URL within my website was/is redirecting to spam [ColdFusion]

Hi,

I noticed the other day, and I don’t know how long this has been happening for, that a URL within my website is redirecting to some Armani Suit site!!

Nothing to do with me and nothing to do with our product/services.

I understand how to re-direct a website, but for that I need access to the hosting server or at least FTP.

What is happening is if you go to www.example.com/images/icons/index.cfm you are redirected to an Armani suit page. But I have not set this up, and my developer says that he has not done this. I have asked him to check the server and he says no one has hacked it.

And I ran scans of the site to check for malware etc. Nothing…

So how can this happen?

Unless I am being naive, and the developer is pulling a fast one!!

I have posted the URL with Google’s ‘De-index’ and this they have confirmed has been removed from their index. Any help or advice would be most appreciated. As I would love to get to the bottom of this or get a better idea of how it could have happened.

Many thanks in advance

Have you had a sudden spate of visitors requesting that URL? It doesn’t look like one I can imagine anybody actually entering, so it wouldn’t seem to be very effective as a hack, but who knows?

I know your developer says the site hasn’t been hacked, but if you didn’t set this up, and he didn’t set this up, who else is left? Does anybody else have access? I had three sites hacked some time ago. Two of them had directories added, but the third had files added to the cgi-bin, which I wouldn’t have noticed, had I not been scrutinising all my sites closely.

No idea what kind of site you’ve got, but if you have something where users can post comments and such, they could easily set up some sort of XSS attack and use JavaScript to redirect a browser.

I would use something like wget or httpie to get the source and see what is going on first.

Hi,

Many thanks for the response. The website is developed using ColdFusion, and there are no comment facilities.

As for using wget or httpie I don’t know what these are, as this is all new to me :slight_smile: help :slight_smile:

They are small command line utilities that will fetch a file on the web without any of the code in it being ‘active’, as it would be when directly accessing it via a browser.
By viewing the source of the fetched file you can check whether the redirect is being performed by JavaScript injected into the page or by other means, which will help you track down the root cause of the issue.

Ok, thanks. I will get our developer to install it on the server to check the URL that is hacked…

You don’t have to install it on a server; you can run it from your own desktop.

Hi, my developer has completed the check using wget.

And this is the result when tested on the aforementioned URL:

C:\Program Files (x86)\GnuWin32\bin>wget http://mywebsite.co.uk/images/icons/ind
ex.cfm
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
–2014-02-11 13:50:51-- http://mywebsite.co.uk/images/icons/index.cfm
Resolviendo mywebsite.co.uk… 194.150.253.106
Connecting to mywebsite.co.uk|194.150.253.106|:80… conectado.
Petición HTTP enviada, esperando respuesta… 301 Moved Permanently
Localización: http://www.mywebsite.co.uk [siguiendo]
–2014-02-11 13:50:52-- http://www.mywebsite.co.uk/
Resolviendo www.mywebsite.co.uk… 194.150.253.106
Connecting to www.mywebsite.co.uk|194.150.253.106|:80… conectado.
Petición HTTP enviada, esperando respuesta… 200 OK
Longitud: no especificado [text/html]
Saving to: index.html.1' [ <=> ] 29.729 22,8K/s in 1,3s 2014-02-11 13:50:57 (22,8 KB/s) - index.html.1’ saved [29729]

C:\Program Files (x86)\GnuWin32\bin>

So I don’t know what any of this means, I have changed the URL and IP address only.

As for whether it was an effective hack or not, the idiot who has done this has created several hundred back links to the URL, which has been picked up by Google, which has created merry hell, as we had a partial notice already!!!

So although I would love to know how and why and by whom this has happened, my main concern is getting the sh1te back links removed, and getting back to concentrating on the back links I know were bad in the first place :slight_smile:

Such is life though!!!

The Google element and bad back links are not really anything to do with this forum post, so sorry for taking my quest for help slightly away from the hacking element… Any further help with the hacking would be most appreciated.

dklynn has posted instructions for recovering from a hack: http://www.sitepoint.com/forums/showthread.php?634630-Resources-on-web-application-security&p=5324870&viewfull=1#post5324870

I wouldn’t worry too much about Google. Sort out the site, get it cleaned up and then submit a reconsideration request through Webmaster Tools. Explain the site was hacked and the steps you’ve taken to clean it up. Only one of my three hacked sites had been picked up by Google (it happened while I was away, with no Internet access) but they acted quickly on the reconsideration and there were no lasting ill-effects.

Hi Thanks,

I have been through all that, and I still cannot find how, why, what this idiot did…or whoever it was. I mean I am not interested in the Why, just the how.

As for Google, apart from the Partial Notice, I know and will be getting a reconsideration for the spam links to the hacked page. I have already got the hacked page removed from Google Index.

Regards

Rob

Two of my sites were hacked via FTP. When I looked at the logs, there had been access from an IP address that wasn’t mine. I never did find out how the third one was accessed. I subsequently changed hosting company, as I discovered the hosts I was with were useless when it came to security, and basically not interested in the problem.

That sounds familiar :slight_smile:

[ot]

Then you definitely have my sympathy. :slight_smile:

The hosting company kept insisting the problem was at my end, because there couldn’t be anything wrong at their end - so I’m afraid I took a rather grim delight in the fact that they were hacked a couple of months later. :slight_smile: [/ot]

You’ve saved an HTML page that is being output by the server-side script. You can now open this with an editor and look at the code to see whether the redirection is being performed by JavaScript. This will help work out where the flaw in your site is.
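The two posts above (fetch the page with wget/httpie, then read the saved source to see whether the redirect is JavaScript or something else) describe a triage step that is easy to script. The example below is added here and is not code from the thread or from any of its posters. It takes a raw HTTP response (what `curl -si URL` or `wget -S --max-redirect=0 URL` would give you, so the client does not silently follow the hop) and reports which redirect mechanism is present: a server-side 3xx with a Location header (what the wget transcript in this thread actually shows), a `<meta http-equiv="refresh">`, or a JavaScript `location` assignment. The three sample responses are constructed, and the `.invalid` hostnames are placeholders.

```python
"""Classify how a fetched page redirects, without a browser executing anything.

Input is a raw HTTP/1.x response (status line, headers, blank line, body).
Output lists every redirect mechanism found, so you can tell a server-side
3xx (look at the web server / application config) apart from something
injected into the HTML (look at the page source and any included scripts).
"""
import re

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

_META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r'([a-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))', re.IGNORECASE)
_REFRESH_URL = re.compile(r"url\s*=\s*([^\s;\"']+)", re.IGNORECASE)
# window.location = "..."; location.href = "..."; location.replace("...") etc.
_JS_LOCATION = re.compile(
    r'location(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def _attrs(tag: str) -> dict:
    """Return the attributes of one HTML start tag as a lowercase-keyed dict."""
    return {
        m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
        for m in _ATTR.finditer(tag)
    }


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def classify_redirect(raw: bytes) -> dict:
    """Return the status, every redirect found as (mechanism, target), and script srcs."""
    status, headers, body = parse_response(raw)
    redirects = []

    # 1. Server-side: the response itself is a 3xx pointing elsewhere.
    if status in REDIRECT_STATUSES and "location" in headers:
        redirects.append(("server-side", headers["location"]))

    # 2. Meta refresh inside the HTML.
    for tag in _META_TAG.findall(body):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_URL.search(attrs.get("content", ""))
            if m:
                redirects.append(("meta-refresh", m.group(1)))

    # 3. Inline JavaScript assigning the browser location.
    for m in _JS_LOCATION.finditer(body):
        redirects.append(("javascript", m.group(1)))

    # External scripts are worth listing too: an injected <script src> can
    # perform the redirect from a file the saved page does not contain.
    scripts = [
        _attrs(tag)["src"] for tag in _SCRIPT_TAG.findall(body) if "src" in _attrs(tag)
    ]
    return {"status": status, "redirects": redirects, "external_scripts": scripts}


# Constructed sample responses (not captured from any real site).
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.example.invalid/\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Moved</body></html>"
)
SAMPLE_JS = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><head><script>window.location.href = "http://spam.example.invalid/suits";'
    b"</script></head><body>Hello</body></html>"
)
SAMPLE_META = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><head><meta http-equiv="refresh" content="0; url=http://spam.example.invalid/">'
    b'<script src="http://cdn.example.invalid/app.js"></script></head></html>'
)

if __name__ == "__main__":
    for name, sample in (("301", SAMPLE_301), ("js", SAMPLE_JS), ("meta", SAMPLE_META)):
        print(name, classify_redirect(sample))
```

If the report says `server-side`, the page source is a red herring: the redirect lives in the web server or application configuration (rewrite rules, a modified `Application.cfm`/`Application.cfc`, or a file dropped into that directory), which is where the ColdFusion developer should look next. If it says `javascript` or `meta-refresh`, the injected content is in the page itself or in one of the listed external scripts.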

I have just downloaded, and the contents of the file are as I posted previously.

Unfortunately I do not have direct access, so I can only presume the developer ran wget correctly.

What you posted before is what the command line prompt has output, not the content of the downloaded file.

Wood1e2: Were you able to figure out what was going on here? Having a similar issue.