When I search Google for my website, I enter Jonathan Wentworth Associates.
As expected, the site appears at the top of the list. When I click the URL link at the end of the entry it takes me to the site.
However, when I click on the "title" link at the top of the entry it re-routes "people" through to a different URL in seconds and to the trojan.exploit.131 Trojan. If they do not have the latest McAfee or Norton it downloads the Trojan to their computer. McAfee and Norton seem to clean it but our concern is for those who are not real savvy or as committed to keeping their virus protection software up to date.
I assume I have no control over this and it seems there is no real way to contact anyone at Google to find out how to fix this problem.
As John wrote, maybe give more details. Do you mean the results in a google.com search? I still do not understand what links you mean, which is the wrong one and which is the correct one.
You should be able to see the URL in the status bar of the browser when you hover over a link, without clicking on the link.
Is the URL pointing to the trojan malware URL from your site?
You can see the exact URLs of links in a Google search result page if you look at that page with 'view source' from your browser.
> When I search Google for my website, I enter Jonathan Wentworth > Associates.
> As expected, the site appears at the top of the list. > When I click the URL link at the end of the entry it takes me to the > site.
> However, when I click on the "title" link at the top of the entry it > re-routs "people" through to a different URL in seconds and to the > trojan.exploit.131 Trojan. If they do not have the latest McAfee or > Norton it downloads the Trojan to their computer. McAfee and Norton > seems to clean it but our concern is for those who are not real savvy > or as committed to keeping their virus protection software up to date.
> I assume I have no control over this and it seems there is no real way > to contact anyone at Google to find out how to fix this problem.
It sounds like your site was hacked. What you need to do is clean it up. Look for changes in .htaccess (or the addition of such a file in any and all folders - web.config if you are on a Windows server). Also check your cgi-bin and notify your hosting provider once you find any altered files. If you do not find any, then still contact your hosting provider so they can see what method is being used to redirect from your URLs to the malware site.
When I do a google search for Jonathan Wentworth Associates the first result is:
Jonathan Wentworth Associates, LTD Welcome to Jonathan Wentworth Associates, a respected resource for world-class orchestral soloists, conductors, opera, chamber music, chamber orchestras, ... www.jwentworth.com/ - 19k - Cached - Similar pages - Note this
The: Jonathan Wentworth Associates, LTD is highlighted and is a link to the web site. If you place the mouse over the link, it shows http://www.jwentworth.com. However, if you click the link it immediately attempts to download the trojan. My McAfee immediately blocked it.
> When I do a google search for Jonathan Wentworth Associates the first > result is:
> Jonathan Wentworth Associates, LTD Welcome to Jonathan Wentworth > Associates, a respected resource for world-class orchestral soloists, > conductors, opera, chamber music, chamber orchestras, ... www.jwentworth.com/ - 19k - Cached - Similar pages - Note this
> The: Jonathan Wentworth Associates, LTD is highlighted and is a link > to the web site. If you place the mouse over the link, it shows http://www.jwentworth.com. However, if you click the link it > immediately attempts to download the trojan. My McAfee immediately > blocked it.
> Does that help?
> Thank you
> On Aug 21, 8:50 am, kwkcae wrote:
> > When I search Google for my website, I enter Jonathan Wentworth > > Associates.
> > As expected, the site appears at the top of the list. > > When I click the URL link at the end of the entry it takes me to the > > site.
> > However, when I click on the "title" link at the top of the entry it > > re-routs "people" through to a different URL in seconds and to the > > trojan.exploit.131 Trojan. If they do not have the latest McAfee or > > Norton it downloads the Trojan to their computer. McAfee and Norton > > seems to clean it but our concern is for those who are not real savvy > > or as committed to keeping their virus protection software up to date.
> > I assume I have no control over this and it seems there is no real way > > to contact anyone at Google to find out how to fix this problem.
To repeat what Dori wrote, do not follow or check the link to that URL.
It is possible that it depends on the user agent and it is malware when the user agent is a browser and not a bot.
You have to ask your web hosting provider to check this thoroughly and remove what corresponds now on the server to this URL and to check if there is other malware.
We will see what we can find. Just as info for you we downloaded the entire site to our computer and did a virus scan and found nothing in the pages or cgi-bin materials. We also checked the page completely for redirects that could have been hidden and found nothing.
We are going to approach the web host about this.
Though we are still not sure where we are - Again thank you for all your help.
> To repeat what Dori wrote, > do not follow or check > the link to that URL.
> It is possible that it depends on the user agent > and it is malware when the user agent is a browser > and not a bot.
> You have to ask your web hosting provider > to check this thoroughly and remove what > corresponds now on the server to this URL > and to check if there is other malware.
The trojan isn't in your pages. When calling your domain, a process activates that redirects the user to an IP address which then:
1: puts up a fake McAfee screen
2: attempts to auto install the trojan
3: has a message telling users to basically "click here" to start the download to protect themselves. The download is yet another virus.
It sounds to me like you are clueless on how these things work. You need to contact your hosting provider.
> We will see what we can find. > Just as info for you we downloaded the entire site to our computer and > did a virus scan and found nothing in the pages or cgi-bin > materials. We also checked the page completely for redirects that > could have been hidden and found nothing.
> We are going to approach the web host about this.
> Though we are still not sure where we are - Again thank you for all > your help.
> kwkcae
> On Aug 21, 2:38 pm, cristina wrote:
> > To repeat what Dori wrote, > > do not follow or check > > the link to that URL.
> > It is possible that it depends on the user agent > > and it is malware when the user agent is a browser > > and not a bot.
> > You have to ask your web hosting provider > > to check this thoroughly and remove what > > corresponds now on the server to this URL > > and to check if there is other malware.
> The trojan isn't in your pages. When calling your domain, a process > activates that redirects the user to an IP address which then;
I checked the server for redirects and could not find any. There is nothing in the cgi-bin folder and there is nothing in the .htaccess file. I checked the index.html and I did not see any redirect scripts and/or Meta tags. There are no PHP files and there are no code files that I could find except for FrontPage. So I do not see how it is coming from the Web Site. I personally went to the site through the Google link and no redirect and no virus. I do get it did I miss something? I will do another scan on the system to see if there is a possible Trojan running in a process in the background.
> > The trojan isn't in your pages. When calling your domain, a process > > activates that redirects the user to an IP address which then;
> I checked the server for redirects and could not find any. > There is nothing in the cgi-bin folder and there is nothing in > the .htaccess file. > I checked the index.html and I did not see any redirect scripts and/or > Meta tags. > There are no PHP files and there are no code files that I could find > except for FrontPage. > So I do not see how it is coming from the Web Site. I personally went > to the site > through the Google link and no redirect and no virus. I do get it did > I miss something? > I will do another scan on the system to see if there is a possible > Trojan running in a > process in the background.
Holy crap! yes I just got the trojan - AVG caught it!
Very strange! It's on the official homepage link.
This means that right now the .htaccess file is hacked and it detects the referrer as Google and redirects to an ip address starting with 81. something.
Holy smokes!
Get onto your hoster pronto and demand they dehack the server NOW!
Move your site off that server and inspect every file.
It's those FrontPage extensions that are hacked, it has to be that.
> Hi tjfx, > I think you need to find out more details > from the person(s) who noticed this problem, > like their type of web browser and operating system.
> Also check with 'view source' for > the search results page > exactly what link was clicked.
> Usually the main web hosting company has good > information and experience in dealing with malware > concerning their servers.
> Cristina.
> On Aug 22, 6:08 pm, tjfx wrote:
> > > The trojan isn't in your pages. When calling your domain, a process > > > activates that redirects the user to an IP address which then;
> > I checked the server for redirects and could not find any. > > There is nothing in the cgi-bin folder and there is nothing in > > the .htaccess file. > > I checked the index.html and I did not see any redirect scripts and/or > > Meta tags. > > There are no PHP files and there are no code files that I could find > > except for FrontPage. > > So I do not see how it is coming from the Web Site. I personally went > > to the site > > through the Google link and no redirect and no virus. I do get it did > > I miss something? > > I will do another scan on the system to see if there is a possible > > Trojan running in a > > process in the background.
> This means that right now the .htaccess file is hacked and it detects > the referrer as Google and redirects to an ip address starting with > 81. something.
None of this is possible, there is no hack. If that was the case it would happen as soon as you put the link http://www.jwentworth.com into your browser. This virus or whatever you want to call it is on your system already or has something to do with Google. I have scanned the entire machine, there is nothing there to redirect you to another site. I have clicked it a thousand times and as a matter of fact the only thing inside the access file pertains to FrontPage properties. There are no scripts and there are no Meta tags within the web site content that point to or redirect you to another site. Again if that was the case it would do it regardless of using Google to get to it. If you can see the link that Google indicated on the lower left hand of your browser (before you click on it,) that would be helpful. This way we could figure out where the Google link is redirecting you to.
Back in January I saw a site that had the exact same hack on it, going to exactly the same IP address. It is most definitely a hack on the server side, you won't find it on the page, you won't find it in the htaccess.
Grab a copy of LiveHTTP headers for Firefox, leave it open and then do the search again. You'll see the above redirection. You can see how it redirects to the other site (only when a Google referrer is shown, ie the bots never see it), that site decided whether or not you get the payload and then redirects you back to your target site.
I wouldn't suggest that you just move to a different hoster just because of a hack (it can happen to anyone), it depends on how they handle it. If they can't find this and if you depend on your website, then I would at least consider moving. Who knows what else they can't find or won't find the next time?
The hack tests the referrer string. If it is Google's search results page it takes you to that nasty site. If you go to the site from anywhere else it won't take you anywhere so you will not be aware of it.
And this hacking is most probably done through an unpatched FrontPage extension exploit.
> > This means that right now the .htaccess file is hacked and it detects > > the referrer as Google and redirects to an ip address starting with > > 81. something.
> None of this is possible, there is no hack. If that was the case it > would > happen as soon as you put the link http://www.jwentworth.com into your > browser. This virus or whatever you want to call it is on your system > already or has something to do with Google. I have scanned the > entire > machine, there is nothing there to redirect you to another site. I > have > clicked it a thousand times and as a matter of fact the only thing > inside > the access file pertains to FrontPage properties. There are no > scripts and > there are no Meta tags within the web site content that point to or > redirect > you to another site. Again if that was the case it would do it > regardless of > using Google to get to it. If you can see the link that Google > indicated on the > lower left hand of your browser (before you click on it,) that would > be helpful. > This way we could figure out where the Google link is redirecting you > to.
The link was the correct link. There is nothing wrong with Google's entry for this site.
I right clicked it and copied it and pasted it in the browser. All cool.
I clicked it from the search result - wham! whisked away to a nasty site trying to install a trojan and only just caught by AVG. Had some fun trying to close windows on it too. Oh and it's not javascript, nor meta refresh, I had turned those off. So it is a server-side redirection.
> On Aug 23, 12:28 am, tjfx wrote:
> > > This means that right now the .htaccess file is hacked and it detects > > > the referrer as Google and redirects to an ip address starting with > > > 81. something.
> > None of this is possible, there is no hack. If that was the case it > > would > > happen as soon as you put the link http://www.jwentworth.com into your > > browser. This virus or whatever you want to call it is on your system > > already or has something to do with Google. I have scanned the > > entire > > machine, there is nothing there to redirect you to another site. I > > have > > clicked it a thousand times and as a matter of fact the only thing > > inside > > the access file pertains to FrontPage properties. There are no > > scripts and > > there are no Meta tags within the web site content that point to or > > redirect > > you to another site. Again if that was the case it would do it > > regardless of > > using Google to get to it. If you can see the link that Google > > indicated on the > > lower left hand of your browser (before you click on it,) that would > > be helpful. > > This way we could figure out where the Google link is redirecting you > > to.
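Added example (not part of the thread and not any poster's code): the pasted-URL versus clicked-result comparison described above, automated for a site owner checking their own server. It requests the same URL with and without a search-engine Referer and with browser and crawler User-Agents, never follows redirects, and repeats each request because such redirects may not fire every time. The header values, `SITE` and the `SAMPLE` responses are constructed; 203.0.113.7 is a documentation address.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed header values; adjust to the clients you care about.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SEARCH_REF = "https://www.google.com/search?q=example"

# label -> (Referer, User-Agent): the views of the site being compared.
PROFILES = {
    "direct/browser": (None, BROWSER_UA),
    "search/browser": (SEARCH_REF, BROWSER_UA),
    "direct/bot": (None, BOT_UA),
    "search/bot": (SEARCH_REF, BOT_UA),
}


def probe(url, referer, user_agent, timeout=10):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def _site(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_offsite(url, location):
    """True when a Location header leads to a different host than url."""
    target = urlsplit(urljoin(url, location or "")).hostname
    return bool(location) and _site(target) != _site(urlsplit(url).hostname)


def survey(url, attempts=5, fetch=probe):
    """Probe every profile several times; the redirect may not fire each time."""
    return {label: [fetch(url, ref, ua) for _ in range(attempts)]
            for label, (ref, ua) in PROFILES.items()}


def findings(url, results):
    """Map each profile to the off-site redirect targets it received."""
    hits = {label: sorted({loc for status, loc in rows
                           if 300 <= status < 400 and is_offsite(url, loc)})
            for label, rows in results.items()}
    hits = {label: locs for label, locs in hits.items() if locs}
    # Conditional: some views are sent off-site while others stay clean.
    return {"offsite": hits, "conditional": 0 < len(hits) < len(results)}


# Constructed sample: only search-referred browsers are redirected, 2 times in 5.
SITE = "http://www.example.com/"
BAD = (302, "http://203.0.113.7/")
SAMPLE = {
    "direct/browser": [(200, None)] * 5,
    "search/browser": [(200, None), BAD, (200, None), BAD, (200, None)],
    "direct/bot": [(200, None)] * 5,
    "search/bot": [(301, "http://example.com/")] * 5,  # same site, not a finding
}

if __name__ == "__main__":
    print(findings(SITE, SAMPLE))
```

To check a live site, pass its URL to `survey()` and feed the result to `findings()`; a `conditional` result is the evidence to hand to the hosting provider.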
Complaining to the hoster of the malware will probably not get you very far. In January it was just a redirect to an affiliate sales page (selling a virus-scanner).
I wonder how many sites are hacked like that? I'm not sure if Google recognizes this kind of hack, but the site that I was looking at in January with the same one was banned from Google (though I don't know if it was because of the hack or because of other things).
Would you recognize a hack like that on your site?
Myself? Not unless something strange happened. I don't have access to anything above my home directory. I'd have to rely on my hoster to be on top of things. Judging by how near-paranoid they are to the point of finding lots of things impossible to do on that server (including phpinfo which has been removed), I think they'd be OK and we'd be protected ... but no I wouldn't know it until it bit me in the face.
I have had a forum hacked but it was run of the mill hacking, more insulting than anything else.
> Complaining to the hoster of the malware will probably not get you > very far. In January it was just a redirect to an affiliate sales page > (selling a virus-scanner).
> I wonder how many sites are hacked like that? I'm not sure if Google > recognizes this kind of hack, but the site that I was looking at in > January with the same one was banned from Google (though I don't know > if it was because of the hack or because of other things).
> Would you recognize a hack like that on your site?
> It's in your server binaries. When you access the site with a Google > referrer, you are redirected to a known bad page:
First I want to thank you and everyone else for their replies. I will look further into FrontPage Extensions as it is an out of date product and possibly an easier target to exploit since most hackers always aim to hack Microsoft.
I also took the liberty to do as you suggested and Downloaded LiveHTTP for FireFox. Here is what I got after I used the exact link in your message:
HTTP/1.x 204 No Content
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Content-Length: 0
Date: Thu, 23 Aug 2007 08:59:59 GMT
----------------------------------------------------------
GET /url?sa=T&ct=res&cd=1&ei=eEzNRpHYLI6meu-s6OoP
However, I do not see any re-directs nor was I ever re-directed when I went to the site using the Google links.
I am using XP and I tried it on both IE and FireFox with no redirects and/or viruses.
If FrontPage was exploited wouldn't it affect all the sites on that server and wouldn't it redirect me and others that used Google to link to the jwentworth site?
Don't get me wrong I will still have the Hosting Company look further into this matter.
tjfx, the hack isn't on Google's page but rather when you click on that link to go to your page (it would be further down in the protocol). Also, something that makes it almost impossible to track down, the hack in January did not do the redirect every time, it seemed as if it would compare IP addresses and not redirect for known addresses or perhaps only redirect say 1 time out of 5 accesses (I did not track that part down, it just wasn't every time).
Use your provider's proxy server and try to access the page again.
If you need more information for your hoster, I can log the redirect from several IPs here and send you the LiveHTTP headers output as well as a log from an Ethernet protocol analyzer (I use Ethereal). Send me a mail through my site if you're interested or if your hoster needs more information. The longer you wait, the higher your chances of Google catching it and putting you on the "stopbadware.org" black-list -- I wouldn't wait too long to get it fixed!
I hate to say this, but some of the hacks, after they infect a computer, allow you to view the site with no redirect. You may be infected. That's to trick you into thinking what was installed, saved your butt. Change all your username and passwords and use an online scanner to double check that you are not infected.
It's also possible your provider has found someone hacked the server and corrected that. Not all hacks are done at domain level (i.e. htaccess, web.config, FP extensions). Many are done at the server level. Not all hosting providers notify their customers that they've been hacked, but trust me, either your domain was hacked or the server was hacked.