Wednesday, February 15, 2012

Malicious poisoned redirects in Google search results

This morning I did a Google search for "free psd web button". I clicked on the third result, which links to http://www.sharkwebstyle.com/2011/07/80-prefect-free-photoshop-web-buttons-psd/.
However, upon clicking on this third result, I was automatically taken to the Russian site http://uaroyalys.ru/industry/index.php, which is clearly not the correct location and is apparently an attempt to redirect me to some sort of malicious site (I don't recommend you try to visit this site). Thankfully, I had ScriptNo for Chrome and NoScript for Firefox, so the site didn't do anything, and it wasn't able to reach its dirty tentacles into my machine (I hope).

I originally discovered the malicious redirect on a Windows machine, and I immediately assumed that the machine must somehow be infected. I switched over to a Mac machine and discovered the same malady, suggesting that the malicious redirect originates on the server side and not on my side.

What's unclear is whether this is the fault of the target (SharkWebstyle perhaps compromised via an XSS attack) or of poisoned Google search results. What's frustrating is that most unsuspecting users are doing these types of web searches all the time and clicking on tons of links. Most are using Internet Explorer or another browser with scripting (JavaScript) fully enabled. Since most infections are launched via some sort of scripting on web sites, it is recommended to use an add-on (such as ScriptNo for Chrome or NoScript for Firefox) that only allows scripting in your web browser for sites that you explicitly allow. It makes me sick to my stomach to think of a friend or family member getting infected with some type of malware served up by Google's own search results. Be safe, folks!

UPDATE (2/15/12): It appears that this was most likely the result of a compromised WordPress installation (most likely through a maliciously modified .htaccess file). Older versions of WordPress can be susceptible to attacks. If you self-host your WordPress site, you need to make sure you update to the latest version and change the passwords for your web host account, FTP, and MySQL database. Check this link if you think you might be compromised. You can also check your site to see if it is infected with any known malicious code at Sucuri SiteCheck.

UPDATE (3/3/12): I received a note from the site administrators at Sharkwebstyle that said, "We encountered a problem with a vulnerability in timthumb script used in our WordPress theme, and that vulnerability can change the .htaccess file content, so that's why there was a redirection to other website." Here are some technical details about the TimThumb WordPress vulnerability and hack.
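The two updates above point at the same artifact: a modified .htaccess that sends visitors elsewhere. A quick way to check your own site is to read the file and flag any rewrite or error-document rule whose target is a host you do not own, especially when the rule is conditioned on the HTTP referrer (which is what makes the redirect show up only when arriving from a search result, as described at the top of the post). The script below is an added example written for this post, not code from the blog author, Sharkwebstyle, or WordPress. It assumes the injected block takes the common referrer-conditioned RewriteRule form; the sample .htaccess is constructed inline, and the redirect host in it is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: the stock WordPress block followed by an
# injected block of the kind the post describes. The target host below is
# a placeholder (.invalid TLD), not a real domain from the post.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect-target.invalid/index.php [R=301,L]
ErrorDocument 404 http://redirect-target.invalid/404.php
"""

# Substrings that, in a referrer condition, suggest a search-engine-only
# redirect (the visitor sees it, the site owner browsing directly does not).
SEARCH_ENGINE_HINTS = ("google", "bing", "yahoo", "yandex", "msn", "live.com")


def _external_host(target, site_hosts):
    """Return the host of an absolute http(s) URL that is not one of ours, else None."""
    parsed = urlparse(target.strip('"'))
    if parsed.scheme not in ("http", "https"):
        return None  # relative path, '-' passthrough, or not a URL at all
    host = parsed.netloc.lower()
    return None if host in site_hosts else host


def analyze_htaccess(text, site_hosts):
    """Scan .htaccess text; return [(line_number, reason)] for redirects to foreign hosts."""
    site_hosts = {h.lower() for h in site_hosts}
    findings = []
    pending_conds = []  # RewriteCond lines waiting for the RewriteRule that uses them
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        target = parts[2] if len(parts) > 2 else ""

        if directive == "rewritecond":
            pending_conds.append((lineno, line))
            continue

        if directive == "rewriterule":
            host = _external_host(target, site_hosts)
            if host:
                referrer_lines = [n for n, c in pending_conds if "HTTP_REFERER" in c.upper()]
                names_engine = any(
                    hint in c.lower() for _, c in pending_conds for hint in SEARCH_ENGINE_HINTS
                )
                reason = "RewriteRule redirects to external host " + host
                if referrer_lines:
                    reason += " conditioned on HTTP_REFERER at line(s) " + ",".join(
                        str(n) for n in referrer_lines
                    )
                if names_engine:
                    reason += " (referrer condition names a search engine)"
                findings.append((lineno, reason))
            pending_conds = []  # a RewriteRule consumes the conditions above it
            continue

        if directive == "errordocument":
            host = _external_host(target, site_hosts)
            if host:
                findings.append((lineno, "ErrorDocument sends visitors to external host " + host))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_HTACCESS with open("/path/to/.htaccess").read() for a real check.
    for n, why in analyze_htaccess(SAMPLE_HTACCESS, {"www.example.com", "example.com"}):
        print(f"line {n}: {why}")
```

The stock WordPress block produces no findings because its targets are `-` and a site-relative path; the injected block is reported twice, once for the referrer-conditioned RewriteRule and once for the ErrorDocument pointing off-site. Cleaning the file is only the first step: as the comments below note, the same write access that altered .htaccess usually left other files behind, so the theme, uploads, and any cache directories need the same scrutiny, and hosting, FTP, and database credentials should be rotated.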

8 comments:

  1. I've been troubleshooting a couple of these this morning (2/15/12), and it is server side. An injected bit of code into the server's .htaccess, it would seem.
  2. I have the same problem with my website and I don't know what to do. www.super8monamour.com :-(

    But when I use http://super8monamour.com, it works!

    F****** S***

    Guillaume from France
  3. thatedeguy, were you able to figure out the source of the problem and how to fix it?
  4. Hi Brian, my WordPress website gets redirected to this Russian site. I can't even Google my own site anymore because it shows up as this malicious site. Please help!
  5. I called my "hosting society". The problem is that my .htaccess file was modified. So, I have to delete the code or replace it with the right code. When Google's robots index my website again, it will probably work...

    Guillaume from France
  6. I just experienced this nightmare myself. In my instance it was related to a TimThumb (thumb.php) vulnerability in which the vandal was able to insert PHP code into the appearance editor by stashing files in the cache (on the theme root). I deleted all cache files, backed up my theme files to my desktop, deleted my theme from the server and reinstalled a new theme zip file from within WP. So far, so good... (By the way, I had multiple websites in my domain hosting and it nailed all of them... so I had to repeat this process until everything was clean.)
  7. When I click on my club's home site I am redirected to a Russian site (supa2012). I'm using Linux Ubuntu and on my other PC with W7 the problem is the same. What shall I do? I'm not familiar with computers. Thanks in advance. Anette
  8. Anonymous/Anette, sounds like whoever runs your club's web site needs to dig a little deeper to remove the infection/malicious redirect.