2

So I was recently shown by a friend something that is happening to a real estate website. It seems that when their website is accessed from a regular URL request in a browser it is fine; however, when requested from the Google search engines it's redirected to a different website. One for selling Viagra (obviously the hack/joke). I tried researching how this was accomplished but am a little held up. I tracked the requests that I was receiving from Google but everything seems to point and look as if they should just output the website that was requested. I'm wondering if this is server side or if I am missing something.

Website Url - http://www.jandjip.com

Google Url redirect - https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwiDoMqQnKHhAhXlmeAKHWpKD-IQFjAAegQICBAD&url=http%3A%2F%2Fjandjip.com%2F&usg=AOvVaw1UmccVjg4yMCM39WRDmiuZ

I understand that Google uses their redirects to track data, but is there some way someone could have tricked or poisoned the Google search result to do this?

Echo

1 Answer

4

This is no bug in Google but a deliberate attempt of the web site to misuse Google for spamming the user. If you request the URL https://www.google.com/url?... Google will redirect to the site and this is visible in the request sent by the browser:

GET / HTTP/1.1
Host: jandjip.com
...
Referer: https://www.google.com/
...

Some server-side code will then analyze this Referer and reply to redirect the user to a different URL (original response slightly edited for better readability):

<html><head><meta http-equiv="refresh" 
   content="0; url=https://alltabsstoretext.com/search.html?key=viagra&t=ed1_conc"
></head></html>

If you instead access the site directly the Referer will not point to Google and thus the redirect will not happen.

It is not fully clear if this is a deliberate attempt of the site itself or if the site was hacked. But given that this seems to be some investment property site created with WordPress, and that WordPress is a common target of successful attacks, it is likely that the site is hacked. In fact, this is what Sucuri suggests.

Steffen Ullrich
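A site owner can check for the Referer-conditioned redirect described in the answer by fetching the same URL twice, once without a Referer and once with `Referer: https://www.google.com/`, and comparing where each response sends the browser. The following is an added example, not code from the original post; the function names are hypothetical and the two responses are constructed samples modelled on the ones shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _MetaRefresh(HTMLParser):
    """Records the URL in <meta http-equiv="refresh" content="N; url=...">."""
    target = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, _, rest = a.get("content", "").partition(";")
            key, _, url = rest.strip().partition("=")
            if key.strip().lower() == "url" and url.strip():
                self.target = url.strip().strip("'\"")


def redirect_target(base_url, status, headers, body):
    """Absolute URL this response sends the browser to, or None."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        return urljoin(base_url, location)
    parser = _MetaRefresh()
    parser.feed(body)
    return urljoin(base_url, parser.target) if parser.target else None


def _site(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def referer_cloaking(base_url, direct, via_search):
    """Off-site URL served only to the search-referred request, else None.

    direct and via_search are (status, headers, body) for the same URL, fetched
    without a Referer and with "Referer: https://www.google.com/" respectively.
    """
    plain = redirect_target(base_url, *direct)
    referred = redirect_target(base_url, *via_search)
    if referred and referred != plain and _site(referred) != _site(base_url):
        return referred
    return None


# Constructed sample responses, modelled on the request/response in the answer.
DIRECT = (200, {"Content-Type": "text/html"}, "<html><body>Listings</body></html>")
VIA_GOOGLE = (200, {"Content-Type": "text/html"},
    '<html><head><meta http-equiv="refresh" content="0; '
    'url=https://alltabsstoretext.com/search.html?key=viagra&t=ed1_conc"></head></html>')
```

Calling `referer_cloaking("http://jandjip.com/", DIRECT, VIA_GOOGLE)` returns the off-site target; a same-site redirect such as http to https or to the `www.` host is not flagged.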