[Hidden-tech] malicious redirect? 2 sites with related problems, different symptoms

Ira Bryck ira at fambizpv.com
Thu Dec 19 14:45:20 UTC 2019


Thank you, everyone who contributed your knowledge.

You did identify the problem, and helped me when I called Go Daddy (another communication company with communication problems) and found someone who saw the malware on my 2 problem sites, and will be able to fix it within 12 hours.

(It takes a $70 per year level of service called “essentials” – where you have to call and tell them to fix it; they supposedly sent an email about it, after the daily scan, but I didn’t see it (may have been in clutter). For $190/year, the deluxe plan adds a firewall and just fixes it without you calling in.)

Anyway, hope it’s fixed in 12 hours!

Ira Bryck





From: Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> on behalf of Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Reply-To: Sam McClellan <sam at itabix.com>
Date: Wednesday, December 18, 2019 at 9:20 PM
To: Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Subject: Re: [Hidden-tech] malicious redirect? 2 sites with related problems, different symptoms

Sucuri sitecheck only found that the site is down - both www and non www.
https://prnt.sc/qct0er

________________________________
Sam McClellan
Itabix, Inc
One place for all things Web
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)
On 12/18/2019 4:49 PM, Rich at tnr via Hidden-discuss wrote:

I am not seeing any specific issue - although I see some odd behavior

This might help -- trying the URL http://www.fambizpv.com/ works
BUT http://fambizpv.com/ does not - initially
It can be confusing because of caching - once it works the browser uses the www. version
This looks like a godaddy setup issue

This consistently produces an error: https://www.umass.edu/fambiz/about/donations.html
as does clicking on the link in the comments below

I'd also run a web virus checker - there are web site corruptions that are browser dependent.
Here are some tools: https://geekflare.com/website-malware-scanning/
Exactly which you can use depends a lot on the web server and setup in use

An easy test (if you can do it) is to run a diff between your WordPress install
and the original WordPress sources -- there are file corruptions that can be hacked into your
site that only show up when coming from a search like Google.
They show up when comparing the original files and usually look like either:
1) an include at the bottom of the WP index.php or wp-config.php
2) messy JavaScript at the start of theme files -- often to the extreme right where you might miss them.

Rich
On 12/18/2019 4:15 PM, Ira Bryck wrote:
Thank you

Irabryck.com is a wordpress site, seems like malicious redirect to Cialis ads

Fambizpv.com is a Dreamweaver site, getting the internal server error message

Both are hosted by go daddy

Thanks

I also got a long explanation from a UMass IT friend – here it is – I’m ready to get on the phone with go daddy again, if needed, but if they are not the problem or solvers, I’d pay a reasonable amount for a local tech person to fix this:


The first thing I find confirms your reports. I get a server error at fambizpv.com. Specifically, when I hover over the link in the search results, the URL that shows up in the status bar is fambizpv.com. When I click on the link, the URL in the address bar is the same, fambizpv.com. But if I copy that link in the search results, and then paste, I get the following:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjACegQIBBAB&url=http%3A%2F%2Ffambizpv.com%2F&usg=AOvVaw2OEMgEAOPkdGiw8JJsPoa9
When I click on the link in the search results for irabryck.com, I get the pill mill site. Again, if I enter the URL myself, again, using private browsing, I get the proper site. When I hover over the link, the URL in the status bar shows up like this:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjk4_n9vL_mAhVRzlkKHUvpAm8QFjAAegQIARAC&url=http%3A%2F%2Firabryck.com%2F&usg=AOvVaw07e6tVudvWD76Bp5dt4cQu
If I copy and paste the URL, it's exactly the same. When I follow that link, I briefly see irabryck.com in the address bar, then it redirects to the pill mill site: https://itashopo.com/search.html?key=cialis&t=dec107_100
So the server error behavior on fambiz.com seems problematic. I would normally treat that straightforwardly like it's what it appears to be, a server error. But the fact that typing in the proper URL works, doesn't make sense in the straightforward error scenario. Clicking on the link should bring you to precisely the same place as typing the URL. The fact that one works, and the other doesn't tells me there's something unseen happening.
With irabryck.com, it's obvious that there's a malicious redirect occurring. I don't know how you get GoDaddy to responsibly attend to this. Maybe some of this information will help. If a technician isn't getting you somewhere, I might ask to speak to a supervisor until you get someone responsive.
The fact that those links come up at the top of the search results when I search for your name, or family business center, shows that this is not a SEO issue. That's the correct behavior. What happens when you click on the link is not.









From: Hidden-discuss <hidden-discuss-bounces at lists.hidden-tech.net> on behalf of Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Reply-To: "rich at tnrglobal.com" <rich at tnrglobal.com>
Date: Wednesday, December 18, 2019 at 4:06 PM
To: Hidden tech list <hidden-discuss at lists.hidden-tech.net>
Subject: Re: [Hidden-tech] Google AdWOrds issue


can't look further without knowing the real URL - hosting service might help also
On 12/18/2019 2:43 PM, Al Canali via Hidden-discuss wrote:
A client of mine cannot run their Google AdWords account because, according to Google, there is a 500 error caused by this url https://websitename.com/favicon.ico
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Anyone have any experience with this? What did you do?






_______________________________________________

Hidden-discuss mailing list - home page: http://www.hidden-tech.net

Hidden-discuss at lists.hidden-tech.net



You are receiving this because you are on the Hidden-Tech Discussion list.

If you would like to change your list preferences, Go to the Members

page on the Hidden Tech Web site.

http://www.hidden-tech.net/members

--

Rich Roth

CEO TnR Global



Bio and personal blog: http://rizbang.com

Building the really big sites:      http://www.tnrglobal.com

Small/Soho business in the PV:        http://www.hidden-tech.net

Places to meet for business:        http://www.meetmewhere.com

And for relaxation:        http://www.welovemuseums.com

     http://www.artonmytv.com/

Helping move the world:             http://www.earththrives.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20191219/7bf4e9c5/attachment.html>
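
Rich's diff test from the thread above, as an added example that is not part of the original messages: a Python script that compares a live WordPress tree against a pristine copy and flags the two patterns he lists (an include appended at the bottom of a file, and text pushed far to the right of a line). The 200-character whitespace threshold, the reason strings, and the sample trees built in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from difflib import SequenceMatcher
from pathlib import Path

GAP = re.compile(r"[ \t]{200,}\S")  # assumed threshold for "extreme right"

def compare_trees(clean, live):
    """Return (relative path, line number, reason) for additions worth reviewing."""
    findings = []
    for path in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = path.relative_to(live).as_posix()
        new = path.read_text(errors="replace").splitlines()
        ref = clean / rel
        old = ref.read_text(errors="replace").splitlines() if ref.is_file() else []
        if not ref.is_file():
            # wp-config.php and uploads have no pristine copy: review by hand
            findings.append((rel, 0, "not in clean tree"))
        ops = SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
        for tag, i1, _i2, j1, j2 in ops:
            if tag in ("equal", "delete"):
                continue
            for n in range(j1, j2):
                if GAP.search(new[n]):
                    reason = "text after long whitespace run"
                elif not old:
                    continue  # no reference: only the whitespace check applies
                elif tag == "insert" and i1 == len(old):
                    reason = "appended at end of file"
                else:
                    reason = "modified line"
                findings.append((rel, n + 1, reason))
    return findings

def demo():
    """Build two constructed trees (not real WordPress files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-content/themes/t").mkdir(parents=True)
            (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
            (root / "wp-content/themes/t/header.php").write_text("<?php\nwp_head();\n")
        (live / "wp-config.php").write_text("<?php\n")
        with (live / "index.php").open("a") as f:  # pattern 1: include at the bottom
            f.write("@include 'constructed-sample.php';\n")
        # pattern 2: extra text pushed far to the right on a theme file's first line
        (live / "wp-content/themes/t/header.php").write_text(
            "<?php" + " " * 300 + "/* constructed sample */\nwp_head();\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

For a real site, point `compare_trees` at an unpacked copy of the same WordPress version and at a download of the site's files; `wp-config.php` is created at install time, so it is reported as unreferenced and needs a manual read.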

