  1. #1
    Join Date
    Feb 2004

    Need Help - Very Smart Hacker!


    I'm dealing with a serious problem with many of my websites. This problem is a hack/security breach!

    The damage is killing me because the affected sites have lost their pagerank and all rankings, and some are banned by Google!

    * The hacker "redirects" the website "MySite" to a "Page" on another website.

    * The "Page" redirects to "MySite".

    A normal visitor would not notice anything, but search engine spiders do, which results in loss of rankings, pagerank and even a ban.

    * I never catch the redirects. "MySite" is always working correctly without problems.

    The hacker is doing this redirect for a few hours per day or one day per week. It's like a cron job or something!

    We are talking about 200 websites, which I can't visit daily to check whether each one is hacked with a redirect or not!

    Any ideas where to look in my VPS for such code/hack? How to track the problem?

    Any ideas are appreciated!

  2. #2
    What cms do you use in your websites ?

  3. #3
    Join Date
    Sep 2010
    Assuming you're running some form of Linux on the servers ... and you're really sure that your sites are being redirected - a few possibilities might be

    1) Redirection at the web server level (Apache - httpd.conf etc.). This kind of redirection would work on all sites.
    2) Redirection at the .htaccess file level which works for each individual directory or site if there's only one .htaccess file for the whole site... This kind of redirection would need to be implemented for each individual directory or site.

    3) Redirection at the code level... For example, in PHP something like

    header("Location: Page.php");
    die();

    and then that page.php redirects it back to the website itself.

    If you think it's been set up as a cron job, you might want to look under the hood of cron and see what kind of jobs are running...

    So you might need to check these places for any breach...

    If it's a mass redirect - that is, all 200 sites redirect - it's possible that the redirect might be at the web server level (httpd.conf) because it takes less work to do so, or possibly through an .htaccess file outside the document root (public_html, not too sure about this though)
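
A review helper for the three places listed in post #3 (server config, .htaccess files, PHP code), as an added example that is not part of the original thread. The script name and the two directory arguments are assumptions; it only lists matching lines for manual review.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: list redirect directives in the places
# post #3 names so they can be reviewed by hand. All paths are assumptions.

# Apache lines that can redirect: Redirect/RedirectMatch, or a RewriteRule with
# an absolute http(s) target or an R flag in its trailing [flags] block.
REDIRECT_RE='^[[:space:]]*(Redirect(Match|Permanent|Temp)?[[:space:]]|RewriteRule[[:space:]].*(https?://|\[([^]]*,)?R(=[0-9A-Za-z]+)?(,[^]]*)?\][[:space:]]*$))'
# PHP header("Location: ...") calls, the form shown in the post.
PHP_RE="header[[:space:]]*\\([[:space:]]*[\"']Location:"

# 1) Server level: every *.conf under the Apache config directory ($1).
scan_server_conf() {
  grep -ErinH --include='*.conf' -- "$REDIRECT_RE" "$1"
}

# 2) Per-site level: every .htaccess under the tree ($1), including ones that
#    sit above a document root.
scan_htaccess() {
  find "$1" -type f -name '.htaccess' -exec grep -EinH -- "$REDIRECT_RE" {} +
}

# 3) Code level: PHP files under the tree ($1) that send a Location header.
scan_php() {
  grep -ErinH --include='*.php' -- "$PHP_RE" "$1"
}

# Usage (hypothetical script name): ./find-redirects.sh <apache-conf-dir> <sites-root>
if [ "$#" -eq 2 ]; then
  echo "== server config ==";  scan_server_conf "$1" || echo "(none)"
  echo "== .htaccess ==";      scan_htaccess "$2"    || echo "(none)"
  echo "== PHP Location ==";   scan_php "$2"         || echo "(none)"
fi
```

Most PHP applications send legitimate Location headers, so the output is a list of lines to review, not a list of findings.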

  4. #4
    Join Date
    Nov 2002
    Portland, Oregon
    Would be great if you can supply one or two of the URLs in question.
    Some WordPress plugins have the potential for malicious redirects/SEO poisoning/clickjacking (WPPPM comes to mind) and the like. If this is occurring on multiple sites it could also be the result of a mass defacer. This will definitely need an audit....
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions

  5. #5
    Join Date
    Oct 2008
    Chicago, IL
    Sounds like you may have been hit by something like Darkleech.

    You can run: grep -r open_tty /usr/local/apache/
    to see if your apache binary has been modified (injected with malicious code). The standard apache binary does not make any calls to open_tty.

    This infection causes redirects to be injected into the requests for websites hosted on that server. Typically once a day for each IP address on the server. This sounds like what you're experiencing.

    It doesn't add malicious code to the website files. By infecting the apache binary, it redirects the requests for that website to one of many malicious websites.

    You can't just replace the binary as the hackers have probably set the file attribute on httpd to immutable. You'd have to run:

    chattr -ai /usr/local/apache/bin/httpd before you attempt to replace the binary. (check to see if that is in fact the path to your apache binary).

    Or this could be something similar to Darkleech - another malware variation called Cdorked.A

    Here is a link for remediation:

    One of these sounds like the situation you're experiencing.

  6. #6
    Join Date
    May 2008
    Cusco Perú
