Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Users / Clients getting redirected when attempting to access out website.

Posted on 2015-01-21
7
Medium Priority
?
284 Views
Last Modified: 2015-01-21
When someone does a Google search for our company, and tries to access our website, the user is redirected to a Adware/Malware site. I've check my DNS records (both internal and domain host) to make sure they were not compromised. If you simply enter the address into any web browser, the web site appears with no issues, it only happens when you do a Google search. I also test the search using Bing, but I'm not redirected to a random site. Any thoughts where I can look next? My website does not reside on my network, but hosted by a vendor. Thank you for your time.
0
Comment
Question by:Domenic DiPasquale
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 36

Expert Comment

by:Kimputer
ID: 40562138
Sadly, you need to give use the google search, the returning results, and the real website's url, so we have more details to investigate.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562180
http://www.csquaredsystems.com
Google Search: c squared systems
Search resultNote: If I disable TM, it will redirect you to a downloading site, prompting me to update my flash player (which is obviously malware).
0
 
LVL 36

Accepted Solution

by:
Kimputer earned 2000 total points
ID: 40562202
Fact: www.csquaredsystems.com is your server
Fact: www.csquaredsystems.com resolves to  69.63.155.109
Fact: this conversation was captured talking to said IP address:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2) Presto/2.12.388 Version/12.17
Host: www.csquaredsystems.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://www.google.nl/url?url=http://www.csquaredsystems.com/&rct=j&q=&esrc=s&sa=U&ei=oc6_VM2NBIeCPa76gdgE&ved=0CBcQFjAA&sig2=rJazkRDq4EL-1BG0fxWS_w&usg=AFQjCNEUUiJnOedT6Lqf6f_-TMWc0-o7KA
Cookie: PHPSESSID=ut33rts52pi8cp81vdqg38jks3; devicePixelRatio=1; _gat=1; _ga=GA1.2.452909716.1421856593
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 16:13:39 GMT
Content-Length: 178

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://82.118.18.238/?80&source=csquaredsystems.com">here</a></body>

Hence, you should check out your own server. Interestingly, it doesn't happen when you browse to your website by yourself, so this only happens when surfing from google. Probably the writer of this malware had some strategy for this (because now outside website vulnerability scanners won't find it, as they're scanning your website directly, not through google)

Side note: Abuse email sent to that redirect IP (origin .UA). Hopefully they will take down this server. But still you are mainly responsible for this problem.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 

Author Comment

by:Domenic DiPasquale
ID: 40562217
Our website is hosted by someone else, so I'm assuming the issue is on there end?
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562219
Also, what utility did you use to get this result?
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 40562221
Of course, I thought you were in charge. The person in charge of the website is responsible, yes.

I used Wireshark, luckily it wasn't encrypted though, otherwise I might still be searching for the problem. Just copy and forward what I posted to the webserver admin or webmaster.
0
 

Author Comment

by:Domenic DiPasquale
ID: 40562262
Thank you for your help, I've forwarded the information to the web server admin.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question