Solved

Users / Clients getting redirected when attempting to access our website.

Posted on 2015-01-21
235 Views
Last Modified: 2015-01-21
When someone does a Google search for our company and tries to access our website, the user is redirected to an Adware/Malware site. I've checked my DNS records (both internal and domain host) to make sure they were not compromised. If you simply enter the address into any web browser, the web site appears with no issues; it only happens when you do a Google search. I also tested the search using Bing, but I'm not redirected to a random site. Any thoughts where I can look next? My website does not reside on my network, but is hosted by a vendor. Thank you for your time.
Question by:Domenic DiPasquale
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562138
Sadly, you need to give us the Google search, the returned results, and the real website's URL, so we have more details to investigate.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562180
http://www.csquaredsystems.com
Google Search: c squared systems
Search result. Note: If I disable TM, it will redirect you to a downloading site, prompting me to update my flash player (which is obviously malware).
0
 
LVL 35

Accepted Solution

by:Kimputer (earned 500 total points)
ID: 40562202
Fact: www.csquaredsystems.com is your server
Fact: www.csquaredsystems.com resolves to 69.63.155.109
Fact: this conversation was captured talking to said IP address:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2) Presto/2.12.388 Version/12.17
Host: www.csquaredsystems.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://www.google.nl/url?url=http://www.csquaredsystems.com/&rct=j&q=&esrc=s&sa=U&ei=oc6_VM2NBIeCPa76gdgE&ved=0CBcQFjAA&sig2=rJazkRDq4EL-1BG0fxWS_w&usg=AFQjCNEUUiJnOedT6Lqf6f_-TMWc0-o7KA
Cookie: PHPSESSID=ut33rts52pi8cp81vdqg38jks3; devicePixelRatio=1; _gat=1; _ga=GA1.2.452909716.1421856593
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 16:13:39 GMT
Content-Length: 178

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://82.118.18.238/?80&source=csquaredsystems.com">here</a></body>

Hence, you should check out your own server. Interestingly, it doesn't happen when you browse to your website by yourself, so this only happens when surfing from Google. Probably the writer of this malware had some strategy for this (because now outside website vulnerability scanners won't find it, as they're scanning your website directly, not through Google).

Side note: Abuse email sent to that redirect IP (origin .UA). Hopefully they will take down this server. But still you are mainly responsible for this problem.
0
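As an added defender's check (not code from the thread), this Python compares the response a direct visit gets against the one a search-engine-referred visit gets and flags the referer-conditional off-site redirect the capture above shows. The two sample responses are constructed from that capture; in practice you would feed it the output of `curl -i` run once without and once with a `-H "Referer: https://www.google.com/"` header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the 302 captured in the accepted solution above,
# which the server returns only when the request carries a Google Referer.
REFERRED_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
Content-Length: 178

<head><title>Document Moved</title></head>"""

# Constructed sample: what a direct visit (no Referer) returns, i.e. the real page.
DIRECT_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
Content-Length: 13

<html></html>"""

def parse_status_and_headers(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value})."""
    head = raw.replace("\r", "").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def is_suspicious_redirect(raw, site_host):
    """Flag a 3xx whose Location leaves the site or points at a bare IP address."""
    status, headers = parse_status_and_headers(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    target = urlsplit(headers["location"]).hostname or ""
    offsite = target != site_host and not target.endswith("." + site_host)
    bare_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target) is not None
    return offsite or bare_ip

def cloaked_redirect(direct_raw, referred_raw, site_host):
    """True when only the search-engine-referred request is redirected off-site."""
    return (is_suspicious_redirect(referred_raw, site_host)
            and not is_suspicious_redirect(direct_raw, site_host))
```

Because the redirect is conditional on the Referer, a scanner or a manual visit that omits that header sees a clean 200, which is exactly why the check has to be run both ways.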

Author Comment

by:Domenic DiPasquale
ID: 40562217
Our website is hosted by someone else, so I'm assuming the issue is on their end?
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562219
Also, what utility did you use to get this result?
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562221
Of course, I thought you were in charge. The person in charge of the website is responsible, yes.

I used Wireshark, luckily it wasn't encrypted though, otherwise I might still be searching for the problem. Just copy and forward what I posted to the webserver admin or webmaster.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562262
Thank you for your help, I've forwarded the information to the web server admin.
0
