Solved

Need help with a hacked website

Posted on 2012-04-03
Medium Priority
303 Views
Last Modified: 2012-06-09
Our site, lasiksurgerynews.com, is experiencing a very strange hack that I have been unable to locate and I would appreciate your suggestions.

Here is what is happening:
http://www.lasiksurgerynews.com works just fine and is not hacked but the secure version of the site - https://lasiksurgerynews.com - IS hacked and is a completely different site from what you see on the non-SSL version.  As a matter of fact it is a Joomla-based site called "My Photo Battle" and we have never used Joomla for any of our sites.

The other bit of information that may or may not help is that we have a primary and a backup server in place for this site.  Currently we are running on the backup server (IP 174.121.37.5) but the malicious site showed up in Google a few months ago while we were running on our primary server - located at a different hosting company, location, IP address, server, etc.

First of all, we do not have an SSL certificate for the site.  Second, the hacked site appears to come from the same server, both on IP 174.121.37.5.  It also appeared to come from the same IP as the primary server when the site was running on it.

Because the malicious site seems to be independent of where the site is hosted, I do not think it is a server hack.  I have scanned all of the files in the site, which is a simple PHP-based site (even though most file extensions are .shtml).  Just some PHP includes and then lots of static html content on every page.  Nothing terribly complicated or database-driven.

I have checked htaccess files, scanned all of the files for base64 hacks, looked for meta redirects, and run through online scanners.  Nothing comes up.  If anyone has any suggestions I will be extremely grateful.

The only other thing I can think of is an SSL hack?  I don't even think it's possible, but one thing I did try is to rewrite https to http in the root htaccess file but the rule is ignored since the malicious site is not running from our web root.

Thanks for your assistance.
0
Question by:Ryan Herndon
5 Comments
 
LVL 8

Expert Comment

by:Ben McNelly
ID: 37803435
I haven't dug into this at all yet, but right off the bat this looks like it could be DNS related. Who is your registrar, who is your host and how do you have your DNS set up?

Edit: Looks like it may be hosted by The Planet, which is now owned by SoftLayer...
Domain Name: LASIKSURGERYNEWS.COM
   Registrar: DIRECTNIC, LTD
   Whois Server: whois.directnic.com
   Referral URL: http://www.directnic.com
   Name Server: NS10.DNSMADEEASY.COM
   Name Server: NS11.DNSMADEEASY.COM
   Name Server: NS12.DNSMADEEASY.COM
   Name Server: NS13.DNSMADEEASY.COM
   Name Server: NS14.DNSMADEEASY.COM
   Name Server: NS15.DNSMADEEASY.COM


0
 

Author Comment

by:Ryan Herndon
ID: 37803488
Our DNS is hosted at DNS Made Easy, which gives us the ability to automatically change records when servers go down (hence the use of a primary and backup server).

I was just thinking it is something to do with DNS and am checking with DNS Made Easy now.

Thanks for the tip.
0
 

Accepted Solution

by:
Ryan Herndon earned 0 total points
ID: 37804084
It ended up being a misconfiguration on our backup server.  For some reason the SSL site for myphotobattle.com was directing to our domain.

It no longer loads but the damage has been done in Google's index.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37810403
The Google index can be helped a little bit if you make a Google Site Map and submit it to Google.  

Even better?  Get yourself an SSL certificate and put up the HTTPS version of the site you want Google to find.  Make a 404 handler that redirects with "Moved Permanently" to the home page of the non-SSL site.  Let each of your pages in the SSL site redirect to the same REQUEST_URI on the non-SSL site.  Things will get fixed up in about a month.
0
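The redirect described in this answer, written out as an added example (it is not part of the original thread or the poster's configuration). It assumes Apache 2.4 with mod_ssl and mod_rewrite and name-based virtual hosts sharing one IP; the certificate paths and the catchall.invalid name are placeholders.

```apache
# Added example; Apache 2.4 syntax. Certificate paths are placeholders.

# 1) Catch-all HTTPS vhost. Apache gives any request whose hostname matches
#    no ServerName/ServerAlias on this address:port to the FIRST vhost
#    listed for it. Listing this one first means an unconfigured hostname
#    gets a 403 here instead of another site's content.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder/catchall.crt
    SSLCertificateKeyFile /path/to/placeholder/catchall.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2) HTTPS vhost for the real site, with its own certificate. Every request
#    is answered with 301 Moved Permanently to the same REQUEST_URI on the
#    non-SSL site, so indexed https:// URLs are replaced over time.
<VirtualHost *:443>
    ServerName lasiksurgerynews.com
    ServerAlias www.lasiksurgerynews.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder/lasiksurgerynews.crt
    SSLCertificateKeyFile /path/to/placeholder/lasiksurgerynews.key

    RewriteEngine On
    # The query string is carried over automatically.
    RewriteRule ^ http://www.lasiksurgerynews.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Running `apachectl -S` after a reload lists which vhost is the default for each address:port, which confirms the catch-all is the one answering unmatched names.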
 

Author Closing Comment

by:Ryan Herndon
ID: 38065241
Found the issue myself
0
