How are sites hijacked

Phoenix of Hamble

A thread in response to MOA Webmaster, Neil, and his request...

Neil, firstly, a magnanimous response.... and all put to right in my eyes.

Secondly... it's unlikely that Yahoo, Google etc. have been compromised in any way.... much more likely that the .org.uk/.org site (can't remember which one it was!) has been compromised, and with clever construction of the site, along with a good understanding of how Search Engines 'rank' sites, known colloquially as Search Engine Optimisation, that it has very rapidly risen to the number one spot.... this can happen surprisingly quickly, through targeted site construction, plus extensive use of techniques such as spamming links onto other sites.....

Hope that helps....
 
Not even overnight; it has changed in the last 5 minutes. I checked the Google link when I saw the thread, as I had used the site from home using a shortcut last night with no problems. My first attempt via Google this morning incurred the wrath of the corporate internet plods, but the second, some 5 minutes later, didn't.

Thus my supposition that someone is monkeying about with the Google search completely independent of the MOA admin.
 
Google takes me to the .org site; it still has a nasty on it referring to a trojan present - click here on Windows Security Centre to resolve. Don't do it!
 
Hi all

Thanks for all your thoughts, I am very grateful; please let me explain.

The way the .org.uk site works is like this:

There is a default.htm type file in the root of the site which is otherwise basically empty and only a holding site.

This file has a "behaviour" applied which automatically applies the command "Go to URL", which is the .net site.

It has been up for a couple of years and I still get about 200 referrals per week from old to new, so am reluctant to take it down. Maybe I should wipe the lot and allow a 404 error to defeat the robots? Certainly robots.txt won't work as an exclusion; they are much too clever for that...

I think I need to spend a bit more time on structure and less on content - which is much dearer to my heart! I should really put up the Google webmaster tools on the .net site to achieve a better referral rate from searches.

It is all time though......

Kindest

Neil

I still think it's a Yahoo / Google problem
 
I had a prob with www.corwen.co.uk which I host through fasthosts; some dirty [--word removed--] managed to get to the root and do the same thing on the fasthosts server. They couldn't figure out how they got there, but a change of password on the account and the FTP login stopped it. I suspect a brute force password guesser had got them in and then they put a forwarder on.
Stu
 
You probably get the referrals because the org site exists and comes up first. If it was scrapped then people would just use the net site. It doesn't matter if it is not first listed - people are looking for info not to buy anything.

I know nuffink really.
 
[ QUOTE ]
Neil,

You should be able to get this domain to point at the .net site at a Registry level, ie by managing the DNS record, rather than run an HTML redirect command.... less hassle, and then no site security issues to worry about either....


[/ QUOTE ] The best, most search-engine-friendly way is to use an .htaccess file in the web root with a 301 redirect.

Open a blank file in your favourite text editor and enter:

# Permanently (301) redirect every request on the old domain to the same path on the new one.
# FollowSymLinks is required by mod_rewrite when the rules live in .htaccess on many hosts.
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(.*)$ http://www.newdomain.com/$1 [R=301,L]

(REPLACE www.newdomain.com in the above code with your actual domain name)

Save the file as .htaccess (no file extension) and upload it to the web root (where you would put your default.html or index.html file).

Using META redirects can be penalised by Google.

As to how the site got infected - either the web server has been compromised or the owner of the domain has had his FTP password stolen by a trojan - I doubt if anything very mysterious is happening.

You should change your FTP password regularly and keep it in an encrypted database or file. If you use an FTP client that does not encrypt passwords (e.g. FileZilla) then the safest thing to do is to run it off a memory stick or other removable media and only have it connected when you need it.

As for the spoof antivirus product that this site invited you to download - it is a very difficult-to-remove virus, and if you do get it the only removal tool I have found effective is Malwarebytes Anti-Malware. (Google and download it if you think you might be infected.)

- W
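
As an added, illustrative example (not code from any post in this thread): a small Python checker that classifies how a page sends visitors elsewhere, distinguishing the server-side 301 that the .htaccess rule above produces from the client-side meta-refresh and JavaScript redirects that a "Go to URL" behaviour or an injected forwarder emits, and flagging any redirect whose destination host is not the one the site owner intended. The hostnames, sample responses and function names are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Client-side redirect patterns: a <meta http-equiv="refresh"> tag and the usual
# JavaScript forms (location = ..., location.href = ..., location.replace(...)).
META_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']'
    r'\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.IGNORECASE)
SCRIPT_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*'
    r'(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']', re.IGNORECASE)

def classify_redirect(status, headers, body, request_url):
    """Return (kind, absolute_target) or (None, None): 'server' for a 3xx with a
    Location header (what the .htaccess 301 rule produces), 'meta' for a refresh
    tag, 'script' for a JavaScript location change (a "Go to URL" behaviour)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "server", urljoin(request_url, hdrs["location"])
    for kind, pattern in (("meta", META_RE), ("script", SCRIPT_RE)):
        m = pattern.search(body)
        if m:
            return kind, urljoin(request_url, m.group(1))
    return None, None

def audit_redirect(status, headers, body, request_url, expected_host):
    """WARNING for a wrong destination host, NOTICE for a client-side redirect, else OK."""
    kind, target = classify_redirect(status, headers, body, request_url)
    if kind is None:
        return "OK: no redirect"
    host = (urlsplit(target).hostname or "").lower()
    if host != expected_host.lower():
        return f"WARNING: {kind} redirect to unexpected host {host} ({target})"
    if kind != "server":
        return f"NOTICE: {kind} redirect to {target} (prefer a server-side 301)"
    return f"OK: server-side redirect to {target}"

# Constructed sample responses (status, headers, body, requested URL), not real captures.
OLD = "http://www.example.org/"
GOOD = (301, {"Location": "http://www.example.net/"}, "", OLD)
META = (200, {"Content-Type": "text/html"}, '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://www.example.net/"></head></html>', OLD)
INJECTED = (200, {"Content-Type": "text/html"}, '<html><head><script>'
            'window.location.href="http://www.example.com/";</script></head></html>', OLD)

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("meta", META), ("injected", INJECTED)):
        print(name, "->", audit_redirect(*resp, "www.example.net"))
```

Run it periodically against the old domain's front page and alert on anything other than "OK"; a sudden switch from the expected server-side redirect to a script redirect elsewhere is exactly the symptom described in this thread.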
 
[ QUOTE ]
i suspect a brute force password guesser had got them in

[/ QUOTE ]
Unlikely if you created a strong password. More likely the web server has been compromised. I had a similar issue recently with one of the hosting platforms we use and was assured it was my security that was the problem. I knew it wasn't. Nonetheless I changed the passwords on about 40 sites and traced and cleaned all tampered files (15 hours' work) - then had the webhost confess that it was system-wide on that platform. A new security update has now been applied, but what a waste of time!

Strong passwords should be eight characters minimum, should not be dictionary words and should contain a mixture of upper and lower case letters (if on a Unix server) plus numbers and non-alphanumeric characters (e.g. %, $, etc.). If you follow these rules a 'brute force' cracking attempt is not going to produce any results.

- W
 
It had passed through my mind; however, have you ever dealt with fasthosts? The call centre is staffed with geeks who think customers are a bit of [--word removed--] and are as thick as..., IMHO of course; they are the most humourless peeps I have ever had the misfortune to deal with and I am convinced that they go on a course to dehumanize them before being let loose on us! So the very thought of admitting they may be wrong!!! naaaah!!
Must say it was very funny when they did get publicly breached a few years ago and they had to fess up; bet it really hurt them to do it! Was having some probs with them back in the 90s and went to check their limited co figures: they had over a million in the bank! Arrogant doesn't begin to describe them, IMHO of course. However in those days they were the only kids on the block and the thought of transferring all my domains now fills me with horror, so I put up with them.
Stu
 
You don't need to have malware on either computer to be compromised.

When you FTP, the password is sent openly (unencrypted) with the rest of the information. The password, along with the other information, goes through several computers (try traceroute) on its way from your computer to the server. It is simple enough for someone at any of those nodes to sniff and acquire passwords.

There is (obviously) a black market for these accounts.
 
Velly interesting! But, almost totally incomprehensible. It is about time that computers and the internet got into the real world and became properly engineered. Let's stick to boats - at least they generally do the job intended!
 
Yes I saw that, pity they didn't offer some dosh to their existing client base; of course they now have some serious competition.
Stu
 