10:29 AM on November 25, 2012