OT - site hacked - ping the regulars

  • Question

  • One way or another my ownertrades.com site got hacked. I contacted Arvixe and they responded in a timely manner (yes, it's true) and said they would be happy to fix it, so we will see.

    The situation is that there is some JavaScript that I cannot see that runs when a search result link is clicked. So if you for example google "ownertrades" you come up with a warning that the site may be hacked, and if you click on one of the links, it takes you to a site selling sunglasses or sporting goods or whatever. Don't test that -- Malwarebytes blocks a malicious website in the process.

    I cannot see the code that is running; re-uploading a new affected page does no good. And the weird thing is if I go directly to the page, there is no problem. The redirecting only happens when one tries to go to the page by clicking on a search result link.

    Anyone have experience with this? I assume Arvixe will fix it, and in the meantime I am reading up on it courtesy of Google, but one thing I would like to understand is how I could myself manage to see and remove the offending JavaScript code. And of course, I would like to understand how this could happen. And why the heck would anyone target such a low traffic site in the first place?

    Geez.


    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls


    • Edited by ClarkNK Sunday, April 17, 2016 12:16 PM typo
    Sunday, April 17, 2016 12:14 PM

All replies

  • I have subsequently found and removed an unauthorized user, plus an html file, an asp file, and several php files that were in my root directory. That's part way there.

    Now anyone clicking on a search link gets a 404 error, while for anyone going directly to a site page everything works normally.

    First step by Arvixe was to ask me for a screenshot of my error -- this after I told them that anyone clicking on a search result link is redirected to a different website. Hope they eventually give real assistance, and have an idea how this happened in the first place.

    More Geez.


    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    Sunday, April 17, 2016 1:49 PM
  • Hi Clark:

    This happened to me with a client site at Arvixe. Somehow a .php file (written in a foreign language) had been added to the site and was picked up by the search engines as the site's home page. I logged into the site using Arvixe's File Manager and deleted the file. It did take a while for the search engines to notice and reindex the site. 


    ~ Kathleen Anderson


    Spider Web Woman Designs


    Sunday, April 17, 2016 1:57 PM
  • You may also want to do a search for: Google redirect virus, if it happens with other sites too.


    Expression Web MVP

    Sunday, April 17, 2016 4:40 PM
  • I just did a Bing search on "Free Marriott Exchange" and the result is here

    The second one, for "Oakley Military and Government sales", comes up as a link to one of my ownertrades.com pages, so the Bing search engine thinks the Oakley stuff is part of my site.

    Of course, all links now lead to a 404 error.

    Maybe you are suggesting that waiting until the search engines come around again will fix things since I deleted the offending files?  At least the ones I could find ---



    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    Monday, April 18, 2016 3:11 AM
  • Hmm -- that seems to be a virus that redirects to Google or Google-like sites, which is not what is happening.

    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    Monday, April 18, 2016 3:15 AM
  • I found a few more php and asp files on the live site and deleted them.

    I also found a web.config file in the cgi-bin folder of the root directory. Such a file does not exist on my local site, and it has something to do with IIS; it could be something necessary for the live site, I don't know.

    Can anyone tell me what this file does? I am wondering if it is part of the problem. Here is the code:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <handlers accessPolicy="Read, Execute, Script" />
        </system.webServer>
    </configuration>


    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    Monday, April 18, 2016 12:02 PM
  • That lets script files in that folder be read and executed.   It's required if you are using any cgi scripts, which would be in that cgi-bin folder if you were.


    Kathleen Wilber
    BrightWillow - ASP.NET applications

    Monday, April 18, 2016 3:01 PM
  • Hmm -- that seems to be a virus that redirects to Google or Google-like sites, which is not what is happening.

    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    There are several versions of it IIRC.

    Expression Web MVP

    Monday, April 18, 2016 5:40 PM
  • OK guys, everyone has been very helpful, and I think I have finally got it fixed.

    I removed that scripts statement because I don't use any cgi scripts.

    And I found a redirecting thingy in the system.web section of my web.config file that I deleted, along with all the assorted php and asp files etc. sprinkled through the site.

    So now when someone Googles to find my site, the remaining thing is to get rid of the "this site may be hacked" warning, which will obviously keep people from clicking the link (which now works as it should). I have done what Google says to do, so hopefully they will re-crawl the site soon and that should be that.

    I still am asking Arvixe if their server has been compromised -- I mean how did someone get themselves listed as a user with admin privileges in the first place?? And just in case, I made the password for access to the control panel a whole lot harder!!

    By the way, Arvixe has responded several times to the ticket, although they were not part of the solution. That was between this, an asp.net group, a Google group, and me.

    Thank you everyone.


    ClarkNK AKA HomePage Doctor
    Database Tutorials Using ASP.NET Controls

    Monday, April 18, 2016 9:18 PM
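
An added example, not part of any post in this thread and not code from the posters or the host: one way to do the cleanup described above systematically is to download the live site and compare it with the local copy, listing files that exist only on the server, files whose content differs, script types the site never ships, and `web.config` elements worth reading by hand. The extension set, the list of config element names and the sample trees are assumptions constructed for illustration; the thread does not say which element held the redirect.

```python
import hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SCRIPT_EXT = {".php", ".asp"}  # assumption: types this ASP.NET site never ships
REVIEW = {"httpRedirect", "rewrite", "urlMappings", "httpModules", "httpHandlers"}  # assumption

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def review_config(path):
    """List config elements to inspect by hand; malformed XML is reported, not raised."""
    try:
        elements = list(ET.parse(path).iter())
    except ET.ParseError as err:
        return [f"unparseable: {err}"]
    flagged = [f"<{el.tag}>" for el in elements if el.tag in REVIEW]
    return flagged + [f"handlers accessPolicy={el.get('accessPolicy')}" for el in elements
                      if el.tag == "handlers" and "Script" in el.get("accessPolicy", "")]

def audit(live_root, good_root):  # live = downloaded copy of the site, good = local copy
    live, good = snapshot(live_root), snapshot(good_root)
    return {
        "extra": sorted(p for p in live if p not in good),
        "changed": sorted(p for p in live if p in good and live[p] != good[p]),
        "script_type": sorted(p for p in live if Path(p).suffix.lower() in SCRIPT_EXT),
        "config": {p: review_config(Path(live_root, p))
                   for p in sorted(live) if p.lower().endswith("web.config")},
    }

def build_sample():
    """Constructed sample: a clean local tree and a tampered live tree."""
    good, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    clean = "<configuration><system.web /></configuration>"
    tampered = "<configuration><system.web><urlMappings /></system.web></configuration>"
    cgi = ('<configuration><system.webServer><handlers accessPolicy="Read, Execute, Script" />'
           '</system.webServer></configuration>')
    trees = {good: {"default.aspx": "home", "web.config": clean},
             live: {"default.aspx": "home", "web.config": tampered,
                    "x1.php": "constructed", "cgi-bin/web.config": cgi}}
    for root, files in trees.items():
        for rel, text in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(text)
    return live, good

if __name__ == "__main__":
    print(audit(*build_sample()))
```

A flagged element is a prompt to read that part of the file, not proof of tampering; anything under "extra" or "changed" that was not deployed on purpose is what needs explaining.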
  • Hi Clark,

    If you don't already have it, you need to sign up for Google console (formerly Google webmaster tools). The Console provides all types of information about your site. Here is a link which will both take you to Google console, and provide you with information on how to fix hacked sites.

    https://www.google.com/webmasters/#?modal_active=none

    Best,

    Peter

    Friday, May 6, 2016 5:41 AM