My Google results are being hacked.
November 25, 2012 10:21 AM   Subscribe

Somehow my website's Google results are redirecting to another location.

If you type in this website right into the url, you get the proper website. The Rock Delusion

But if you Google for the site, type in The Rock Delusion into Google search, it redirects to some hacked location. Why website doesn't appear to be hacked, nor my hosting. But I can't seem to figure out where or how this is happening. And it is not only this one site, but a few others as well.

1and1.com hosting and the sites are all Joomla created sites, if that matters.

Thanks.
posted by wile e to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
Works for me on an iPhone using google search in the phone browser.
posted by roboton666 at 10:29 AM on November 25, 2012


Check the .htaccess file(s): probably an injection with something that checks for the Google referrer.

But also assume that your sites are compromised, can be popped again until you work out the cause, and that whatever injected the .htaccess may have injected other parts of the sites, including the database.
posted by holgate at 10:30 AM on November 25, 2012 [2 favorites]


There are a number of malwares that redirect google search results to earn scammers ad revenue. Some do it to all of results on every search and some do it on random intervals. My wife's work computer has this problem and i have tried every possible virus and malware scanner and come up with nothing.

Very frustrating.
posted by srboisvert at 10:32 AM on November 25, 2012


BTW I got to your site by both methods. Are you sure it isn't just your computer (s)?
posted by srboisvert at 10:34 AM on November 25, 2012


I Googled. Clicking the link takes me to: http://forbidden.4pu.com/
posted by run"monty at 10:37 AM on November 25, 2012 [1 favorite]


There is something wrong with the site that is checking the referer (sic) header and redirecting when it resembles a google-search result:


GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, compress
Host: www.therockdelusion.com
Referer: google./url?sa
User-Agent: HTTPie/0.3.0

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Content-Type: text/html
Date: Sun, 25 Nov 2012 18:32:56 GMT
Location: http://unokesyh.dumb1.com/
Server: Apache
X-Powered-By: PHP/5.2.17


Searching for "joomla redirect dumb1.com" gives this result: http://blog.aw-snap.info/2011/01/redirect-to-malicious-site.html which suggests there will be some obfuscated php doing the bad stuff. Search over the code for 'eval'
posted by gregjones at 10:40 AM on November 25, 2012 [2 favorites]


Hmm. Fine for me.
posted by zug at 10:41 AM on November 25, 2012


Yah, gregjones has it. You're right, this is happening.

People can inject this kind of malware into CMS's like Joomla and Wordpress. I have NO IDEA how we fixed it when something like this happened to us, but I remember it being ugly. (The first steps, though, usually being to update the CMS.)
posted by RJ Reynolds at 10:42 AM on November 25, 2012


I'm getting the same result as run"monty, when I go via the Google search link.

I'm guessing it's Google's own redirect script messing up. I really wish Google would stop adding all of that tracking crap to URLs.
posted by Thorzdad at 10:42 AM on November 25, 2012


I've seen hackers who own a whole box do stuff like this to the Apache instance on the machine. It sounds like that's easy to test in your case. Move an entire site folder aside for a moment, create a new folder there, and drop in a "Hello World" index.php. Hit the site from the Google link a few times. If it ever redirects, then the webserver is hacked. If it doesn't, your site is hacked.
posted by Monsieur Caution at 10:44 AM on November 25, 2012


I get redirected to the 4pu place too. You might find http://productforums.google.com/forum/#!topic/webmasters/dCy1ctI_ZCM helpful
posted by Hartham's Hugging Robots at 12:29 PM on November 25, 2012


I've seen this exact thing happen to a Drupal site. The hacker was somehow able to edit the .htaccess file in the webroot to direct users that are coming from google to a different site. I removed the offending lines there, updated the CMS, and contacted the hosting service.
posted by scottatdrake at 1:36 PM on November 25, 2012


« Older Looking for a good indoor outdoor thermometer.   |   What to bite next? Newer »
This thread is closed to new comments.