
My website is altoonadesign.com. If you type it directly into your browser it takes you to the correct site. However, if you do a search for "altoona design" and click on the link to my site, you get redirected to a malicious site.

I tried this in Google on Chrome and in Bing on IE, on different computers, always with the same results: typing in the URL directly takes you to my real site; clicking the link in the search results redirects you to the malicious site.

I am not sure how this is happening, how to undo it, or how to prevent it in the future.

Update

Clicking the link from here takes you to the malicious site too, so it seems clicking a link is what does it, but typing it in directly doesn't redirect you... how is that?

JD Isaacks

3 Answers


I've not actually followed your link (no desire to meet a zero-day exploit), but what often happens when a server has been hacked is that code is put into any PHP files to check the referrer header and redirect either if the visit is from a search engine or if it's from anywhere not the current site.

This is done to try to prevent the owner of the site from realising the hack is in place, as you will probably usually visit the site directly rather than finding it through a search engine.

Andrew Aylett
    +1 for explaining the "why". Pretty smart. –  Jun 24 '10 at 13:36
  • Thank you, can you recommend how I track it down and fix it? Should I just start going through all the files on my site? Thanks! – JD Isaacks Jun 24 '10 at 13:37
  • If you have a recent backup (or source control), use it :). Otherwise, start looking at recently modified files, files modified by the webserver user or files containing "referrer". Chances are the code will be at least lightly obfuscated though, so the search may well not work. Next, look for the entry point -- you don't want to leave it open :). I assume you're using PHP, and an unchecked include is most likely. – Andrew Aylett Jun 24 '10 at 13:42

When viewing the source of your page, there's some code at the bottom that doesn't look like you put it there:

<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/passware-myob-key-crack.html'>Passware MYOB Key crack</a></div><div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/newstarsoccer-crack.html'>NewStarSoccer crack</a></div><div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/pcsentinels-busted-crack.html'>PCSentinels Busted crack</a></div><div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/3dmark2001-crack.html'>3DMark2001 crack</a></div><div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/acdsee50powerpack-crack.html'>ACDSee50PowerPack crack</a></div><div style='position:absolute;left:-2125px;width:1024px'><a href='http://keygen-0day.ws/database/My%20TypeArtist%201.000B/'>My TypeArtist 1.000B</a></div></body> 
<!-- InstanceEnd --></html> 
<script>check_content()</script>check_content()</script>

When using Fiddler and accessing your site through Google, I can see that it does go to your domain first, and then gets redirected before your whole page loads.

Check your PHP code; they probably put some redirect code in your page.

Ed B
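The injected code Andrew describes and the redirect Ed observed in Fiddler leave a recognisable footprint in the PHP and template files of the site. The scanner below is an added example written for this page; it is not code from the original thread or from the site in the question. It walks a web root, decodes the eval(base64_decode('...')) blobs attackers commonly use to hide such code (Andrew's "lightly obfuscated" case), and flags files that read the Referer header and issue a redirect, files that check for a search-engine referrer, and files that emit off-screen spam links like the ones Ed found in the page source. The web root, its five files, the domain evil.invalid and the file names are all constructed for the demo.

```python
"""Triage scanner for a referrer-conditional redirect in a hacked PHP site.

Added example, not from the original thread. Decodes nested
eval(base64_decode('...')) payloads and flags the indicators discussed
in the answers. All sample files are constructed for the demo.
"""
import base64
import os
import re
import tempfile

# Indicators that, together, point at a referrer-conditional redirect.
REFERER_RE = re.compile(r"HTTP_REFERER", re.I)
REDIRECT_RE = re.compile(
    r"header\s*\(\s*['\"]Location:|window\.location|meta\s+http-equiv=['\"]refresh", re.I)
SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|msn", re.I)
# base64_decode('...') with a literal blob; the hidden code usually sits in here.
B64_BLOB_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# Off-screen spam container such as <div style='position:absolute;left:-2125px'>
OFFSCREEN_RE = re.compile(
    r"position\s*:\s*absolute\s*;\s*(left|top)\s*:\s*-\d{3,}px", re.I)


def deobfuscate(src: str, depth: int = 3) -> str:
    """Return src followed by every base64 payload it carries, decoded recursively.

    Only a few layers are followed: real samples often nest base64 inside
    base64, but an unbounded loop over a hostile file is not what you want
    in triage tooling.
    """
    layers, frontier = [src], src
    for _ in range(depth):
        decoded = []
        for blob in B64_BLOB_RE.findall(frontier):
            try:
                decoded.append(base64.b64decode(re.sub(r"\s", "", blob)).decode("utf-8", "replace"))
            except ValueError:
                continue
        if not decoded:
            break
        frontier = "\n".join(decoded)
        layers.append(frontier)
    return "\n".join(layers)


def classify(src: str) -> set:
    """Return the set of indicator names found in one file's (decoded) source."""
    text = deobfuscate(src)
    found = set()
    if REFERER_RE.search(text) and REDIRECT_RE.search(text):
        found.add("referrer-redirect")
        if SEARCH_ENGINE_RE.search(text):
            found.add("search-engine-check")
    if B64_BLOB_RE.search(src) and re.search(r"\beval\s*\(", src):
        found.add("eval-base64")
    if OFFSCREEN_RE.search(text):
        found.add("offscreen-spam")
    return found


def scan_webroot(root: str, exts=(".php", ".inc", ".html", ".htm", ".js")) -> dict:
    """Map relative path -> indicators for every flagged file, newest mtime first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = classify(fh.read())
            if found:
                hits.append((os.path.getmtime(path), os.path.relpath(path, root), found))
    hits.sort(key=lambda h: h[0], reverse=True)  # recently modified files first
    return {rel: found for _, rel, found in hits}


# Constructed sample web root (placeholder content, not files from the real site).
CLEAN_PHP = "<?php\nrequire 'lib/db.php';\necho render_page($_GET['p'] ?? 'home');\n"
PLAIN_REDIRECT_PHP = (
    "<?php\n"
    "if (isset($_SERVER['HTTP_REFERER']) && preg_match('/google|bing|yahoo/i', $_SERVER['HTTP_REFERER'])) {\n"
    "    header('Location: http://evil.invalid/lander');\n    exit;\n}\n"
)
_INNER = ("if(stripos($_SERVER['HTTP_REFERER'],'google')!==false)"
          "{header('Location: http://evil.invalid/x');exit;}")
OBFUSCATED_PHP = "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(_INNER.encode()).decode()
SPAM_FOOTER_HTML = ("</div><div style='position:absolute;left:-2125px;width:1024px'>"
                    "<a href='http://example.invalid/crack.html'>crack</a></div></body></html>\n")


def build_sample_root() -> str:
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {"index.php": CLEAN_PHP, "lib/db.php": CLEAN_PHP,
             "lib/init.php": PLAIN_REDIRECT_PHP, "images/.cache.php": OBFUSCATED_PHP,
             "templates/footer.html": SPAM_FOOTER_HTML}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, found in scan_webroot(build_sample_root()).items():
        print(f"{rel}: {', '.join(sorted(found))}")
```

Run it against the real document root instead of build_sample_root() once you have a copy of the files off the server. To confirm the conditional behaviour from outside without a browser, fetch the page once with and once without a Referer header, for example `curl -sI -H 'Referer: https://www.google.com/' http://example.invalid/` versus `curl -sI http://example.invalid/`, and compare the status line and any Location header; only the referred request should produce the redirect (or the page carrying the redirect script).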

First and foremost this is a programming question; I have absolutely no idea what this is doing on Server Fault.

There is a vulnerability in your PHP web application and you need to find it and patch it. First I would go through and make sure that all of your PHP libraries are up to date. A vulnerability in PHPMailer or Smarty can let a hacker break into your site.

Next I would scan your site with something like Acunetix ($) or NTOSpider ($$$). Good open source alternatives are wapiti and w3af. These scanners can find vulnerabilities such as misuses of eval() which can lead to this type of attack.

Next you should lock down PHP using phpsecinfo and make sure display_errors=off. If you have a MySQL backend, make sure to disable file_priv (file privileges) for the MySQL account used by PHP.

Here are some good resources for writing secure PHP code:

http://phpsec.org/library/

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Also avoid FTP like the plague; there are multiple worms spreading right now that sniff your local machine for FTP logins and then infect your site. Also make sure you are running an anti-virus on all machines with access to the server, even if it's just a free one like AVG.

Rook
  • Rook, the initial flaw is almost certainly a programming problem. But if the server was set up and the security had been hardened properly, the software flaw might not have been exploitable. I am also curious how you could be 100% sure the flaw is in software he developed and not in some configuration of the OS or some other tool. If backups were running properly then 'fixing' the problem could easily be accomplished by a quick restore. – Zoredache Jun 25 '10 at 04:55
  • @Zoredache you're right that the problem could be an issue with configuration or a vulnerability in another service. However, many exploits work regardless of configuration or security settings, such as SQL injection. Even with AppArmor and SELinux a system can still be exploited easily. – Rook Jun 28 '10 at 11:10