Solved

Users / Clients getting redirected when attempting to access our website.

Posted on 2015-01-21
Last Modified: 2015-01-21
When someone does a Google search for our company and tries to access our website, the user is redirected to an Adware/Malware site. I've checked my DNS records (both internal and domain host) to make sure they were not compromised. If you simply enter the address into any web browser, the web site appears with no issues; it only happens when you do a Google search. I also tested the search using Bing, but I'm not redirected to a random site. Any thoughts where I can look next? My website does not reside on my network, but is hosted by a vendor. Thank you for your time.
Question by:Domenic DiPasquale
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562138
Sadly, you need to give us the Google search, the returned results, and the real website's URL, so we have more details to investigate.
 

Author Comment

by:Domenic DiPasquale
ID: 40562180
http://www.csquaredsystems.com
Google Search: c squared systems
Search result

Note: If I disable TM, it will redirect you to a downloading site, prompting me to update my Flash player (which is obviously malware).
 
LVL 35

Accepted Solution

by: Kimputer (earned 500 total points)
ID: 40562202
Fact: www.csquaredsystems.com is your server
Fact: www.csquaredsystems.com resolves to 69.63.155.109
Fact: this conversation was captured talking to said IP address:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2) Presto/2.12.388 Version/12.17
Host: www.csquaredsystems.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://www.google.nl/url?url=http://www.csquaredsystems.com/&rct=j&q=&esrc=s&sa=U&ei=oc6_VM2NBIeCPa76gdgE&ved=0CBcQFjAA&sig2=rJazkRDq4EL-1BG0fxWS_w&usg=AFQjCNEUUiJnOedT6Lqf6f_-TMWc0-o7KA
Cookie: PHPSESSID=ut33rts52pi8cp81vdqg38jks3; devicePixelRatio=1; _gat=1; _ga=GA1.2.452909716.1421856593
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: http://82.118.18.238/?80&source=csquaredsystems.com
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.0
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 16:13:39 GMT
Content-Length: 178

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://82.118.18.238/?80&source=csquaredsystems.com">here</a></body>

Hence, you should check out your own server. Interestingly, it doesn't happen when you browse to your website by yourself, so this only happens when surfing from Google. Probably the writer of this malware had some strategy for this (because now outside website vulnerability scanners won't find it, as they're scanning your website directly, not through Google).

Side note: Abuse email sent to that redirect IP (origin .UA). Hopefully they will take down this server. But still you are mainly responsible for this problem.
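The accepted answer shows why a direct scan misses this: the server only issues the 302 when the request carries a search-engine Referer. The following is an added example (not code from the thread or from the site's vendor) that a webmaster can run offline against two raw responses, one fetched directly and one fetched with a Google Referer, to flag a referer-conditional redirect to an off-site host. The sample responses are constructed from the headers quoted above; the function and variable names are assumptions.

```python
from urllib.parse import urlparse
import ipaddress

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: the 302 captured in the thread (headers only, body omitted).
REFERRED = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://82.118.18.238/?80&source=csquaredsystems.com\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Length: 178\r\n\r\n"
)
# Constructed sample: the same request sent without the Google Referer.
DIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {header: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def is_ip_literal(host):
    """True when the redirect target is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def offsite_redirect(raw, site_host):
    """Return the Location target if the response redirects away from site_host, else None."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = headers["location"][0]
    host = (urlparse(target).hostname or "").lower().removeprefix("www.")
    site = site_host.lower().removeprefix("www.")
    if host == site or host.endswith("." + site):
        return None  # same site (www. vs bare domain, or a subdomain): not suspicious
    return target

def compare_probes(direct_raw, referred_raw, site_host):
    """Flag a redirect that appears only when a search-engine Referer is sent."""
    direct = offsite_redirect(direct_raw, site_host)
    referred = offsite_redirect(referred_raw, site_host)
    ip_target = bool(referred) and is_ip_literal(urlparse(referred).hostname or "")
    return {"direct": direct, "referred": referred,
            "conditional": referred is not None and direct is None, "ip_target": ip_target}
```

A "conditional" result with an IP-literal target is the pattern in the capture above and points at the web server's own content or configuration, not at DNS.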

Author Comment

by:Domenic DiPasquale
ID: 40562217
Our website is hosted by someone else, so I'm assuming the issue is on their end?
 

Author Comment

by:Domenic DiPasquale
ID: 40562219
Also, what utility did you use to get this result?
 
LVL 35

Expert Comment

by:Kimputer
ID: 40562221
Of course, I thought you were in charge. The person in charge of the website is responsible, yes.

I used Wireshark, luckily it wasn't encrypted though, otherwise I might still be searching for the problem. Just copy and forward what I posted to the webserver admin or webmaster.
 

Author Comment

by:Domenic DiPasquale
ID: 40562262
Thank you for your help, I've forwarded the information to the web server admin.