Weird: Google search result for my site leads to virus-installing fake site

[omarfilip]

Got a note from a member of a forum hosted on my dedicated server today - he said that the result of a search for "glastarnet" takes him to a fake site that tries to install anti-virus software. (Glastarnet.org is my site.)

I tried it from my PC and my Mac and sure enough, clicking on the very legitimate-looking link redirects me to scanner-promain.com where it attempts to install stuff but is blocked by my anti-virus software.

The odd thing is that Google's cache is ok. Even hovering over the link shows the correct address in the status bar in Firefox, but clicking it redirects me to scanner-promain.com/2009/9/freescan.php?aid=880147

So now I'm puzzled. Is Google's db infected with this fake redirect?

The attack originates from scanner-promain.com (84.16.252.73, 80)

Any guidance on what, if anything I can do about this would be appreciated.

Thanks!

[Matt]

I've never seen that before but it leads me to belive the forum script has been cleverly compromised. Have you tried a fresh install of the software and imported the DB? It seems to me like there is something in the script that looks for a referrer as google and when it sees that it redirects the browser. The for everyday you and me that access the site via typing the domain it looks like a regular old forum.

Thats where I would start and see what happens.

[omarfilip]

After posting here I did some reading and stumbled upon various reports aboud DNS poisoning at Google and some other search engines. Any thoughts on this?

[omarfilip]

Even though hovering over the Google search result shows the correct link in the status bar, this is the actual URL:

HTML Code:

ttp://www.google.com/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fwww.glastarnet.org%2F&ei=slOySLO8E5y0iAHX56iEDw&usg=AFQjCNGcA7WfwmK_Er8Ub_uJtoR-9JzGTA&sig2=B5meRTfXsaDY2vVd26kOsg

So it may be possible that Google's DNS or whatever has been altered.

[Matt]

When I hover over the link to the site and right-click the option to save the url to my clipboard it saves the correct URL which is why I think it has to do with the script seeing the referrer of this site. I suppose it would be best to ask google on it if you don't want to re-install the software to find out.

[omarfilip]

Really, you don't get the long URL like I posted above? I had to omit the "H" at the begining so this forum wouldn't parse the link.

[omarfilip]

Another question: If you go tho the cached version and click on any of the forum links you are taken to a regular forum page even though you are technically being referred from Google. No?

[omarfilip]

Firefox is the only browser which shows the long URL like I posted above. Opera, IE and Safari show the short correct URL.

[Matt]

I'd suggest and upgrade of the script, PHPBB 2 has more holes in it than swiss cheese. In the worst case you'd be doing yourself a favor by upgrading to v3 who has newer code and is being maintained. And in the best case you would get rid of this issue.

Let us know what google has to say about it but I am certain they will say the same thing, as a matter of fact, I am not sure it is even google I think the script is taking any referrers and redirecting them.

Check it out:
GlastarNet: Glastar and Sportsman Forum :: Index

This forum is set to rewite the URL to use the page title instaed, but the only thing I have in the source for this post is

Code:

http://www.glastarnet.org/

and as you can see it happens from a link here as well. Now type the url in your instant messenger or address bar directly and it loads fine.,,,

[omarfilip]

Well, that's odd. Your link produces the same redirect as Google, but the link for Glastarnet on Cool Airplane :: Building the GlaStar works normally. Do you get the same result?

I'm stuck with v2 until there is a Mail2Forum plugin for v3. It's essential for us.