Solved

Users / Clients getting redirected when attempting to access our website.

Posted on 2015-01-21
Last Modified: 2015-01-21
When someone does a Google search for our company and tries to access our website, the user is redirected to an Adware/Malware site. I've checked my DNS records (both internal and domain host) to make sure they were not compromised. If you simply enter the address into any web browser, the web site appears with no issues; it only happens when you do a Google search. I also tested the search using Bing, but I'm not redirected to a random site. Any thoughts where I can look next? My website does not reside on my network, but is hosted by a vendor. Thank you for your time.
Question by:Domenic DiPasquale
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562138
Sadly, you need to give us the Google search, the returned results, and the real website's URL, so we have more details to investigate.
 

Author Comment

by:Domenic DiPasquale
ID: 40562180
http://www.csquaredsystems.com
Google Search: c squared systems
Search result
Note: If I disable TM, it will redirect you to a downloading site, prompting me to update my flash player (which is obviously malware).
 
LVL 35

Accepted Solution

by:
Kimputer earned 500 total points
ID: 40562202
Fact: www.csquaredsystems.com is your server
Fact: www.csquaredsystems.com resolves to 69.63.155.109
Fact: this conversation was captured talking to said IP address:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2) Presto/2.12.388 Version/12.17
Host: www.csquaredsystems.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://www.google.nl/url?url=http://www.csquaredsystems.com/&rct=j&q=&esrc=s&sa=U&ei=oc6_VM2NBIeCPa76gdgE&ved=0CBcQFjAA&sig2=rJazkRDq4EL-1BG0fxWS_w&usg=AFQjCNEUUiJnOedT6Lqf6f_-TMWc0-o7KA
Cookie: PHPSESSID=ut33rts52pi8cp81vdqg38jks3; devicePixelRatio=1; _gat=1; _ga=GA1.2.452909716.1421856593
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 16:13:39 GMT
Content-Length: 178

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://82.118.18.238/?80&source=csquaredsystems.com">here</a></body>

Hence, you should check out your own server. Interestingly, it doesn't happen when you browse to your website by yourself, so this only happens when surfing from Google. Probably the writer of this malware had some strategy for this (because now outside website vulnerability scanners won't find it, as they're scanning your website directly, not through Google).

Side note: Abuse email sent to that redirect IP (origin .UA). Hopefully they will take down this server. But still you are mainly responsible for this problem.
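The capture above shows the classic cloaking pattern: the server answers a direct request normally and only emits an off-site 302 when the request carries a search-engine Referer, which is why the site owner and ordinary scanners never see it. The following is an added example (not code from the thread or from Experts Exchange) that a site owner or hosting admin can run to reproduce that comparison: it fetches the page once with no Referer and once with a constructed Google click-through Referer, and reports whether an off-host redirect appears only in the second case. `replay_fetch` is a constructed stand-in that replays the captured 302 offline; `http_fetch` does the real request.

```python
# Added example (not from the thread): does the site redirect off-host only when the
# request carries a search-engine Referer, as in the capture above?
import urllib.error
import urllib.request
from urllib.parse import urlparse

def header(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name), None)

def is_offsite_redirect(status, headers, site_host):
    """True for a 3xx whose Location points at a different host than the site."""
    if not 300 <= status < 400:
        return False
    target = urlparse(header(headers, "location") or "").hostname
    return target is not None and target.lower() != site_host.lower()

def http_fetch(url, extra_headers):
    """Real fetcher: (status, headers) via urllib, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as HTTPError instead of following it
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **extra_headers})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def check_cloaked_redirect(url, fetch=http_fetch):
    """Fetch directly and with a constructed Google click-through Referer; compare."""
    host = urlparse(url).hostname
    referer = "http://www.google.com/url?url=" + url  # constructed, mirrors the capture
    direct = fetch(url, {})
    via_search = fetch(url, {"Referer": referer})
    direct_off = is_offsite_redirect(*direct, host)
    search_off = is_offsite_redirect(*via_search, host)
    return {"direct_redirect": direct_off, "search_redirect": search_off,
            "cloaked": search_off and not direct_off,
            "location": header(via_search[1], "location")}

# Constructed offline replay of the captured behaviour: a Google Referer gets the
# captured 302, any other request gets a plain 200. Location copied from the capture.
CAPTURED_LOCATION = "http://82.118.18.238/?80&source=csquaredsystems.com"

def replay_fetch(url, extra_headers):
    ref_host = urlparse(extra_headers.get("Referer", "")).hostname or ""
    if "google." in ref_host:
        return 302, {"Location": CAPTURED_LOCATION, "Server": "Microsoft-IIS/7.5"}
    return 200, {"Content-Type": "text/html; charset=UTF-8"}
```

Running `check_cloaked_redirect(url)` against a live site uses `http_fetch`; a result with `cloaked` set is the evidence to hand to the hosting provider along with the offending `location`.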

 

Author Comment

by:Domenic DiPasquale
ID: 40562217
Our website is hosted by someone else, so I'm assuming the issue is on their end?
 

Author Comment

by:Domenic DiPasquale
ID: 40562219
Also, what utility did you use to get this result?
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562221
Of course, I thought you were in charge. The person in charge of the website is responsible, yes.

I used Wireshark, luckily it wasn't encrypted though, otherwise I might still be searching for the problem. Just copy and forward what I posted to the webserver admin or webmaster.
 

Author Comment

by:Domenic DiPasquale
ID: 40562262
Thank you for your help, I've forwarded the information to the web server admin.