Comments on: The website hack you’d never find

By: John Burns

John Burns — Wed, 11 May 2011 20:25:02 +0000

Hi, I am pretty sure I have this same hack. It is very tricky. I think it is on 3 of my websites. I clicked my link through google and was forwarded to an affiliate site for a competing company selling a similar product that I sell. I am willing to pay John Mu to do the research for me and find out. Everyone in my organization thinks I’m crazy and that it’s spyware on my computer. However, my buddy with a apple computer also searched on google and clicked through my link on google and ended up on the same redirected site, and he was using a Mac, I am on PC.

It doesn’t do it all the time, only some times. And it’s not currently doing it right now, but I have seen it happen on multiple occasions. Please contact me I am willing to hire you John Mu to take a look and try to help me prove my organization wrong. They are telling me that it is spyware on my PC(which it could be) but I am almost certain that the website is hacked. Please contact me.

By: Gray

Gray — Sun, 22 Mar 2009 21:51:31 +0000

Update: I recreated the redirect by browsing through a proxy. I notified my hosting company… sent them the transcript on this page for them to read, and told them to inspect the http.conf file and to look for rewrites. They emailed me back after an hour informing me that they had found the malicious code and removed it, also put measures in to stop it happening again. They were pretty shocked and surprised to say the least. So thankyou for taking the time and effort to post here what happened to you, allowing us to benefit from your experience.

By: Gray

Gray — Sun, 22 Mar 2009 12:16:11 +0000

I have a similar problem, noticed whenever I search google for my site form another computer I get this redirect to a lvhook.biz with an alert from avg about a trojan. Only once, then subsequent searches goes straight to my site. Is this code hidden on my page somewhere? I reported the problem to my host, but they could find no problem on the server. I’d already worked out it was the google referer that triggered this, and searching found this page. Great work by the way.

By: Hackers stealing your PageRank » johnmu.com

Hackers stealing your PageRank » johnmu.com — Sun, 07 Dec 2008 23:44:58 +0000

[...] last time I wrote about a hacked site, it was using a redirect that sent some users to a different site. This kind of hack is pretty [...]

By: Ben LaGrone

Ben LaGrone — Sat, 04 Oct 2008 23:27:07 +0000

I found that some of the sites like this often deploy a cookie the first time you visit, then change it on a later visit. The contents of the cookie determine where they will redirect you.

My impression was that their intent was to get their money by redirecting click traffic, and then using the virus page to scare away curious return snoopers.

I also found the Microsoft Spam Double Funnel paper to be useful information http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=1269.

By: Rob Chansky

Rob Chansky — Tue, 30 Sep 2008 22:36:57 +0000

Oh crap. I’ve been hacked by this.

I was redirected to this page by a buddy of mine when I mentioned the problem I was having. A few months ago my site stats reported a 90% drop in hits which have all turned into 302 temporary redirect messages.

What can I do to get rid of this??

By: Ben LaGrone

Ben LaGrone — Mon, 28 Apr 2008 17:23:57 +0000

John,

BTW I’ve found Fiddler very useful, but have hit a brick wall.

By: Ben LaGrone

Ben LaGrone — Mon, 28 Apr 2008 17:22:21 +0000

Hi John,

I’m trying to solve a similar mystery. Can I PM you the URL and see if you have any ideas. I’m trying to trace a cloaked redirect…

By: Tristan

Tristan — Sat, 01 Mar 2008 04:01:44 +0000

Great project!! You should be on google payrole!

John: “That could be a security issue in Firefox” :- given this would you recommend staying with Internet Explorer / Other for security reasons? I was considering Firefox due to repeated “IE not responding”.

Do you think the antivirus advert (hidden hack redirect) was a joke or a moneyspinner or both?

BTW FYI I found this page after visiting http://groups.google.com/group/Google_Webmaster_Help-Requests/browse_thread/thread/3238914c52ff7b18/3f4de587650273fc

After an AVG activex thing popped up in ie7 while visiting a christianity page. I clicked no. Did that mean the page was triggering AVG or a virus pretending to? I ran AVG afterwards and it found a “virus identified exploit.ANI” in my temp. Did I prevent the virus spreading out of temp by clicking NO on the ActiveX request or prevent AVG catching it? What use is the thing in temp anyway?

Just curious (re:spam protection on this page).. Sum of 7 + 4.. can see how me typing in 11 would partially suggest I was a human; but as 11 is allready show in the field does this mean SHOWING question is redundant? My guess is prob’ no, but I’m so curious

Brilliant work btw.. Tris.

By: mrg

mrg — Tue, 04 Sep 2007 17:51:21 +0000

Adding a little… You don’t need to use a proxy if you are on windows. Back when we looked at the other hacked site with this same exploit all I had to do was to repair the connection to get a new IP address. And every time after that, when checking LiveHTTPHeaders it triggered the 302.

By: » Show heute fällt leider aus | seoFM - der erste deutsche PodCast für SEOs und Online-Marketer

Tue, 28 Aug 2007 14:32:37 +0000

[...] Der wohl sneaky-ste Website Hack bislang [...]

By: Richard Hearne

Richard Hearne — Sun, 26 Aug 2007 10:33:58 +0000

Indeed rather scary stuff. Possibly one of the nastier exploits I’ve heard of recently.

I think tracking down the aff codes might help – removing some of the financial gain would be a start. I’m sure the installed payload is also just as nasty given the lengths the hackers have gone to…

By: John Mueller

John Mueller — Fri, 24 Aug 2007 11:01:48 +0000

Good, then it’s not that bad *big sigh of relief*

By: Patrick Altoft

Patrick Altoft — Fri, 24 Aug 2007 11:00:04 +0000

I do use FF. It does just show the persons name at the top of the page.

By: John Mueller

John Mueller — Fri, 24 Aug 2007 10:57:42 +0000

I tried Netvibes – you don’t get redirected, but you see a part of the content here on their page (at least that’s what I see). I see the name of the person from the original posting on the netvibes page and then this blog entry opens up in a separate window. Maybe I was a bit too sneaky for my own good, I hid that name from indexing by using javascript to display it (so that this page doesn’t rank for his name). Apparently that javascript snippet is executed on the old page, before the redirect to the new window takes place. That could be a security issue in Firefox… (did you use Firefox as well?)