Google re-directing domain somewhere else.



Wozcreative
10-10-2012, 11:20 AM
This is the first time I have come across this issue where when I type in the name of my client's business in the google search bar, the top one is his domain address.. when I click it, it will re-direct me to some weird link: http://smooth.ygto.com/ which later turns into a 404 page with some ads.

When I just use the URL itself in the browser.. it would go directly to the website no problem. I contacted the hosting company and the slow guy at the end told me it's something with google, to contact google and report an issue.. but one report online says it may be a hacking issue that the hosting company should be able to remove. The website is built on a wordpress framework, so I am not sure if a plugin is doing this hack either (I had come across some info that this may happen as well..?).. so nothing concrete yet on what the issue may be.

Any experiences with this? Figure I may ask first and then try to get ahold of google. :rolleyes:

Harold Mansfield
10-10-2012, 12:12 PM
Yes. It is likely a hacking issue. I've had it happen to clients a few times and generally it's something that has been installed on their server that redirects to another site. Best to get rid of it quickly, before Google designates it a malicious URL which my browser and anti virus already has.

Check the installation for more rogue files and change all of your passwords including FTP accounts.

Wozcreative
10-10-2012, 12:14 PM
Harold, thanks for the input, not too sure what/how to check rogue files, but is this something that a hosting company should be able to do in your experience?

Harold Mansfield
10-10-2012, 12:18 PM
Harold, thanks for the input, not too sure what/how to check rogue files, but is this something that a hosting company should be able to do in your experience?
Maybe depending on the hosting company. But generally you can do it yourself if you are comfortable accessing the website files via FTP.
If you've built the site, you may immediately notice a strange file or folder on the root of the domain. If they've gained complete access they may try and hide code in the header and index files too.

Generally a hosting company like Go Daddy will tell you to take care of it and may even deactivate access to the site until you do. Sometimes they will tell you where to look.

Is this an HTML site? WordPress? What's it built on?

Harold Mansfield
10-10-2012, 12:25 PM
Sorry, I see that you said it was on WordPress.

First check to make sure the client hasn't installed anything new or allowed anyone access to the website.

Wozcreative
10-10-2012, 12:49 PM
So I did some poking around and it is a virus that somehow got FTP info that was saved on a FTP client on a Windows system (I'm on Mac), so perhaps my client or other developer, sent it to Russia, and then they used that to hack the domain and send it to malware site. I am very surprised the hosting company had no idea what I was talking about. Anyway it was called the Eval base64_decode virus.

Thanks Harold, helped a lot to decipher what was the issue, i also saw the time-stamps were for today's date and that was a big clue.

I will be working on it to remove it. Client ended up choosing their own hosting (always a nightmare), and this is what I have to deal with when trying to solve server issues.

Harold Mansfield
10-10-2012, 12:52 PM
Sounds familiar. I've actually seen it so many times before that I named my wireless network after it to discourage people from trying to access it.
It's also really prevalent in free WordPress theme downloads. See here (they also offer a few possible fixes and places to look for it):
http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

Glad you got a handle on it.

billbenson
10-10-2012, 02:55 PM
Is there any software out there that will compare the site with a known good copy? This seems to be happening a lot lately and on a big site, it could be hard to identify the malicious file?

Wozcreative
10-10-2012, 03:24 PM
Is there any software out there that will compare the site with a known good copy?

I was wondering the same thing. Have not come across something like that but I'm sure it's available.

Harold Mansfield
10-10-2012, 03:59 PM
For WordPress there is an Exploit Scanner plug in that you can use to scan the files on your website, plug ins and some database tables for unusual file names:
WordPress › Exploit Scanner « WordPress Plugins (http://wordpress.org/extend/plugins/exploit-scanner/)

Also, here's a list of free online tools.
How to check Websites for Malware - Website security tools | Malware Help. Org (http://www.malwarehelp.org/freeware-open-source-commercial-website-security-tools-services-downloads.html)

You can also just download the files and scan the folder with your local anti virus, spyware or malware software.

bostonou
10-10-2012, 06:14 PM
Is there any software out there that will compare the site with a known good copy? This seems to be happening a lot lately and on a big site, it could be hard to identify the malicious file?

Software developers use a tool called version control to track changes to files. The most used is called "git". A couple others are mercurial and svn. If your version control is managing a directory of files, it will tell you what changes have been made to a file and what files have been created/deleted. It does much more than that, but the basics are plenty for most users. There are lots of tutorials if you google "git". Git, mercurial, and svn are all free. You'll want to be comfortable working from the command line, but there are GUIs available though I've never used them.

billbenson
10-10-2012, 06:16 PM
Realistically, just delete the site and upload a recent backup (not touching the db). Someone must have written a comparison script though, i.e. download the site to a directory and compare one directory to another. You might need php running on your pc to do that though.

ozetel
10-10-2012, 10:43 PM
Thanks for the info - we had the same type of hopeless advice from a hosting company and checking into the Eval base64_decode virus we found the issue as well.

This is driving us nuts as it is happening a bit now.

Is WP an issue with this type of hacking Harold or was it generally at the hosting server level?

I guess I felt WP was a "safe" platform, safer than normal.

Anyway I guess these annoyances are going to keep testing us. Thanks tho

MyITGuy
10-10-2012, 10:50 PM
Harold, thanks for the input, not too sure what/how to check rogue files, but is this something that a hosting company should be able to do in your experience?

Some companies may offer this service...sometimes for free (To protect their server and other clients), others will charge for this service.

Other companies, either larger ones with multiple tiers of support or smaller companies that do everything themselves but are lacking in the admin/security knowledge will try to pass the buck.

MyITGuy
10-10-2012, 10:54 PM
Is there any software out there that will compare the site with a known good copy? This seems to be happening a lot lately and on a big site, it could be hard to identify the malicious file?

The last time I came across this issue, there were some WP plugins that had this functionality included. If this is something that's needed let me know and I'll see if I can dig it up again.

MyITGuy
10-10-2012, 10:57 PM
Is WP an issue with this type of hacking Harold or was it generally at the hosting server level?

I guess I felt WP was a "safe" platform, safer than normal.


It's a WordPress issue, and it is a safe platform as long as the installation is kept up to date and the developer takes the appropriate steps to secure/harden the installation...but unfortunately we run into the same issue as hosting companies where they don't understand or are lacking the experience to do this.

MyITGuy
10-10-2012, 11:04 PM
Realistically, just delete the site and upload a recent backup (not touching the db). Someone must have written a comparison script though, i.e. download the site to a directory and compare one directory to another. You might need php running on your pc to do that though.

A quick search turned up this page: The Best Web Page Monitoring Tools for Change Detection (http://www.labnol.org/software/web-page-change-detection/20058/)

Myself, I have an Automate task that did this for a vendor I used who kept getting attacked...although it was based on the public page and not any internal PHP files. It's a pretty basic process and with your scripting knowledge you should be able to come up with something:

In a string or Array, load up all the pages you want to check/compare (Usually just the Front/Home page will be sufficient for word press)
Loop through the string (Using a new line as delimiter) or array, downloading each page to a path (i.e. C:\Compare\valueinstring)
Compare the filesize of C:\Compare\valueinstring to c:\Compare\Archive\valueinstring
If the file size is different, send an e-mail alert
When the task stops, move all files from c:\compare to c:\compare\archive

Brian Altenhofel
10-10-2012, 11:49 PM
So I did some poking around and it is a virus that somehow got FTP info that was saved on a FTP client on a Windows system (I'm on Mac), so perhaps my client or other developer, sent it to Russia, and then they used that to hack the domain and send it to malware site. I am very surprised the hosting company had no idea what I was talking about.

It doesn't matter what client it was on - if you're connecting via FTP, you're sending the credentials across the wire in plain text. Anyone between you and the server can read it, even that guy sitting in the corner of Starbucks with his WiFi card in promiscuous mode.

This kind of situation is also why I don't use shared hosts. Seen too many successful privilege escalation attacks through PHP. On a shared host, there's probably 1,000 or more sites sharing your server - if one gets exploited they can exploit everyone else on the server.


Is there any software out there that will compare the site with a known good copy? This seems to be happening a lot lately and on a big site, it could be hard to identify the malicious file?

That's one reason I keep code in version control. The server doesn't have commit access to the repository, and even if there was a server-side attack (likely through PHP) it would be resolved automatically within a couple of hours or resolved manually with a single click of a button.

I personally subscribe to the idea that if code and configuration is not in version control, the developer is doing it wrong.

MyITGuy
10-11-2012, 12:04 AM
This kind of situation is also why I don't use shared hosts. Seen too many successful privilege escalation attacks through PHP. On a shared host, there's probably 1,000 or more sites sharing your server - if one gets exploited they can exploit everyone else on the server.


Depends on how the server is configured...there are measures that hosting companies can implement to eliminate/mitigate these types of attacks.

Brian Altenhofel
10-11-2012, 12:16 AM
Depends on how the server is configured...there are measures that hosting companies can implement to eliminate/mitigate these types of attacks.

True, but most don't bother.

Many of the ones that do end up opening the holes in the name of "customer service".

You'd think by now most of them would figure out how to use cgroups. Then again, sysadmins and technicians who understand how to properly implement cgroups come with a hefty price tag - hefty enough that they could no longer maintain their falsely advertised "unlimited everything for $10/mo". (I personally take the approach of "oh, the server broke - rebuild it and if it breaks again then troubleshoot it" since it only takes ~6 minutes to replace a server without my involvement).

Harold Mansfield
10-11-2012, 01:23 AM
Is WP an issue with this type of hacking Harold or was it generally at the hosting server level?


If WordPress is updated as well as your plug ins and you run at least basic security measures (secure passwords, not leaving the default "admin" password) it's as safe as anything else.

But as was already mentioned, shared hosting can be risky, especially cheap hosting. Cheap hosting is usually used by cheap webmasters who run all free themes and tools. Some hosts are worse than others. Go Daddy, for instance, attracts noob WordPress users so if you are on a shared server with a bunch of noobs using all free themes, sooner or later you are going to get infected.

WordPress is also the easiest platform to infect yourself without having to know a line of code. One poorly updated plug in, combined with an insecure log in, and you are an easy target. And then there are the occasions where a previously vetted plug in, like Tim Thumb, opens a massive exploit leaving thousands of website owners vulnerable because they are using themes that depend on it.

There's a 100 different ways to get infected. Nothing is completely safe, but with WordPress being so easy to use and install files on the server, you really have to be careful with what you are using on your site and what kind of clientele you are hosting along side of.

Business Attorney
10-11-2012, 01:44 AM
A year or two ago I found a link to a reputable Australian web development firm that was redirected to a virus site. My antivirus kept me from the infected site but I was curious how a link to a reputable company could redirect me to a virus site. I looked back and it was pretty easy to see what happened. They were using Wordpress and had downloaded some free themes. One of them had a file that simply redirected traffic. They were not even using that theme but anyone who knows even a little about Wordpress knows the exact path to the themes and their files. I'm sure it was a simple matter for the person with the virus site to search for copies of the file on the web and then spread links around that went directly to the file.

After finding that, I immediately deleted all unused themes from my server. There is really no point to having an unused theme sitting in the themes folder since it is so simple to upload it when you need it.

vangogh
10-11-2012, 03:10 AM
Sorry I missed this thread when you started it. Sadly I've had plenty of experience with these kinds of things. I've cleaned out this or a similar virus from about a half dozen sites. They've all been WordPress sites. With one client the issue was a plugin. There was an old version of Tim Thumb (it adds image functionality) that had a hole and a lot of plugins were using the Tim Thumb code. The more popular plugins updated, so after cleaning out the attack updating the plugin usually prevented further attacks.

With the FTP thing you have to change every password or it'll just get back in.

If I'm remembering correctly you'll find the eval code at either the top or bottom of most files. I think it only attacked php files. It also creates image.php files in a variety of places and those need to be deleted. Since it's a WordPress site the quickest way to clean things out is to make a backup of your wp-contents folder. Then get rid of all the files and reinstall WordPress. You can use the same database. With plugins just reinstall them all too. That leaves you with the theme files and the upgrade and media folders. With those folders you probably only need to look for image.php files (maybe some index.php files too). You can delete the image.php files. The index.php files might need to be cleaned or might need to be deleted.

Then go through your theme files. I just opened them and looked for the malicious code and removed it. There shouldn't be too many theme files so it won't take long.

The worst part though is if you miss even a single file or line of code, the whole thing will come back in a few days and you'll have to start over again. That happened to me the first time or two I cleaned out sites that had been infected.

If you need help let me know. I wish I didn't, but I have plenty of experience with this kind of thing.
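A scanner for the two markers vangogh describes above (an eval(base64_decode(...)) injection inside PHP files, and dropped image.php files), as an added Python example that is not from the thread. It builds a constructed, WordPress-like sample tree in a temp directory so it runs offline; the regex also accepts one wrapper call such as gzinflate(), which is my assumption, not something the thread states.

```python
import os
import re
import tempfile

# Signature for the injection named in the thread: eval() wrapping base64_decode(),
# optionally through one intermediate call (assumed variant, e.g. gzinflate()).
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)?base64_decode\s*\(", re.I)
DROPPED_NAMES = {"image.php"}          # file name vangogh says the infection creates


def scan_file(path):
    """Return [(reason, line_no), ...] for one PHP file; empty list when clean."""
    findings = []
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return findings
    for m in EVAL_B64.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        findings.append(("eval(base64_decode(...))", line_no))
    return findings


def scan_tree(root):
    """Walk root; report suspicious file names and eval/base64 injections."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in DROPPED_NAMES:
                report.append((rel, "dropped file name", 0))
            if name.lower().endswith(".php"):
                for reason, line_no in scan_file(full):
                    report.append((rel, reason, line_no))
    return sorted(report)


def build_sample_site():
    """Constructed sample: one clean file, one injected theme file, one dropped file."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    files = {
        "index.php": "<?php\n/* clean */\nrequire 'wp-blog-header.php';\n",
        "wp-content/themes/demo/header.php":
            "<?php eval(base64_decode('aGVsbG8=')); ?>\n<!DOCTYPE html>\n",
        "wp-content/uploads/image.php": "<?php echo 'dropped'; ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, reason, line_no in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}" + (f" at line {line_no}" if line_no else ""))
```

Run it against a downloaded copy of the site instead of the sample tree to get the same report for real files.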

Harold Mansfield
10-11-2012, 10:16 AM
...After finding that, I immediately deleted all unused themes from my server. There is really no point to having an unused theme sitting in the themes folder since it is so simple to upload it when you need it.

That's a very good practice and I recommend it to everyone that runs WordPress. A lot of people keep tons of unused themes and plug ins installed and it's really a bad practice, and can also slow down your site.

billbenson
10-11-2012, 05:29 PM
It doesn't matter what client it was on - if you're connecting via FTP, you're sending the credentials across the wire in plain text. Anyone between you and the server can read it, even that guy sitting in the corner of Starbucks with his WiFi card in promiscuous mode.

This kind of situation is also why I don't use shared hosts. Seen too many successful privilege escalation attacks through PHP. On a shared host, there's probably 1,000 or more sites sharing your server - if one gets exploited they can exploit everyone else on the server.



That's one reason I keep code in version control. The server doesn't have commit access to the repository, and even if there was a server-side attack (likely through PHP) it would be resolved automatically within a couple of hours or resolved manually with a single click of a button.

I personally subscribe to the idea that if code and configuration is not in version control, the developer is doing it wrong.

There has to be a script out there Jeff, although I haven't looked. For new files, just SELECT all the file names and stick them in a table and do a compare. For altered files monitor the date altered?

Brian Altenhofel
10-11-2012, 07:15 PM
There has to be a script out there Jeff, although I haven't looked. For new files, just SELECT all the file names and stick them in a table and do a compare. For altered files monitor the date altered?

If you're wanting to compare files, you want to do an MD5 (or preferably, a SHA1) checksum. MD5 is more efficient, but is significantly more prone to collisions, meaning that a file could have its content changed and still get the same hash (although rare).

Timestamps are easily altered. Before a script overwrites a file, it just has to get the timestamp using 'stat' (or similar). After overwriting the file, the script just uses 'touch' to set the timestamp back to the original time. Therefore, the only reasonably reliable way to monitor changes to files is through checking hashes.
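The hash-based comparison Brian describes, which also covers the "compare the site with a known good copy" question billbenson and MyITGuy discuss above, as an added Python example that is not from the thread. It builds a baseline manifest of a constructed sample tree, then modifies a file and resets its timestamp the way Brian describes, to show that the hash still catches the change while the mtime check does not; SHA-256 is my choice in place of the SHA1 he suggests.

```python
import hashlib
import os
import tempfile


def file_hash(path, algo="sha256"):
    """Stream the file through the hash so large uploads folders stay cheap."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> (hash, mtime_ns) for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (file_hash(full), os.stat(full).st_mtime_ns)
    return out


def diff_manifests(baseline, current):
    """Added/deleted/content-changed files by hash; mtime list shown for contrast."""
    both = [p for p in baseline if p in current]
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
        "mtime_changed": sorted(p for p in both if baseline[p][1] != current[p][1]),
    }


def demo():
    """Constructed scenario: inject into header.php, reset its mtime, drop image.php."""
    root = tempfile.mkdtemp(prefix="wpfim_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    header = os.path.join(theme, "header.php")
    with open(header, "w") as f:
        f.write("<?php /* clean header */ ?>\n")
    baseline = manifest(root)                      # the "known good copy"
    st = os.stat(header)
    with open(header, "w") as f:
        f.write("<?php eval(base64_decode('aGVsbG8=')); ?>\n<?php /* clean header */ ?>\n")
    os.utime(header, ns=(st.st_atime_ns, st.st_mtime_ns))   # the 'touch' trick from the thread
    with open(os.path.join(root, "wp-content", "image.php"), "w") as f:
        f.write("<?php ?>\n")
    return diff_manifests(baseline, manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is taken from the clean deployment (or a version-control checkout) and stored off the server, since a manifest kept beside the files can be rewritten along with them.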