ARGGH! All my sites are being redirected!

by ProEFI
45 replies
Almost out of the blue I started getting redirected to a parked page. The page code is using this iframe:

<iframe src="http://searchdiscovered.com/?pid=5POJ5651L&dn=www.poweredbywlm.com" width="100%" height="100%" frameborder="0"></iframe>

It's happening on ALL of my domains. I tried two other computers in my house and got the same thing. Any suggestions on what to look for? I ran an AVG scan and nothing was found.

Thx
Andrew
#arggh #redirected #sites
  • Profile picture of the author Daniel44
    is it just on your own sites, or on all sites?
    {{ DiscussionBoard.errors[3812603].message }}
  • Profile picture of the author Alexa Smith
    Banned
    Is it possible that your domain-names might have expired? :confused:
    {{ DiscussionBoard.errors[3812605].message }}
  • Profile picture of the author devanhcrow2011
    Yeah that is probably the issue.. By the way if you need a good personalized hosting provider. I own a private hosting company.
    Signature

    Devan Hamlin Crow
    (580)786-1043
    http://www.devanhcrow.com

    {{ DiscussionBoard.errors[3812609].message }}
  • Profile picture of the author JamesGw
    Yeah. It sounds like your domains expired.
    {{ DiscussionBoard.errors[3812616].message }}
  • Profile picture of the author Daniel44
    All of them at once? It sounds to me like someone has got access to his control panel...
    {{ DiscussionBoard.errors[3812621].message }}
  • Profile picture of the author ProEFI
    The domains have not expired. I own about 30 domains from two different registars. Just purchased one last week. Everything was working fine up until about 2 hours ago. It only happens on my domains, I can access everything else.
    {{ DiscussionBoard.errors[3812630].message }}
    • Profile picture of the author sbucciarel
      Banned
      Originally Posted by ProEFI View Post

      The domains have not expired. I own about 30 domains from two different registars. Just purchased one last week. Everything was working fine up until about 2 hours ago. It only happens on my domains, I can access everything else.
      Make certain that you have your nameservers set to your hosting domain only. That would be two nameservers. If you have the default nameservers in there, it will redirect like that.

      The last thread like this ... the guy had two hosting nameservers in there, plus the two default registrar nameservers in there. Once he removed the default ones, the problem disappeared.
      {{ DiscussionBoard.errors[4471339].message }}
  • Profile picture of the author hashbury
    See if its happening to every site you visit not just your own. You could have a browser hijacker.

    If its only on your sites, It would seem to me that your ftp information has been compromised and you should change your passwords asap. Then you will get the fun task of removing the code from all of your websites (if you have a good hosting company they might do this for you) or backing up from an earlier date.
    {{ DiscussionBoard.errors[3812639].message }}
    • Profile picture of the author Daniel44
      Just as I thought, yeah you have been compromised. A lot of people will recommend that you change your password, but it is more likely to have been caused through a script exploit. Take down any not-well-known PHP scripts for now while you assess the damage and fix the sites.

      If you need anything PM me, I have been dealing with security on the web for a lot of years.

      Daniel
      {{ DiscussionBoard.errors[3812660].message }}
      • Profile picture of the author hashbury
        Originally Posted by Daniel44 View Post

        Just as I thought, yeah you have been compromised. A lot of people will recommend that you change your password, but it is more likely to have been caused through a script exploit. Take down any not-well-known PHP scripts for now while you assess the damage and fix the sites.

        If you need anything PM me, I have been dealing with security on the web for a lot of years.

        Daniel
        Script exploit or ftp hack it is still a good idea to change passwords to be on the safe side.
        {{ DiscussionBoard.errors[3812725].message }}
      • Profile picture of the author melofmovement
        Originally Posted by Daniel44 View Post

        Just as I thought, yeah you have been compromised. A lot of people will recommend that you change your password, but it is more likely to have been caused through a script exploit. Take down any not-well-known PHP scripts for now while you assess the damage and fix the sites.

        If you need anything PM me, I have been dealing with security on the web for a lot of years.

        Daniel
        I have multiple wordpress sites that keep getting hacked. I've installed the recommended plugins, cleaned, cleaned, cleaned, change password, change password and change password.

        I'm at a loss, now the site is clean but when i link it on somewhere like facebook it goes to a spam page.

        this is driving me mental, how can i prevent infection and tell the hackers to go eff themselves.
        {{ DiscussionBoard.errors[5450760].message }}
        • Profile picture of the author Karen Blundell
          please, you people who keep posting that his domains expired, when he's posted several times that's not the case, stop and take the time to read the thread before you post something that you have no clue about. Thank you!

          I have seen this happen countless times before with WordPress. It could be a theme or it could be an outdated plugin that a hacker was able to compromise.

          This is the very reason I always strongly recommend that you always update your WordPress version whenever the updates come up, as well as updating your plugins and themes.


          Ramone_Johnny gave you very good advice above, and that is over-write everthing in your wp-admin, wp-includes, wp-content/plugins, and wp-content/themes folders.

          then once you got that done, make sure you've updated everything, core WordPress, plugins, themes if there are any to update, and get rid of any plugins you are not using.


          if you need any further assistance, please do not hesitate to contact me.

          one more thing, just in case you computer is infected with a browser re-direct trojan, download Malwarebytes, update the definition files if you need to, and run a simple scan. Better safe than sorry.

          Good luck!
          Signature
          ---------------
          {{ DiscussionBoard.errors[5450869].message }}
    • Profile picture of the author TG12
      There was another thread about this. Hacked?
      Signature
      Vaoser Link Ninja Software
      DHV Delivery Systems FAILING at online dating???
      {{ DiscussionBoard.errors[3812668].message }}
  • Profile picture of the author ProEFI
    Thanks. It is only my sites. I just had a friend in the US check my sites and she saw the same redirect page.
    {{ DiscussionBoard.errors[3812662].message }}
  • {{ DiscussionBoard.errors[3812740].message }}
  • Profile picture of the author ProEFI
    My domains definitely did NOT expire. They were all purchased at various times, with the latest being 3 days ago. I've been online for 3 years and know my way around domains/hosting.
    {{ DiscussionBoard.errors[3812797].message }}
  • Profile picture of the author profitsforall
    Are you hosting with hostgator by any chance?

    I had this page showing for my domain. I had put the wrong nameserver information on my domain so it was pointing to the server of my other hostgator account and because this server knew nothing about the domain the searchdiscovered page came up as default.

    So - i suspect it's either an issue on your server, where it's lost your mapping for all of you domain names, or something has updated all your domain name server information (Which is probably unlikely).

    Contact hostgator support.
    {{ DiscussionBoard.errors[3812841].message }}
  • Profile picture of the author ProEFI
    I did some research on searcheddiscovery.com and found this:

    "A search engine redirect virus is a form of malware that changes DNS entries and HOSTS files and redirects search engine searches to malicious pages for the intention of spamming anyone. The virus can affect all major search engines and cause that secret data will be sent out via a background connection."

    I released/renewed my ip address and now I have access to my sites again. However, the bad news is that I still cannot locate the malware so the problem may resurface until it eliminate it.

    The good news is that my account has not been hacked.
    {{ DiscussionBoard.errors[3814454].message }}
    • Originally Posted by ProEFI View Post

      I did some research on searcheddiscovery.com and found this:

      "A search engine redirect virus is a form of malware that changes DNS entries and HOSTS files and redirects search engine searches to malicious pages for the intention of spamming anyone. The virus can affect all major search engines and cause that secret data will be sent out via a background connection."
      Sounds to me like it's on your computer if it's changing your Hosts file. Try running Spybot - Search and Destroy and see if it comes up with anything.
      {{ DiscussionBoard.errors[3875997].message }}
    • Profile picture of the author tpw
      Originally Posted by ProEFI View Post

      I did some research on searcheddiscovery.com and found this:

      "A search engine redirect virus is a form of malware that changes DNS entries and HOSTS files and redirects search engine searches to malicious pages for the intention of spamming anyone. The virus can affect all major search engines and cause that secret data will be sent out via a background connection."

      I released/renewed my ip address and now I have access to my sites again. However, the bad news is that I still cannot locate the malware so the problem may resurface until it eliminate it.

      The good news is that my account has not been hacked.

      LOL

      I am just reposting what you said, since many people are still just answering your initial query instead of reading the page. :p
      Signature
      Bill Platt, Oklahoma USA, PlattPublishing.com
      Publish Coloring Books for Profit (WSOTD 7-30-2015)
      {{ DiscussionBoard.errors[4706683].message }}
  • Profile picture of the author mllnsgrl
    Andrew,

    A similar thing happened to me, but from a downloaded theme. I called godaddy and they walked me thru the delete and restore from a previous date. Then I changed my password. All is fine now.

    It's a huge pain, but the automatic restore makes it easier.

    Best of luck with that!

    Liz
    Signature



    {{ DiscussionBoard.errors[3875229].message }}
  • Profile picture of the author celente
    either 2 things

    1) Hacked which is a real bummer.

    2) you have an expired domain on your hand.
    {{ DiscussionBoard.errors[3875399].message }}
  • Profile picture of the author WholesalerJoe
    Been there done that!
    Is correct fix
    released/renewed my ip address
    Then scrub your work station and or reformat to be safe!
    Signature
    We Wholesale Jewelry Clothes and Many Other Closeouts NEW DAILY DEALS!
    {{ DiscussionBoard.errors[3876026].message }}
    • Profile picture of the author richieh
      I, too, tried to log into one of my wordpress blogs to find the dreaded searchdiscovered.com flash page. After spending a whole day trying to figure this out including buying the Stopzilla malware program (which appears to find stuff that Malware Bytes does not), I go the following reply from my Hostgator support ticket:

      Hello,

      The searchdiscovered.com website is our default parked page for unknown domains, but I am not seeing a problem with your site at the moment. It looks like some changes were made to your DNS entries which may have caused this problem, however it looks like the issue is now resolved. Make sure to clear your browser's cache if you are still seeing the other site.

      Please let us know if you come across any other issues.

      Sincerely,

      Jon S.
      Linux Security Administrator
      HostGator.com LLC
      HostGator.com Support Portal

      Now I think that is wierd.

      My website is OK but I don't know if installing Stopzilla on my PC did it or if something funny happened at Hostgator.

      Richieh
      {{ DiscussionBoard.errors[4006563].message }}
  • Profile picture of the author kentwebhost
    Dodgy themes in Word Press, Joomla etc contain exploits that have similar behaviour to what your suggesting. I dont know for sure, and unfortunatly I'm not sure (other than changing your theme) how to 'fix' them.
    Sorry cant be more specific, but just shining light down another avenue for you!
    Signature

    Joomla saves me time

    {{ DiscussionBoard.errors[4006579].message }}
  • Profile picture of the author ghostrecon
    Definitely an exploit in one of your themes, revert it back to the default and try to take a look at the themes header.php and footer.php for any malicious redirects.
    Signature

    PinPioneer.com - Proprietary Pinterest Marketing Software
    1000 Pins Uploaded PER Hour
    Use code: WFPioneer
    {{ DiscussionBoard.errors[4006585].message }}
  • Profile picture of the author kentwebhost
    know its a bit late now...but I always take a copy of the final edited theme (virus free) as a backup, better than trawling through all those CSS changes you've made
    Signature

    Joomla saves me time

    {{ DiscussionBoard.errors[4006605].message }}
  • Profile picture of the author Janet Sawyer
    Here is something that is really useful if you suspect your Wordpress theme.
    WordPress › TAC (Theme Authenticity Checker) « WordPress Plugins
    It works for me.
    {{ DiscussionBoard.errors[4006636].message }}
    • Profile picture of the author pahalik
      I registered a new domain at one registrar and then bought new hosting from hostgator. As in both being less than one week old. Nothing is installed. Nothing. No themes, no Joomla, no Wordpress, etc..

      Yesterday I began seeing the searchdiscovered.com pages. Obviously it has nothing to do with expired domains. Obviously it has nothing to do with themes.

      It is something in the dns settings.
      {{ DiscussionBoard.errors[4369929].message }}
  • Profile picture of the author Pixel Minisite
    what registrar are you using?
    Signature
    Minisite Designs as low as $17
    http://www.pixelminisite.com
    {{ DiscussionBoard.errors[4369960].message }}
  • Profile picture of the author profit2day
    This happened to me as well with my sites being hacked and redirected. I contacted the host, they took care of it, but the sites were never the same. 404 errors are all over the pages and posts when clicked, but everything is in tact in the admin area. I have been moving sites to another host since I am not happy with the service and how the sites were affected.
    {{ DiscussionBoard.errors[4370432].message }}
  • {{ DiscussionBoard.errors[4370460].message }}
  • Profile picture of the author derricks4
    People.. It's not the domains being expired.
    I had this before.

    To fix follow:
    •Change all passwords (admin, ftp, hosting panel, etc.)
    •Log onto ftp for each site/domain
    •Look for any weird files that don't belong
    •Open .htacess file
    •Highlight all text within file, and you will probably see some hidden text that looks funky/you didnt' write
    •Delete funky text, and re-upload file

    This should fix it. Be sure to backup all of your files before doing it, though.
    Signature
    EXPLODE Your Sales! The PREMIER Copywriting Service on WF<PM ME!
    ^^GUARANTEED 100% to INCREASE YOUR PROFIT ^^
    {{ DiscussionBoard.errors[4370486].message }}
    • Profile picture of the author dsouravs
      Someone got access to Ur FTP and have put that malware code in your sites.
      Search 4 that piece of that code in index.php if UR using WordPress.....If not found on index.php search all pages.....U possess a risk of getting stopped by Google as a malware site...so hurry..

      after Ur sites OK..change all password immediately....
      Signature

      I can convert your Non-Responsive website to Responsive website ... How sweet is that? :)

      {{ DiscussionBoard.errors[4370511].message }}
      • Profile picture of the author John Romaine
        Originally Posted by dsouravs View Post

        Someone got access to Ur FTP and have put that malware code in your sites.
        Search 4 that piece of that code in index.php if UR using WordPress.....If not found on index.php search all pages.....U possess a risk of getting stopped by Google as a malware site...so hurry..

        after Ur sites OK..change all password immediately....
        No they didnt.

        This exploit can be caused by simply using Adobe reader on an infected site. Then as you visit each of your sites, they become infected too.

        Its likely the cause is his own workstation, in which he'll have to do some investigative work.
        Signature

        BS free SEO services, training and advice - SEO Point

        {{ DiscussionBoard.errors[4370535].message }}
        • Profile picture of the author dsouravs
          Originally Posted by ramone_johnny View Post

          No they didnt.

          This exploit can be caused by simply using Adobe reader on an infected site. Then as you visit each of your sites, they become infected too.

          Its likely the cause is his own workstation, in which he'll have to do some investigative work.
          But the sites have got infected... Don't we need 2 clean them up.
          Signature

          I can convert your Non-Responsive website to Responsive website ... How sweet is that? :)

          {{ DiscussionBoard.errors[4370555].message }}
          • Profile picture of the author John Romaine
            Originally Posted by dsouravs View Post

            But the sites have got infected... Don't we need 2 clean them up.
            Yes. Which is why I wrote above...."Overwrite all the infected files with clean copies"

            But thats pointless if his workstation itself is causing the problem. The sites will just become infected again when he brings them up within his browser.
            Signature

            BS free SEO services, training and advice - SEO Point

            {{ DiscussionBoard.errors[4370609].message }}
  • Profile picture of the author John Romaine
    I guess youre using Wordpress yes?

    If so, it looks like you have whats called an "iframe injection attack"

    Overwrite all the infected files with clean copies, then change your passwords, and run updates/patches on your Wordpress installs.

    Got nothing to do with expired domains.

    http://www.guardian.co.uk/technology...ecurity.google
    Signature

    BS free SEO services, training and advice - SEO Point

    {{ DiscussionBoard.errors[4370505].message }}
  • Profile picture of the author Rudder
    I had problems like these in the past when I used hostgator. My site was running perfectly for a week; then everything went haywire. hostgator support was not very helpful so I found another host service.
    {{ DiscussionBoard.errors[4370507].message }}
  • Profile picture of the author HorseStall
    Any possibility your htaccess was hacked?
    {{ DiscussionBoard.errors[4371747].message }}
  • Profile picture of the author wallyw
    I think the problem is with files on your websites. Someone has hacked them and added the redirect script on index and/or login files or in your .htaccess file.

    Change all your passwords and check those files to see if they've been changed. Keep copies of your website files on your computer so you can do a restore if you get hacked. You can also ask you host to restore your domains from their backups if they keep any.

    I use qwk.net for my host and they have saved my butt on more than a couple occasions.
    {{ DiscussionBoard.errors[4471164].message }}
  • Profile picture of the author woodymcgrath
    It is an exploit in one of your themes/plugins.

    Remove all iframe scripts, remove excess code in htaccess and take a look at Google Webmaster tools to see if they're reporting any suggestions.
    Signature
    Make an easy *$45* commission per sale... Promote a $67 product with 22% conversions!

    BIG $$$ with TedsWoodworking.com - *16,000* Woodworking Plans - Click For Affiliate Tools

    Other products: Ideas4Landscaping Landscaping Ideas - Landscaping Design
    {{ DiscussionBoard.errors[4471282].message }}
  • Profile picture of the author kaivearn
    I should shed some light into this as it has just happened to me. I changed my DNS to hostgator from my registrar (ziphosting.com.au) and this happened to me. Do note that if it was searchdiscovered it is HOSTGATOR'S OWN LANDING PAGE.
    From my chatlog with the hostgator representative:
    (02:59:47 AM) Alan Co: I'm checking into this and it looks like that searchdiscovered.com site is a landing page for our registrar, so it would show that sometimes until the domain has had time to propagate. Now that it's propagated, you won't have to worry about it.

    It is as user Richieh says. However, if it is searchdiscovery, that could be a problem.
    {{ DiscussionBoard.errors[4706489].message }}
  • Profile picture of the author harrietfredge
    If you are not able to visit those websites without being diverted to another website you likely have spyware / adware on your computer. Get a spyware removal program to clean your computer.
    Signature
    {{ DiscussionBoard.errors[4706503].message }}

Trending Topics