[Hidden-tech] malicious redirect? 2 sites with related problems, different symptoms

Rich@tnr rich at tnrglobal.com
Wed Dec 18 21:49:33 UTC 2019


I am not seeing any specific issue - although I see some odd behavior

This might help -- trying the URL http://www.fambizpv.com/ works
BUT http://fambizpv.com/ does not - initially.
It can be confusing because of caching - once it works the browser uses the www. version.
This looks like a GoDaddy setup issue.

This consistently produces an error: 
https://www.umass.edu/fambiz/about/donations.html
as does clicking on the link in the comments below

I'd also run a web virus checker - there are web site corruptions that 
are browser dependent.
Here are some tools: https://geekflare.com/website-malware-scanning/
Exactly which you can use depends a lot on the web server and setup in use

An easy test (if you can do it) is to run a diff between your WordPress install
and the original WordPress sources -- there are file corruptions that can be hacked into your
site that only show up when coming from a search like Google.
They show up when comparing the original files and usually look like either:
1) an include at the bottom of the WP index.php or wp-config.php
2) messy JavaScript at the start of theme files -- often to the extreme right where you might miss them.

Rich

On 12/18/2019 4:15 PM, Ira Bryck wrote:
>
> Thank you
>
> Irabryck.com is a wordpress site, seems like malicious redirect to 
> Cialis ads
>
> Fambizpv.com is a dreamweaver site, getting the internal server error 
> message
>
> Both are hosted by go daddy
>
> Thanks
>
> I also got a long explanation from a UMass IT friend – here it is – 
> I’m ready to get on the phone with go daddy again, if needed, but if 
> they are not the problem or solvers, I’d pay a reasonable amount for a 
> local tech person to fix this:
>
> The first thing I find confirms your reports. I get a server error at 
> fambizpv.com. Specifically, When I hover over the link in the search 
> results, the URL that shows up in the status bar is fambizpv.com. When 
> I click on the link, the URL in the address bar is the same, 
> fambizpv.com. But if I copy that link in the search results, and then 
> paste, I get the following:
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjACegQIBBAB&url=http%3A%2F%2Ffambizpv.com%2F&usg=AOvVaw2OEMgEAOPkdGiw8JJsPoa9
>
> When I click on the link in the search results for irabryck.com, I get 
> the pill mill site. Again, if I enter the URL myself, again, using 
> private browsing, I get the proper site. When I hover over the link, 
> the URL in the status bar shows up like this:
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjAAegQIARAC&url=http%3A%2F%2Firabryck.com%2F&usg=AOvVaw07e6tVudvWD76Bp5dt4cQu
>
> If I copy and paste the URL, it's exactly the same. When I follow that 
> link, I briefly see irabryck.com in the address bar, then it redirects 
> to the pill mill 
> site: https://itashopo.com/search.html?key=cialis&t=dec107_100
>
> So the server error behavior on fambiz.com seems problematic. I would 
> normally treat that straightforwardly like it's what it appears to be, 
> a server error. But the fact that typing in the proper URL works, 
> doesn't make sense in the straightforward error scenario. Clicking on 
> the link should bring you to precisely the same place as typing the 
> URL. The fact that one works, and the other doesn't tells me there's 
> something unseen happening.
>
> With irabryck.com, it's obvious that there's a malicious redirect 
> occurring. I don't know how you get GoDaddy to responsibly attend to 
> this. Maybe some of this information will help. If a technician isn't 
> getting you somewhere, I might ask to speak to a supervisor until you 
> get someone responsive.
>
> The fact that those links come up at the top of the search results 
> when I search for your name, or family business center, shows that 
> this is not a SEO issue. That's the correct behavior. What happens 
> when you click on the link is not.
>
> *From: *Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> 
> on behalf of Hidden tech list <hidden-discuss at lists.hidden-tech.net>
> *Reply-To: *"rich at tnrglobal.com" <rich at tnrglobal.com>
> *Date: *Wednesday, December 18, 2019 at 4:06 PM
> *To: *Hidden tech list <hidden-discuss at lists.hidden-tech.net>
> *Subject: *Re: [Hidden-tech] Google AdWOrds issue
>
> can't look further without knowing the real URL - hosting service 
> might help also
>
> On 12/18/2019 2:43 PM, Al Canali via Hidden-discuss wrote:
>
>     A client of mine cannot run their Google AdWords account because,
>     according to Google, there is a 500 error caused by this url
>     https://websitename.com/favicon.ico
>
>
>       Internal Server Error
>
>     The server encountered an internal error or misconfiguration and
>     was unable to complete your request.
>
>     Please contact the server administrator at to inform them of the
>     time this error occurred, and the actions you performed just
>     before this error.
>
>     More information about this error may be available in the server
>     error log.
>
>     Additionally, a 500 Internal Server Error error was encountered
>     while trying to use an ErrorDocument to handle the request.
>
>     Anyone have any experience with this? What did you do?
>
> -- 
> Rich Roth
> CEO TnR Global
> Bio and personal blog:http://rizbang.com
> Building the really big sites:http://www.tnrglobal.com
> Small/Soho business in the PV:http://www.hidden-tech.net
> Places to meet for business:http://www.meetmewhere.com
> And for relaxation:http://www.welovemuseums.com
>       http://www.artonmytv.com/
> Helping move the world:http://www.earththrives.com

-- 
Rich Roth
CEO TnR Global

Bio and personal blog: http://rizbang.com
Building the really big sites:      http://www.tnrglobal.com
Small/Soho business in the PV:        http://www.hidden-tech.net
Places to meet for business:        http://www.meetmewhere.com
And for relaxation:        http://www.welovemuseums.com
      http://www.artonmytv.com/
Helping move the world:             http://www.earththrives.com
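
The diff test described in the message above, as an added example that is not part of the original e-mail: it compares an install against an unpacked pristine WordPress release and flags changed files, loader statements added to files like index.php or wp-config.php, and code hidden far to the right of a line. The function name `audit`, the 80-blank threshold and the two directory arguments are assumptions made for this sketch.

```python
import re
from pathlib import Path

# Code hidden after a long run of blanks, far to the right (80 is an assumed threshold).
PUSHED_RIGHT = re.compile(r"[ \t]{80,}\S")
# Statements that pull in or execute other code.
LOADER = re.compile(r"\b(?:include|require)(?:_once)?\b|\beval\s*\(", re.I)
# wp-config.php is site-specific; the release ships wp-config-sample.php instead.
COUNTERPART = {"wp-config.php": "wp-config-sample.php"}
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}


def read_lines(path):
    return path.read_text(errors="replace").splitlines()


def audit(install_dir, pristine_dir):
    """Return (relative_path, reason) findings for an install, in path order."""
    install, pristine = Path(install_dir), Path(pristine_dir)
    findings = []
    for path in sorted(p for p in install.rglob("*") if p.is_file()):
        rel = path.relative_to(install)
        original = pristine / rel.with_name(COUNTERPART.get(rel.name, rel.name))
        if not original.is_file():
            # Themes, plugins and uploads land here; they need a review by hand.
            findings.append((rel.as_posix(), "not in pristine sources"))
            known = set()
        elif path.read_bytes() == original.read_bytes():
            continue
        else:
            if rel.name not in COUNTERPART:
                findings.append((rel.as_posix(), "differs from pristine sources"))
            known = {line.strip() for line in read_lines(original)}
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        # Only lines absent from the pristine copy are inspected further.
        added = [l for l in read_lines(path) if l.strip() not in known]
        if original.is_file() and any(LOADER.search(l) for l in added):
            findings.append((rel.as_posix(), "added include/require/eval"))
        if any(PUSHED_RIGHT.search(l) for l in added):
            findings.append((rel.as_posix(), "code pushed far to the right"))
    return findings
```

The pristine directory should be the same WordPress version as the install, otherwise every core file will be reported as changed.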
