Website Hijacked?!?!?! How is this even possible?

20 replies
  • SEO
  • |
I have a client who we built a website for a couple months back. A couple weeks ago she emailed me a "phishing notification" that she was sent, but when I reviewed the email, the links were invalid, nobody answered at the number provided and my designer and I went through the website code and found no trace of anything that wasn't supposed to be there. So I disregarded it.

Today, my client called me and said that one of her venders contacted her and said that when she tried going to her website through Google she was directed to an adfly website. So I checked, and sure enough, when you Google her website (same result for Yahoo) and click on the link it forwards you to this an adfly site: AdF.ly - shrink your URLs and get paid!

How is this even possible? When I type in the website manually in the browser I still go directly to the website. What is going on?

I contacted the host, host says try refreshing DNS/Nameservers. Which I did, but still not helping.

I am really stumped here. My programmer is stumped. There is nothing wrong with the website code, client even shows up on the first page for her kw's. But when you click on her listing it now redirects to that adfly site.

Has anyone had experience with this? How can I fix this?
#hijacked #website
  • Profile picture of the author Matt Lee
    Anyone? Advice? :confused:
    Signature
    "One of the Most Successful Offline WSO's Ever!
    Get More High $$$ Clients with this Small Business Marketing PLR Magazine
    {{ DiscussionBoard.errors[6343274].message }}
  • Profile picture of the author CyberAlien
    Check the htaccess file and make sure there isn't any code redirecting Google referrals to adfly.

    Also, download all the files and do a mass search on all of them with notepad++ for the term: adfly.com
    {{ DiscussionBoard.errors[6343287].message }}
    • Profile picture of the author Matt Lee
      Originally Posted by Chase Watts View Post

      Check the htaccess file and make sure there isn't any code redirecting Google referrals to adfly.

      Also, download all the files and do a mass search on all of them with notepad++ for the term: adfly.com
      Done & Done. I combed through the website, my programmer combed through the website, and even the hosting tech support guy searched through the code for about a half hour. Everyone I talked to was very eager to help, but nothing has been effective.

      I guess I could take a look at the site offline and look again. You're right, I'd rather be absolutely sure. But even the hosting tech said that there is nothing that is redirecting. PLUS it only happens to people coming through Google/Yahoo/Bing If you go directly to the domain, it works fine.
      Signature
      "One of the Most Successful Offline WSO's Ever!
      Get More High $$$ Clients with this Small Business Marketing PLR Magazine
      {{ DiscussionBoard.errors[6343333].message }}
  • Profile picture of the author CyberAlien
    When you view it through Google cache is it showing your website or the adfly site?
    {{ DiscussionBoard.errors[6343358].message }}
    • Profile picture of the author Matt Lee
      Originally Posted by Chase Watts View Post

      When you view it through Google cache is it showing your website or the adfly site?
      I'm not sure I know what you mean... When I search for my client using the search, when I click on the link in the search result, I am redirected to adfly.

      When I go directly to the browser and type in the domain, I am taken directly to the site as normal. I know... This is crazy. I even managed to find a number to Google Support, but needless to say every extension I tried I ended up on hold indefinitely.
      Signature
      "One of the Most Successful Offline WSO's Ever!
      Get More High $$$ Clients with this Small Business Marketing PLR Magazine
      {{ DiscussionBoard.errors[6343373].message }}
  • Profile picture of the author tech84
    Check the htacess, if you are using wordpress, it could be from the theme. This has happened to me before from a downloaded theme. (hidden links that show up only if it google that's visiting your site) usually I found mine on the functions.php file.

    You might wanna search for a code that something similar to this:

    <?PHP if(stripos($_SERVER['HTTP_USER_AGENT'], "google") === false) { ?>

    // this is seen by the regular users

    <?PHP } else { ?>

    // this is seen only by google spider

    <?PHP } ?>
    {{ DiscussionBoard.errors[6343537].message }}
  • Profile picture of the author SuzanneH
    The host and programmer are wrong. In addition to what everyone else is saying, check for obfuscated code.

    If your client has money, I've heard good things about these guys: Malware Removal

    Suzanne
    {{ DiscussionBoard.errors[6343564].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by SuzanneH View Post

      The host and programmer are wrong. In addition to what everyone else is saying, check for obfuscated code.

      If your client has money, I've heard good things about these guys: Malware Removal

      Suzanne
      If you don't go the route Suzanne suggested,

      1. Try using firefox with the httpfox plugin to see what's going on (where the switcharoo is coming from.
      2. Look carefully at your settings at your registrar.
      3. switch to different nameservers
      4. clone the account or recreate a mini clone from scratch at a different webhost like hostgator (or a new hostgator account if it's already there) as a possible temporary or permanent fix
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[6395147].message }}
  • Profile picture of the author SuzanneH
    For the obfuscated code, look for something like: eval(base64_decode( and then a ton of characters.

    Here's a link that explains what's happening: Google says my site is redirecting to a malicious site, but it seems to work fine? Conditional hacks

    Suzanne
    {{ DiscussionBoard.errors[6343584].message }}
  • Profile picture of the author traveltext
    Of course you can always restore the site from your backup.
    {{ DiscussionBoard.errors[6343716].message }}
  • Profile picture of the author Matt Lee
    Thanks for your input, it's appreciated. I will definitely take a closer look. I just don't understand how it got there in the first place. It's not a theme, the site IS wordpress but built from scratch. But then again I didn't code it, so there could be snipets of code from other sites.
    Signature
    "One of the Most Successful Offline WSO's Ever!
    Get More High $$$ Clients with this Small Business Marketing PLR Magazine
    {{ DiscussionBoard.errors[6344732].message }}
  • Profile picture of the author danb12
    View your website thu a text viewer.

    A hacker can put a meta refresh at the top of your high traffic site without you even knowing.. earn from the ads, then redirect the user back to your site.

    fix it quick, it could damage your SEO bad.

    Your local browser will save the history, so you may not get redirected to the ad site if you go straight to it via firefox etc...
    Signature
    UK Coupon Website PR1 making £300+ per month - QUICK SALE - CHEAP SALE - CONTACT ME
    {{ DiscussionBoard.errors[6345479].message }}
  • Profile picture of the author daddykool
    There are a flurry of WP hacks going round at the mo, mostly from 2 14 year olds!

    Try to recompile the code/WP folders onto a new kernel on a different host to see if it is the same, check the kernel version on the shared hosting where it is now, also NEVER EVER use a default WP setup out the box, regardless of time, ALWAYS use a massive 16+ character login for admin and password, then shorten it for the actual user name that posts.

    Make sure that there is a blank index.php file in every folder.
    Signature
    LAUNCHING VERY SOON > PRE-REGISTER NOW FOR A WSO THAT EVERY WARRIOR NEW & OLD CAN MAKE $$$ FROM! LIMITED PRE-LAUNCH SPACES - PM or email: JVSuperstars@gmx.com TO RESERVE A PLACE & LOCK IN A SUPER LOW LIFETIME PRICE! *** NEVER TO BE REPEATED PRICE ONLY AVAILABLE ON THE WARRIOR FORUM & OUR VERIFIED JV AFFILIATE PROVIDERS! ***
    {{ DiscussionBoard.errors[6345523].message }}
  • Profile picture of the author Matt Lee
    So should I pull the site down until this gets sorted out? I know that can have some serious repercussions, but so can leaving it up. Man, this is a pain! Thanks everyone for your suggestions.
    Signature
    "One of the Most Successful Offline WSO's Ever!
    Get More High $$$ Clients with this Small Business Marketing PLR Magazine
    {{ DiscussionBoard.errors[6346505].message }}
  • Profile picture of the author yukon
    Banned
    OP, why the heck did you post that live link here?

    All that guy has do is check his stats. & find your forum post, the link, & everything you plan on doing to fix the problem.
    {{ DiscussionBoard.errors[6395166].message }}
  • Profile picture of the author JohnnyDeez
    I second the option of restoring the site from backup if you absolutely cannot resolve this. You should be able to pick a date far enough back that the problem get's erased.

    Then you need to figure out where the hole was.

    If you're on WordPress, you can also replace the core files (have your programmer do this). Lastly, if you need an A++ programmer to figure it out, look for someone on Odesk in the $80 - $100 per hour range who has experience with this. $200 bucks should fix the problem that way. Good luck! I've had clients get hacked before, NO FUN!
    Signature

    Software Development Tips for Internet Entrepreneurs: What The Dev

    {{ DiscussionBoard.errors[6400714].message }}
  • Profile picture of the author modrewrite
    I tried to PM you but I am too new on this forum and was not able to send private messages yet.

    Are you still having problems with this? I recently dealt with this exact same problem and would be happy to help
    {{ DiscussionBoard.errors[6431589].message }}
  • Profile picture of the author Dentist
    I am not in your case that is a malware or not. We had an authority website with malware that drove us crazy. We checked everything and none of them worked. Long story short after several months of losing business due to our blog pages re-directing to other pages and getting band by webmaster tools twice, we got the premium service of Sucuri and they removed it. Although they did a great job in removing the malware and even with after malware removal instruction we still get malware once in a while, nevertheless because of their automatic checking service, we get the malware removed before it hurts the rankings, etc. by them.
    It seems the problem is with our hosting and it kind of gets back every once in a while but so far we have managed to do damage control that way...
    I know how frustrating that could be so I hope this helps...
    {{ DiscussionBoard.errors[6432279].message }}
    • Profile picture of the author RobinInTexas
      Originally Posted by Dentist View Post

      It seems the problem is with our hosting and it kind of gets back every once in a while but so far we have managed to do damage control that way...
      ...
      Nearly any site can be relocated to a new host in 20 minutes (for wordpress), or a couple of hours at worst for other sites.
      Signature

      Robin



      ...Even if you're on the right track, you'll get run over if you just set there.
      {{ DiscussionBoard.errors[6459082].message }}

Trending Topics