  1. #1
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8

    URL within my website was/is redirecting to spam [ColdFusion]

    Hi,

    I noticed the other day, and I don't know how long this has been happening for, that a URL within my website is re-directing to some Armani Suit site!!

    Nothing to do with me and nothing to do with our product/services.

    I understand how to re-direct a website, but for that I need access to the hosting server or at least FTP.

    What is happening is if you go to www.example.com/images/icons/index.cfm you are re-directed to an Armani suit page. But I have not set this up, my developer says that he has not done this. And I have asked him to check the server and he says no one has hacked it.

    And I ran scans of site to check for malware etc. nothing....

    So how can this happen?

    Unless I am being naive, and the developer is pulling a fast one!!

    I have posted the URL with Google's 'De-index' and this they have confirmed has been removed from their index. Any help or advice would be most appreciated. As I would love to get to the bottom of this or get a better idea of how it could have happened.

    Many thanks in advance

  2. #2
    Life is not a malfunction
    TechnoBear
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,159
    Have you had a sudden spate of visitors requesting that URL? It doesn't look like one I can imagine anybody actually entering, so it wouldn't seem to be very effective as a hack, but who knows?

    I know your developer says the site hasn't been hacked, but if you didn't set this up, and he didn't set this up, who else is left? Does anybody else have access? I had three sites hacked some time ago. Two of them had directories added, but the third had files added to the cgi-bin, which I wouldn't have noticed, had I not been scrutinising all my sites closely.

  3. #3
    SitePoint Author
    wwb_99
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,629
    No idea what kind of site you've got, but if you have something where users can post comments and such, they could easily set up some sort of XSS attack and use JavaScript to redirect a browser.

    I would use something like wget or httpie to get the source and see what is going on first.

  4. #4
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Hi,

    Many thanks for the response. The website is developed using ColdFusion, and there are no comments facilities.

    As for using wget or httpie I don't know what these are, as this is all new to me help

  5. #5
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    They are small command line utilities that will fetch a file on the web without any of the code in it being 'active' as it would be when directly accessing it via a browser.
    By viewing the source of the fetched file you can check whether the redirect is being performed by JavaScript injected into the page or by other means, which will help you track down the root cause of the issue.

  6. #6
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Ok thanks I will get our developer to install on server to check the URL that is hacked...

  7. #7
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    You don't have to install on a server, you can run from your own desktop

  8. #8
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Hi my developer has completed the check using wget

    And this is the result when tested and the aforementioned URL

    C:\Program Files (x86)\GnuWin32\bin>wget http://mywebsite.co.uk/images/icons/index.cfm
    SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
    syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
    --2014-02-11 13:50:51-- http://mywebsite.co.uk/images/icons/index.cfm
    Resolviendo mywebsite.co.uk... 194.150.253.106
    Connecting to mywebsite.co.uk|194.150.253.106|:80... conectado.
    Petición HTTP enviada, esperando respuesta... 301 Moved Permanently
    Localización: http://www.mywebsite.co.uk [siguiendo]
    --2014-02-11 13:50:52-- http://www.mywebsite.co.uk/
    Resolviendo www.mywebsite.co.uk... 194.150.253.106
    Connecting to www.mywebsite.co.uk|194.150.253.106|:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: no especificado [text/html]
    Saving to: `index.html.1'
    [ <=> ] 29.729 22,8K/s in 1,3s
    2014-02-11 13:50:57 (22,8 KB/s) - `index.html.1' saved [29729]

    C:\Program Files (x86)\GnuWin32\bin>

    So I don't know what any of this means, I have changed the URL and IP address only.

    As for whether it was an effective hack or not, the idiot who has done this has created several hundred back links to the URL which has been picked up by Google, which has created merry hell, as we had a partial notice already!!!

    So although I would love to know how and why and by whom this has happened, my main concern is getting the sh1te back links removed. And get back to concentrating on getting the back links I know were bad in the first place

    Such is life though!!!

    The google element and bad back links is not really anything to do with this forum post, so sorry for taking my quest for help slightly away from the hacking element...Any further help with the hacking would be most appreciated.

  9. #9
    Life is not a malfunction
    TechnoBear
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,159
    dklynn has posted instructions for recovering from a hack: http://www.sitepoint.com/forums/show...=1#post5324870

    I wouldn't worry too much about Google. Sort out the site, get it cleaned up and then submit a reconsideration request through Webmaster Tools. Explain the site was hacked and the steps you've taken to clean it up. Only one of my three hacked sites had been picked up by Google (it happened while I was away, with no Internet access) but they acted quickly on the reconsideration and there were no lasting ill-effects.

  10. #10
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Hi Thanks,

    I have been through all that, and I still cannot find how, why, what this idiot did...or whoever it was. I mean I am not interested in the Why, just the how.

    As for Google, apart from the Partial Notice, I know and will be getting a reconsideration for the spam links to the hacked page. I have already got the hacked page removed from Google Index.

    Regards

    Rob

  11. #11
    Life is not a malfunction
    TechnoBear
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,159
    Two of my sites were hacked via FTP. When I looked at the logs, there had been access from an IP address that wasn't mine. I never did find out how the third one was accessed. I subsequently changed hosting company, as I discovered the hosts I was with were useless when it came to security, and basically not interested in the problem.

  12. #12
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Originally Posted by TechnoBear:
        Two of my sites were hacked via FTP. When I looked at the logs, there had been access from an IP address that wasn't mine. I never did find out how the third one was accessed. I subsequently changed hosting company, as I discovered the hosts I was with were useless when it came to security, and basically not interested in the problem.

    That sounds familiar

  13. #13
    Life is not a malfunction
    TechnoBear
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,159
    Off Topic:

    Originally Posted by wood1e2:
        That sounds familiar

    Then you definitely have my sympathy.

    The hosting company kept insisting the problem was at my end, because there couldn't be anything wrong at their end - so I'm afraid I took a rather grim delight in the fact that they were hacked a couple of months later.

  14. #14
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    Originally Posted by wood1e2:
        Saving to: `index.html.1'
        [ <=> ] 29.729 22,8K/s in 1,3s
        2014-02-11 13:50:57 (22,8 KB/s) - `index.html.1' saved [29729]

        So I don't know what any of this means,

    You've saved an HTML page that is being output by the server side script. You can now open this with an editor and look at the code to see whether the redirection is being performed by JavaScript. This will help work out where the flaw in your site is.

  15. #15
    SitePoint Member
    Join Date
    Mar 2009
    Posts
    8
    Originally Posted by EastCoast:
        You've saved an HTML page that is being output by the server side script. You can now open this with an editor and look at the code to see whether the redirection is being performed by JavaScript. This will help work out where the flaw in your site is.

    I have just downloaded, and the contents of the file are as I posted previously.

    Unfortunately I do not have direct access, so I can only presume the developer ran wget correctly.

  16. #16
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,551
    What you posted before is what the command line prompt has output, not the content of the downloaded file.
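
The check discussed in posts #5, #14 and #16 (fetch the page without a browser, then inspect the response itself rather than the console output), as an added example that is not part of the original thread. The names `classify_redirect`, `fetch_raw` and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*?url=([^\"'>\s]+)", re.I)
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.(?:replace|assign)\(\s*[\"']([^\"']+)[\"']", re.I)

def classify_redirect(status, headers, body):
    """Return (mechanism, target) pairs found in a single HTTP response."""
    findings = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        findings.append(("http-header", location))  # redirect sent by the server
    for match in META_REFRESH.finditer(body):
        findings.append(("meta-refresh", match.group(1)))
    for match in JS_REDIRECT.finditer(body):
        findings.append(("javascript", match.group(1) or match.group(2)))
    return findings

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def fetch_raw(url, user_agent="Mozilla/5.0"):
    """Fetch one response without following redirects or running scripts."""
    opener = urllib.request.build_opener(NoFollow)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        response = opener.open(request, timeout=10)
    except urllib.error.HTTPError as err:
        response = err  # error responses still carry status, headers and body
    body = response.read().decode("utf-8", "replace")
    return response.code, dict(response.headers), body

# Constructed sample responses (not taken from the site in the thread).
SAMPLES = {
    "header": (301, {"Location": "http://www.example.com/"}, ""),
    "meta": (200, {}, '<meta http-equiv="refresh" content="0; url=http://spam.example/">'),
    "script": (200, {}, '<script>window.location.href = "http://spam.example/suits";</script>'),
    "clean": (200, {}, "<html><body><h1>Icons</h1></body></html>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(name, classify_redirect(status, headers, body))
```

Against a live URL, `classify_redirect(*fetch_raw(url))` reports the first hop only, so a `http-header` result should be followed by a second call on the reported target.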

  17. #17
    SitePoint Member
    Join Date
    Jul 2014
    Posts
    1
    Wood1e2: Were you able to figure out what was going on here? Having a similar issue.

