Hacked site, anyone seen this before?

There is a site I found that's been hacked; the owners are trying hard to find where or what the problem might be but have so far found absolutely nothing.

What happens is that sometimes when you visit the site, you get redirected to a hacker's site, which then tries to install a trojan.

It doesn't happen all the time. For example, when I visited the site just now it was fine, but when someone from Canada visited the site they got redirected (his virus program detected and stopped the trojan).

So it's some sort of geo-targeting exploit, but where and how?

Anyone heard of anything like this?

Re: Hacked site, anyone seen this before?

bjorn - it's not likely to be geo IP since it did the same thing to me. And I have seen this happen to a bunch of people. Some had it happen through a script they were using (look on adx to see what I'm talking about) and some were done through keystroke loggers or other issues on the webmaster's side. Or perhaps their host wasn't fast getting important security updates installed.

Re: Hacked site, anyone seen this before?

Could it be a DNS exploit? There was an issue a month or so ago about "DNS cache poisoning". Basically hackers can change the cache on intermediate DNS servers and redirect people to other sites…

Re: Hacked site, anyone seen this before?

Is it a series of code at the bottom of the page?

Re: Hacked site, anyone seen this before?

From the sound of it, DNS poisoning may be the most likely culprit. If one of the nameservers is corrupted and the other is not, some people will be hitting the correct site and some will hit the corrupt site.

Easy and cheap way to check is to get a free DNS account at zoneedit.com, point DNS to wherever the server is now, and then change DNS in the registrar to Zoneedit. If the problem goes away, it was cache poisoning.

Re: Hacked site, anyone seen this before?

I had this happen to my sites almost a year ago. Mine was a short special iframe that contained a redirect code inserted by a hacker to redirect my traffic to his or to a sponsor site for which he was the affiliate. He installed his iframes and scripts by using a malicious keylogger and then with free access to my domain(s) had a good time installing scripts at will. Many of these he installed had delays in them giving me a sense that he had missed that particular site, when in fact it was just a longer deceptive delay.

Re: Hacked site, anyone seen this before?

Definitely sounds like DNS to me. I have seen a problem with a large host about a year back when pretty much every domain hosted on this host's name servers was affected.

I never spent the time to work out what was going on, but someone made some cash off that one.

Re: Hacked site, anyone seen this before?

First thing I would check is the server; this sounds more like a rootkit than a DNS exploit. Have the hosting company do rootkit scans and security sweeps, check everything - especially temp files or any folder that has 777 permissions. Also make sure you check for hidden files.
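The two checks suggested in this thread (look for injected hidden iframes like the one described a few posts up, and look for hidden or world-writable paths) can be scripted. This is an added example, not code from anyone in the thread; the zero-size/invisible iframe heuristic and the sample web root it builds are my own constructions.

```python
import os
import re
import stat
import tempfile

# Hypothetical heuristic (not from the thread): an iframe sized to zero pixels
# or styled invisible is a common shape for an injected redirect.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)

def find_hidden_iframes(html: str) -> list:
    """Return every iframe tag in html that is zero-sized or styled invisible."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(html)]

def audit_webroot(root: str) -> dict:
    """Walk a web root and report dot-files, world-writable paths (777 and
    friends) and HTML/PHP files that carry a hidden iframe."""
    report = {"hidden": [], "world_writable": [], "iframes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if name.startswith("."):
                report["hidden"].append(path)
            if os.stat(path).st_mode & stat.S_IWOTH:
                report["world_writable"].append(path)
            if name.lower().endswith((".html", ".htm", ".php")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if find_hidden_iframes(fh.read()):
                        report["iframes"].append(path)
    return report

def build_sample_root() -> str:
    """Constructed sample web root: one clean page, one page with an injected
    zero-size iframe, one dot-file and one 777 upload folder."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "clean.html"), "w") as fh:
        fh.write("<html><body><p>Welcome</p></body></html>\n")
    with open(os.path.join(root, "infected.html"), "w") as fh:
        fh.write('<html><body><p>Welcome</p>\n<iframe src="http://example.invalid/r"'
                 ' width="0" height="0"></iframe></body></html>\n')
    with open(os.path.join(root, ".cache_bak"), "w") as fh:
        fh.write("not a cache\n")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root

if __name__ == "__main__":
    for key, paths in audit_webroot(build_sample_root()).items():
        print(key, paths)
```

Run it against a copy of the real document root rather than the sample; anything it flags still needs a human to confirm, since legitimate sites also use dot-files and occasionally zero-size frames.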

Re: Hacked site, anyone seen this before?

I think I found the problem. It's real nasty… So if anyone gets the same, here is an explanation of what it is:

http://johnmu.com/hack-hidden-redirect/

Re: Hacked site, anyone seen this before?

[QUOTE=gaydemon;20753]I think I found the problem. It's real nasty… So if anyone gets the same, here is an explanation of what it is:

http://johnmu.com/hack-hidden-redirect/[/QUOTE]

Wow! You must have really dug around for that one! Sounds pretty close to home. Seems like a monster to detect it if you ever get something like that on your server.

Re: Hacked site, anyone seen this before?

Yes, I'm glad it's not me with the problem. I think it really came down to an insecure server which had not been patched up and upgraded when it should have been.

Re: Hacked site, anyone seen this before?

As I thought, a server exploit. I have seen this once in the past, when a potential client asked me what was going wrong with their traffic on their existing self-managed server. I looked at the currently running programs on his server and found certain temp files were being accessed repeatedly. I then checked the temp files and found references to bizarre system files, which I checked and found to be redirecting all search engine traffic for his entire server! As they were system files, they ran as hidden plus they were impossible to delete. When a server gets this rooted, the only way to recover is a complete rebuild and re-upload of known good files.

Let this be a lesson, if you are not technical, do not use a self-managed server. Go with a fully managed hosting provider that locks down your server and keeps it updated and secured.

Re: Hacked site, anyone seen this before?

Yup, couldn't be more right. :)

I think that's how they are sorting out the issue, rebuilding a new server.

Plus security is so important, hacking happens more often than people might realize.

[quote=HunkMoneyLuke;20793]As I thought, a server exploit. I have seen this once in the past, when a potential client asked me what was going wrong with their traffic on their existing self-managed server. I looked at the currently running programs on his server and found certain temp files were being accessed repeatedly. I then checked the temp files and found references to bizarre system files, which I checked and found to be redirecting all search engine traffic for his entire server! As they were system files, they ran as hidden plus they were impossible to delete. When a server gets this rooted, the only way to recover is a complete rebuild and re-upload of known good files.

Let this be a lesson, if you are not technical, do not use a self-managed server. Go with a fully managed hosting provider that locks down your server and keeps it updated and secured.[/quote]

Re: Hacked site, anyone seen this before?

This is not what I wanted to read first thing on a beautiful Monday morning.

Son of a bitch. Fucking hackers.