[Hidden-tech] malicious redirect? 2 sites with related problems, different symptoms

Ira Bryck ira at fambizpv.com
Wed Dec 18 22:48:18 UTC 2019


Is this something you could be hired to take care of?

If yes, what would you estimate as the cost?

If not, do you recommend someone else?

Thanks

Ira

Ira Bryck
irabryck.com
fambizpv.com
413-575-5850


________________________________
From: Rich at tnr <rich at tnrglobal.com>
Sent: Wednesday, December 18, 2019 4:49:33 PM
To: Ira Bryck <ira at fambizpv.com>; hidden-discuss at lists.hidden-tech.net <hidden-discuss at lists.hidden-tech.net>
Subject: Re: malicious redirect? 2 sites with related problems, different symptoms


I am not seeing any specific issue - although I see some odd behavior

This might help -- trying the URL http://www.fambizpv.com/ works
BUT http://fambizpv.com/ does not - initially
It can be confusing because of caching - once it works the browser uses the www. version
This looks like a godaddy setup issue

This consistently produces an error: https://www.umass.edu/fambiz/about/donations.html
as does clicking on the link in the comments below

I'd also run a web virus checker - there are web site corruptions that are browser dependent.
Here are some tools: https://geekflare.com/website-malware-scanning/
Exactly which you can use depends a lot on the web server and setup in use

An easy test (if you can do it) is to run a diff between your wordpress install
and the original wordpress sources -- there are file corruptions that can be hacked into your
side that only show up when coming from a search like google.
They show up when comparing the original files and usually look like either:
1) an include at the bottom of the WP index.php or wp-config.php
2) messy Javascript at the start of theme files -- often to the extreme right where you might miss them.

Rich

On 12/18/2019 4:15 PM, Ira Bryck wrote:

Thank you

Irabryck.com is a wordpress site, seems like malicious redirect to Cialis ads

Fambizpv.com is a dreamweaver site, getting the internal server error message

Both are hosted by go daddy

Thanks

I also got a long explanation from a UMass IT friend – here it is – I’m ready to get on the phone with go daddy again, if needed, but if they are not the problem or solvers, I’d pay a reasonable amount for a local tech person to fix this:

The first thing I find confirms your reports. I get a server error at fambizpv.com. Specifically, when I hover over the link in the search results, the URL that shows up in the status bar is fambizpv.com. When I click on the link, the URL in the address bar is the same, fambizpv.com. But if I copy that link in the search results, and then paste, I get the following:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjACegQIBBAB&url=http%3A%2F%2Ffambizpv.com%2F&usg=AOvVaw2OEMgEAOPkdGiw8JJsPoa9

When I click on the link in the search results for irabryck.com, I get the pill mill site. Again, if I enter the URL myself, again, using private browsing, I get the proper site. When I hover over the link, the URL in the status bar shows up like this:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjAAegQIARAC&url=http%3A%2F%2Firabryck.com%2F&usg=AOvVaw07e6tVudvWD76Bp5dt4cQu

If I copy and paste the URL, it's exactly the same. When I follow that link, I briefly see irabryck.com in the address bar, then it redirects to the pill mill site: https://itashopo.com/search.html?key=cialis&t=dec107_100

So the server error behavior on fambiz.com seems problematic. I would normally treat that straightforwardly like it's what it appears to be, a server error. But the fact that typing in the proper URL works, doesn't make sense in the straightforward error scenario. Clicking on the link should bring you to precisely the same place as typing the URL. The fact that one works, and the other doesn't tells me there's something unseen happening.

With irabryck.com, it's obvious that there's a malicious redirect occurring. I don't know how you get GoDaddy to responsibly attend to this. Maybe some of this information will help. If a technician isn't getting you somewhere, I might ask to speak to a supervisor until you get someone responsive.

The fact that those links come up at the top of the search results when I search for your name, or family business center, shows that this is not a SEO issue. That's the correct behavior. What happens when you click on the link is not.

From: Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> on behalf of Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Reply-To: "rich at tnrglobal.com" <rich at tnrglobal.com>
Date: Wednesday, December 18, 2019 at 4:06 PM
To: Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Subject: Re: [Hidden-tech] Google AdWOrds issue



can't look further without knowing the real URL - hosting service might help also

On 12/18/2019 2:43 PM, Al Canali via Hidden-discuss wrote:

A client of mine cannot run their Google AdWords account because, according to Google, there is a 500 error caused by this url https://websitename.com/favicon.ico

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Anyone have any experience with this? What did you do?

_______________________________________________
Hidden-discuss mailing list - home page: http://www.hidden-tech.net
Hidden-discuss at lists.hidden-tech.net

You are receiving this because you are on the Hidden-Tech Discussion list.
If you would like to change your list preferences, Go to the Members
page on the Hidden Tech Web site.
http://www.hidden-tech.net/members

--
Rich Roth
CEO TnR Global

Bio and personal blog: http://rizbang.com
Building the really big sites:      http://www.tnrglobal.com
Small/Soho business in the PV:        http://www.hidden-tech.net
Places to meet for business:        http://www.meetmewhere.com
And for relaxation:        http://www.welovemuseums.com
     http://www.artonmytv.com/
Helping move the world:             http://www.earththrives.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20191218/295c7ec7/attachment-0001.html>
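
The comparison Rich describes in his reply above (the live WordPress files against the original sources, then a look for code pushed to the far right of a line), as an added example that is not part of the original thread. The directory layout, the 80-character whitespace threshold and the sample files are constructed assumptions.

```python
import hashlib, re, tempfile
from pathlib import Path

# Assumed threshold: code placed after 80+ spaces/tabs sits out of view in most editors.
FAR_RIGHT = re.compile(r"[ \t]{80,}\S")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_install(live, pristine):
    """Compare a live WordPress tree with a clean copy of the same version."""
    live, pristine = Path(live), Path(pristine)
    report = {"modified": [], "extra": [], "far_right": []}
    for f in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = f.relative_to(live).as_posix()
        ref = pristine / rel
        if not ref.is_file():
            report["extra"].append(rel)        # not in the original sources
        elif sha256(f) != sha256(ref):
            report["modified"].append(rel)     # differs from the original file
        if f.suffix in (".php", ".js"):
            text = f.read_text(errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                if FAR_RIGHT.search(line):
                    report["far_right"].append((rel, n))
    return report

def build_sample_trees(root):
    """Constructed sample data: a clean tree and a tampered copy of it."""
    root = Path(root)
    clean = {"index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
             "wp-blog-header.php": "<?php\n// loader\n"}
    for name in ("pristine", "live"):
        for rel, body in clean.items():
            p = root / name / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # Case 1 from the message: an include appended at the bottom of index.php
    with open(root / "live/index.php", "a") as fh:
        fh.write("@include 'placeholder-added-file.php';\n")
    # Case 2: script pushed far to the right at the start of a theme file
    theme = root / "live/wp-content/themes/sample/header.php"
    theme.parent.mkdir(parents=True)
    theme.write_text("<?php" + " " * 200 + "echo '<script>/* placeholder */</script>'; ?>\n")
    return root / "live", root / "pristine"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_install(*build_sample_trees(tmp)))
```

Files the site legitimately adds (wp-config.php, themes, plugins, uploads) are not in the original sources, so they appear under "extra" and need reviewing by hand.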

