Users / Clients getting redirected when attempting to access our website.

When someone does a Google search for our company, and tries to access our website, the user is redirected to an Adware/Malware site. I've checked my DNS records (both internal and domain host) to make sure they were not compromised. If you simply enter the address into any web browser, the web site appears with no issues; it only happens when you do a Google search. I also tested the search using Bing, but I'm not redirected to a random site. Any thoughts where I can look next? My website does not reside on my network, but is hosted by a vendor. Thank you for your time.
Domenic DiPasquale (System / Network Administrator) Asked:
 
Kimputer Commented:
Fact: www.csquaredsystems.com is your server
Fact: www.csquaredsystems.com resolves to  69.63.155.109
Fact: this conversation was captured talking to said IP address:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2) Presto/2.12.388 Version/12.17
Host: www.csquaredsystems.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://www.google.nl/url?url=http://www.csquaredsystems.com/&rct=j&q=&esrc=s&sa=U&ei=oc6_VM2NBIeCPa76gdgE&ved=0CBcQFjAA&sig2=rJazkRDq4EL-1BG0fxWS_w&usg=AFQjCNEUUiJnOedT6Lqf6f_-TMWc0-o7KA
Cookie: PHPSESSID=ut33rts52pi8cp81vdqg38jks3; devicePixelRatio=1; _gat=1; _ga=GA1.2.452909716.1421856593
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 16:13:39 GMT
Content-Length: 178

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://82.118.18.238/?80&source=csquaredsystems.com">here</a></body>

Hence, you should check out your own server. Interestingly, it doesn't happen when you browse to your website by yourself, so this only happens when surfing from Google. Probably the writer of this malware had some strategy for this (because now outside website vulnerability scanners won't find it, as they're scanning your website directly, not through Google).

Side note: Abuse email sent to that redirect IP (origin .UA). Hopefully they will take down this server. But still you are mainly responsible for this problem.
0
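An added example, not from the thread or its participants: the comparison the capture above implies, requesting the page once directly and once with a search-engine Referer, without following redirects, and flagging an off-site Location that only the referred visit receives. The function names, the Referer strings and the simulated site with its 203.0.113.10 placeholder address are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Referer values to probe with (constructed; any search-result URL shape works).
SEARCH_REFERERS = {
    "google": "http://www.google.com/url?q=",
    "bing": "http://www.bing.com/search?q=",
}
REDIRECTS = {301, 302, 303, 307, 308}

def _host(url):
    """Hostname of url without a leading 'www.'; '' for relative or missing URLs."""
    h = urlsplit(url or "").hostname or ""
    return h[4:] if h.startswith("www.") else h

def fetch_no_follow(url, referer=None, timeout=10):
    """GET url once, without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    headers = {"User-Agent": "Mozilla/5.0", "Cache-Control": "no-cache"}
    if referer:
        headers["Referer"] = referer
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def find_referer_cloaking(url, fetch=fetch_no_follow):
    """Compare a direct visit with visits carrying search-engine Referers."""
    baseline = fetch(url, None)
    findings = []
    for engine, referer in SEARCH_REFERERS.items():
        status, location = fetch(url, referer)
        off_site = status in REDIRECTS and _host(location) not in ("", _host(url))
        if off_site and (status, location) != baseline:
            findings.append((engine, status, location))
    return findings

def simulated_site(url, referer=None):
    """Constructed stand-in for the captured behaviour: only Google traffic is redirected."""
    if referer and "google." in referer:
        return 302, "http://203.0.113.10/?80&source=example.com"  # placeholder
    return 200, None

if __name__ == "__main__":
    for hit in find_referer_cloaking("http://www.example.com/", simulated_site):
        print("Referer=%s: %s -> %s" % hit)
```

Against a live site, call `find_referer_cloaking(url)` with the default fetcher; an empty list means the direct and referred responses did not differ in this way.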
 
Kimputer Commented:
Sadly, you need to give us the Google search, the returning results, and the real website's URL, so we have more details to investigate.
0
 
Domenic DiPasquale (System / Network Administrator, Author) Commented:
http://www.csquaredsystems.com
Google Search: c squared systems
Search result
Note: If I disable TM, it will redirect you to a downloading site, prompting me to update my flash player (which is obviously malware).
0
 
Domenic DiPasquale (System / Network Administrator, Author) Commented:
Our website is hosted by someone else, so I'm assuming the issue is on their end?
0
 
Domenic DiPasquale (System / Network Administrator, Author) Commented:
Also, what utility did you use to get this result?
0
 
Kimputer Commented:
Of course, I thought you were in charge. The person in charge of the website is responsible, yes.

I used Wireshark, luckily it wasn't encrypted though, otherwise I might still be searching for the problem. Just copy and forward what I posted to the webserver admin or webmaster.
0
 
Domenic DiPasquale (System / Network Administrator, Author) Commented:
Thank you for your help, I've forwarded the information to the web server admin.
0
Question has a verified solution.