[Hidden-tech] malicious redirect? 2 sites with related problems, different symptoms

Sam McClellan sam at itabix.com
Wed Dec 18 23:50:50 UTC 2019


Sucuri sitecheck only found that the site is down - both www and non www.
https://prnt.sc/qct0er

------------------------------------------------------------------------
Sam McClellan
Itabix, Inc
/One place for all things Web/
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)

On 12/18/2019 4:49 PM, Rich at tnr via Hidden-discuss wrote:
>
> I am not seeing any specific issue - although I see some odd behavior
>
> This might help -- trying the URL http://www.fambizpv.com/ works
> BUT http://fambizpv.com/ does not - initially
> It can be confusing because of caching - once it works the browser 
> uses the www. version
> This looks like a GoDaddy setup issue
>
> This consistently produces an error: 
> https://www.umass.edu/fambiz/about/donations.html
> as does clicking on the link in the comments below
>
> I'd also run a web virus checker - there are web site corruptions that 
> are browser dependent.
> Here are some tools: https://geekflare.com/website-malware-scanning/
> Exactly which you can use depends a lot on the web server and setup in use
>
> An easy test (if you can do it) is to run a diff between your WordPress 
> install
> and the original wordpress sources -- there are file corruptions that 
> can be hacked into your
> side that only show up when coming from a search like google.
> They show up when comparing the original files and usually look like 
> either:
> 1) an include at the bottom of the WP index.php or wp-config.php
> 2) messy Javascript at the start of theme files -- often to the 
> extreme right where you might miss them.
>
> Rich
>
> On 12/18/2019 4:15 PM, Ira Bryck wrote:
>>
>> Thank you
>>
>> Irabryck.com is a WordPress site, seems like malicious redirect to 
>> Cialis ads
>>
>> Fambizpv.com is a Dreamweaver site, getting the internal server error 
>> message
>>
>> Both are hosted by GoDaddy
>>
>> Thanks
>>
>> I also got a long explanation from a UMass IT friend – here it is – 
>> I’m ready to get on the phone with GoDaddy again, if needed, but if 
>> they are not the problem or solvers, I’d pay a reasonable amount for 
>> a local tech person to fix this:
>>
>> The first thing I find confirms your reports. I get a server error at 
>> fambizpv.com. Specifically, when I hover over the link in the search 
>> results, the URL that shows up in the status bar is fambizpv.com. 
>> When I click on the link, the URL in the address bar is the same, 
>> fambizpv.com. But if I copy that link in the search results, and then 
>> paste, I get the following:
>>
>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjACegQIBBAB&url=http%3A%2F%2Ffambizpv.com%2F&usg=AOvVaw2OEMgEAOPkdGiw8JJsPoa9
>>
>> When I click on the link in the search results for irabryck.com, I 
>> get the pill mill site. Again, if I enter the URL myself, again, 
>> using private browsing, I get the proper site. When I hover over the 
>> link, the URL in the status bar shows up like this:
>>
>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjAAegQIARAC&url=http%3A%2F%2Firabryck.com%2F&usg=AOvVaw07e6tVudvWD76Bp5dt4cQu
>>
>> If I copy and paste the URL, it's exactly the same. When I follow 
>> that link, I briefly see irabryck.com in the address bar, then it 
>> redirects to the pill mill 
>> site: https://itashopo.com/search.html?key=cialis&t=dec107_100
>>
>> So the server error behavior on fambiz.com seems problematic. I would 
>> normally treat that straightforwardly like it's what it appears to 
>> be, a server error. But the fact that typing in the proper URL works, 
>> doesn't make sense in the straightforward error scenario. Clicking on 
>> the link should bring you to precisely the same place as typing the 
>> URL. The fact that one works, and the other doesn't tells me there's 
>> something unseen happening.
>>
>> With irabryck.com, it's obvious that there's a malicious redirect 
>> occurring. I don't know how you get GoDaddy to responsibly attend to 
>> this. Maybe some of this information will help. If a technician isn't 
>> getting you somewhere, I might ask to speak to a supervisor until you 
>> get someone responsive.
>>
>> The fact that those links come up at the top of the search results 
>> when I search for your name, or family business center, shows that 
>> this is not a SEO issue. That's the correct behavior. What happens 
>> when you click on the link is not.
>>
>> *From: *Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> 
>> on behalf of Hidden tech list <hidden-discuss at lists.hidden-tech.net>
>> *Reply-To: *"rich at tnrglobal.com" <rich at tnrglobal.com>
>> *Date: *Wednesday, December 18, 2019 at 4:06 PM
>> *To: *Hidden tech list <hidden-discuss at lists.hidden-tech.net>
>> *Subject: *Re: [Hidden-tech] Google AdWOrds issue
>>
>> can't look further without knowing the real URL - hosting service 
>> might help also
>>
>> On 12/18/2019 2:43 PM, Al Canali via Hidden-discuss wrote:
>>
>>     A client of mine cannot run their Google AdWords account because,
>>     according to Google, there is a 500 error caused by this url
>>     https://websitename.com/favicon.ico
>>
>>
>>       Internal Server Error
>>
>>     The server encountered an internal error or misconfiguration and
>>     was unable to complete your request.
>>
>>     Please contact the server administrator at to inform them of the
>>     time this error occurred, and the actions you performed just
>>     before this error.
>>
>>     More information about this error may be available in the server
>>     error log.
>>
>>     Additionally, a 500 Internal Server Error error was encountered
>>     while trying to use an ErrorDocument to handle the request.
>>
>>     Anyone have any experience with this? What did you do?
>>
>>
>>
>>     _______________________________________________
>>
>>     Hidden-discuss mailing list - home page:http://www.hidden-tech.net
>>
>>     Hidden-discuss at lists.hidden-tech.net  <mailto:Hidden-discuss at lists.hidden-tech.net>
>>
>>     You are receiving this because you are on the Hidden-Tech Discussion list.
>>
>>     If you would like to change your list preferences, Go to the Members
>>
>>     page on the Hidden Tech Web site.
>>
>>     http://www.hidden-tech.net/members
>>
>> -- 
>> Rich Roth
>> CEO TnR Global
>> Bio and personal blog:http://rizbang.com
>> Building the really big sites:http://www.tnrglobal.com
>> Small/Soho business in the PV:http://www.hidden-tech.net
>> Places to meet for business:http://www.meetmewhere.com
>> And for relaxation:http://www.welovemuseums.com
>>       http://www.artonmytv.com/
>> Helping move the world:http://www.earththrives.com
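
The file comparison Rich suggests in the quoted reply, as an added example that is not part of the original thread: it compares an installed tree against a clean copy and flags the two patterns he names (an include appended near the end of a file, and code pushed far to the right). It assumes a clean copy of the same WordPress version is unpacked locally; the 80-character and last-5-lines thresholds and every file name in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

FAR_RIGHT = re.compile(r"[ \t]{80,}\S")   # text hidden after a long whitespace run
TAIL_INCLUDE = re.compile(r"\b(include|require)(_once)?\b", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_trees(clean, installed):
    """Return {relative_path: [findings]} for files that differ from the clean copy."""
    report = {}
    for f in sorted(p for p in installed.rglob("*") if p.is_file()):
        rel = f.relative_to(installed).as_posix()
        ref = clean / rel
        if not ref.exists():
            report[rel] = ["not in clean copy"]
            continue
        if sha256(f) == sha256(ref):
            continue
        findings = ["differs from clean copy"]
        lines = f.read_text(errors="replace").splitlines()
        known = set(ref.read_text(errors="replace").splitlines())
        for n, line in enumerate(lines, 1):
            if line in known:            # unchanged line, nothing to flag
                continue
            if FAR_RIGHT.search(line):
                findings.append(f"line {n}: code after long whitespace run")
            if n > len(lines) - 5 and TAIL_INCLUDE.search(line):
                findings.append(f"line {n}: include near end of file")
        report[rel] = findings
    return report

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-content/themes/t").mkdir(parents=True)
            (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-content/themes/t/header.php").write_text("<?php\n// header\n")
        # Constructed tampering: appended include, far-right script, extra file.
        with (live / "index.php").open("a") as fh:
            fh.write("include 'placeholder.php';\n")
        (live / "wp-content/themes/t/header.php").write_text(
            "<?php" + " " * 200 + "<script>/* placeholder */</script>\n// header\n")
        (live / "extra.php").write_text("<?php // placeholder\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Files such as wp-config.php, uploads and third-party themes are not in the WordPress distribution, so they are reported as "not in clean copy" and need to be checked against their own originals or by hand.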
