
Thread: Weird: Google search result for my site leads to virus-installing fake site

  1. #1
    omarfilip's Avatar
    omarfilip is offline Nearly a Master Glow Jedi
    Join Date
    Jan 2008
    Location
    Dallas, TX
    Posts
    127

    Question Weird: Google search result for my site leads to virus-installing fake site

    Got a note from a member of a forum hosted on my dedicated server today - he said that the result of a search for "glastarnet" takes him to a fake site that tries to install anti-virus software. (Glastarnet.org is my site.)

    I tried it from my PC and my Mac and sure enough, clicking on the very legitimate-looking link redirects me to scanner-promain.com where it attempts to install stuff but is blocked by my anti-virus software.

    The odd thing is that Google's cache is ok. Even hovering over the link shows the correct address in the status bar in Firefox, but clicking it redirects me to scanner-promain.com/2009/9/freescan.php?aid=880147

    So now I'm puzzled. Is Google's db infected with this fake redirect?

    The attack originates from scanner-promain.com (84.16.252.73, 80)

    Any guidance on what, if anything, I can do about this would be appreciated.

    Thanks!

  2. #2
    Matt's Avatar
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,389


    I've never seen that before but it leads me to believe the forum script has been cleverly compromised. Have you tried a fresh install of the software and imported the DB? It seems to me like there is something in the script that looks for a referrer as Google and when it sees that it redirects the browser. Then for everyday you and me that access the site via typing the domain it looks like a regular old forum.

    That's where I would start and see what happens.
    Send your friends and site visitors to GlowHost and get $125 plus bonus!
    GlowHost Affiliate Program | Read our Blog | GlowHost's Facebook | Follow us on Twitter | GlowHost on Google+

  3. #3
    omarfilip

    After posting here I did some reading and stumbled upon various reports about DNS poisoning at Google and some other search engines. Any thoughts on this?

  4. #4
    omarfilip

    Even though hovering over the Google search result shows the correct link in the status bar, this is the actual URL:

    HTML Code:
    ttp://www.google.com/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fwww.glastarnet.org%2F&ei=slOySLO8E5y0iAHX56iEDw&usg=AFQjCNGcA7WfwmK_Er8Ub_uJtoR-9JzGTA&sig2=B5meRTfXsaDY2vVd26kOsg
    So it may be possible that Google's DNS or whatever has been altered.
    Last edited by omarfilip; 08-25-2008 at 02:43 AM.

  5. #5
    Matt

    When I hover over the link to the site and right-click the option to save the url to my clipboard it saves the correct URL which is why I think it has to do with the script seeing the referrer of this site. I suppose it would be best to ask google on it if you don't want to re-install the software to find out.
    Last edited by Matt; 08-25-2008 at 02:48 AM.

  6. #6
    omarfilip

    Really, you don't get the long URL like I posted above? I had to omit the "H" at the beginning so this forum wouldn't parse the link.

  7. #7
    omarfilip

    Another question: If you go to the cached version and click on any of the forum links you are taken to a regular forum page even though you are technically being referred from Google. No?

  8. #8
    omarfilip

    Firefox is the only browser which shows the long URL like I posted above. Opera, IE and Safari show the short correct URL.

  9. #9
    Matt

    I'd suggest an upgrade of the script; phpBB 2 has more holes in it than Swiss cheese. In the worst case you'd be doing yourself a favor by upgrading to v3, which has newer code and is being maintained. And in the best case you would get rid of this issue.

    Let us know what Google has to say about it, but I am certain they will say the same thing. As a matter of fact, I am not sure it is even Google; I think the script is taking any referrers and redirecting them.

    Check it out:
    GlastarNet: Glastar and Sportsman Forum :: Index

    This forum is set to rewrite the URL to use the page title instead, but the only thing I have in the source for this post is
    Code:
    http://www.glastarnet.org/
    and as you can see it happens from a link here as well. Now type the url in your instant messenger or address bar directly and it loads fine...
    Last edited by Matt; 08-25-2008 at 03:11 AM.

  10. #10
    omarfilip

    Well, that's odd. Your link produces the same redirect as Google, but the link for Glastarnet on Cool Airplane :: Building the GlaStar works normally. Do you get the same result?

    I'm stuck with v2 until there is a Mail2Forum plugin for v3. It's essential for us.
    Last edited by omarfilip; 08-25-2008 at 03:33 AM.
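
The comparison done by hand in this thread (typed address versus arriving from a link) can be scripted. The following is an added example, not code posted by anyone in the thread: it requests a page with no Referer as the baseline, repeats the request with each Referer, and reports any that are sent off-site. `CloakedFixture`, the sample Referers and the `.invalid` target are constructed so the demo runs locally; point `referer_conditional_redirects` at your own site to test it.

```python
import threading
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe(url, referer=None):
    """GET url once without following redirects; return (status, Location header)."""
    parts = urlsplit(url)
    conn = (HTTPSConnection if parts.scheme == "https" else HTTPConnection)(parts.netloc, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Referer": referer} if referer else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")

def referer_conditional_redirects(url, referers):
    """Flag Referers whose response differs from the typed-URL baseline and leaves the site."""
    baseline = probe(url)  # no Referer: what you get when typing the address
    findings = []
    for ref in referers:
        status, location = probe(url, ref)
        target = urlsplit(location).hostname if location else None
        if (status, location) != baseline and target not in (None, urlsplit(url).hostname):
            findings.append((ref, status, location))
    return baseline, findings

class CloakedFixture(BaseHTTPRequestHandler):
    """Constructed local stand-in: bounces only requests whose Referer mentions google."""
    def do_GET(self):
        if "google" in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://redirect-target.invalid/")
        else:
            self.send_response(200)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), CloakedFixture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % server.server_port
    refs = ["http://www.google.com/search?q=glastarnet", "http://other-site.example/links"]
    result = referer_conditional_redirects(url, refs)
    server.shutdown()
    return result

if __name__ == "__main__":
    print(demo())
```

Probing several Referers matters because, as post #10 observes, some referring sites trigger the redirect and others do not.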
