Geekzone: technology news, blogs, forums
xpd



Chief Trash Bandit
9138 posts

Uber Geek
+1 received by user: 1436

Mod Emeritus
Trusted
Lifetime subscriber

Topic # 94131 6-Dec-2011 21:10

My website recently got "infected" with some dodgy code from a theme or plugin I installed (WordPress), which was causing some users to be redirected to dodgy .ru sites. However, I could browse all my site without issue and could not locate any dodgy code.

In the end I blew it all away and started afresh. Even recreated the database from scratch.

All seemed well until about an hour ago when my wife tried to visit my site via a link I posted on Facebook, and she started getting the Google/Firefox malicious website warning - but the URL showing was not mine. She typed my website directly into the address bar and got the same message.

I used CCleaner to flush out any crap temp files etc. and ran a full virus scan - now she can go to my site directly, but using links, she gets the warnings again.

A friend on Twitter tried for me also on his Mac - Firefox gave the warning page. Safari on his Mac and iPad did not have any issues.

Yet this whole time I've been browsing the site via direct connections and via links on Firefox with no problem.

I've checked my DNS records etc. and they're all pointing to the correct servers and hosts.

I can't work out why some people's browsers are reporting my site as malicious.... I could say it's Facebook's linking that's the issue, but my friend wasn't using their links......

Any ideas where to look? Or should I just ignore it and hope it goes away over the next few days.....




XPD / Gavin / DemiseNZ

 

Server : i3-3240 @ 3.40GHz  16GB RAM  Win 10 Pro    Workstation : i5-xxxx @ x.xxGHz  16GB RAM  Win 10 pro    Console : Xbox One

 

https://www.xpd.co.nz - Games, geeks, and more.    


4474 posts

Uber Geek
+1 received by user: 849

Trusted
Lifetime subscriber

  Reply # 554710 6-Dec-2011 21:44

This is what I got from Chrome. Nothing came up if I open it with Opera (not directed anywhere).






2683 posts

Uber Geek
+1 received by user: 225

Trusted

  Reply # 554716 6-Dec-2011 21:47

No problems on Safari on my iPhone.




Check out my LPFM Radio Station at www.thecheese.co.nz cool


 
 
 
 


2356 posts

Uber Geek
+1 received by user: 374

Trusted

  Reply # 554717 6-Dec-2011 21:49

Something is still infecting it..

I went to the website 1st and it opened correctly..

The 2nd time (and random times) it redirects to: http://(removed).ru/earch/index.php (which doesn't exist)

Still looking ..




1801 posts

Uber Geek
+1 received by user: 451

Lifetime subscriber

  Reply # 554719 6-Dec-2011 21:56

Google Safe Browsing says there was a problem where your site was an intermediary on 29/11/11 but not when last tested on 1/12/11.
http://www.google.com/safebrowsing/diagnostic?site=http://www.xpd.co.nz/

I checked your site with online virus scanners (urlvoid.com, vscan.urlvoid.com, virustotal.com, myWOT.com) No negatives.

Best Free Internet Safety Check provides reviews of similar free products.




Survival of the fittest • 68kg HP Color LaserJet behemoth • 38kg HP Color LaserJet giant • 82kg HP Netserver leviathan - Extinct 2015 • 61kg HP Netserver brontosaurus - Extinct 2010 • 32kg Compaq Proliant goliath - Extinct 2010 • 31kg 21" IBM CRT gargantua - Extinct 2010


597 posts

Ultimate Geek
+1 received by user: 98


  Reply # 554720 6-Dec-2011 22:01

LennonNZ: Something is still infecting it..

I went to the website 1st and it opened correctly..

The 2nd time (and random times) it redirects to: http://(removed).ru/earch/index.php (which doesn't exist)

Still looking ..


Seeing this too. My first guess would be that it's being called from a .js file or infected plugin *somewhere* and the actual call is obfuscated.

Next step would be to analyse the site with Firebug. Disable ALL WP plugins and turn them back on one at a time until you find the culprit.
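To shortlist which files are worth opening in Firebug before the plugin-by-plugin bisect, as an added example that is not from the thread or from WordPress: a Python scanner with a constructed rule set (RULES, scan_tree and build_sample_tree are all assumptions of this example) that walks an install for the obfuscation patterns injected code tends to rely on, run here over a constructed two-file tree.

```python
import os
import re
import tempfile

# Constructed rule set for this example (not from any named scanner): patterns that
# injected code in theme/plugin files commonly relies on. Minified libraries can trip it.
RULES = [
    ("eval-of-decoded-string",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("js-eval-of-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("long-base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("variable-function-call", re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*\s*\)")),
]


def scan_text(text):
    """Return the names of the rules that match the given file contents."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_tree(root, exts=(".php", ".js")):
    """Walk an install and return {relative_path: [rule names]} for matching files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    matched = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole walk
            if matched:
                hits[os.path.relpath(full, root)] = matched
    return hits


def build_sample_tree():
    """Constructed mini wp-content tree: a clean plugin plus a theme footer carrying an
    injected eval(base64_decode(...)) line. Returns the tree's root directory."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    clean = os.path.join(root, "plugins", "clean-plugin")
    bad = os.path.join(root, "themes", "dodgy-theme")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "clean-plugin.php"), "w") as fh:
        fh.write("<?php\nfunction clean_plugin_init() {\n    add_action('init', 'clean_plugin_run');\n}\n")
    blob = "QUJD" * 40  # 160-char base64 literal; decodes to harmless repeated 'ABC'
    with open(os.path.join(bad, "footer.php"), "w") as fh:
        fh.write('<?php\n/* theme footer */\n$p = "' + blob + '";\neval(base64_decode($p));\n')
    return root
```

Point scan_tree at the real wp-content directory to get the shortlist; the files it names are the ones to diff against a fresh copy of the theme or plugin.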

2356 posts

Uber Geek
+1 received by user: 374

Trusted

  Reply # 554724 6-Dec-2011 22:05

It may not be affected now, but yes, it was.

If you search on Google for your domain, it redirects you to the .ru site; going directly it doesn't, so probably Google has cached the incorrect data. Go to www.google.com/webmaster and remove the incorrect stuff from their cache.

1801 posts

Uber Geek
+1 received by user: 451

Lifetime subscriber

  Reply # 554728 6-Dec-2011 22:14

Nice, I haven't seen DNS cache poisoning for a while. But at least you won't be rebuilding your site again.

Edit: I should have added I only got a problem after I Googled your site.






xpd



Chief Trash Bandit
9138 posts

Uber Geek
+1 received by user: 1436

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 554736 6-Dec-2011 22:35

Thanks guys, will see how I go :)






299 posts

Ultimate Geek
+1 received by user: 1


  Reply # 554748 6-Dec-2011 22:51

You can try these to scan for any issues that the site may have:

http://www.websitedefender.com/

http://www.unmaskparasites.com/

If you think it's clean then you can request a malware review via Google Webmaster Tools: https://www.google.com/support/webmasters/bin/answer.py?answer=168328


I've had similar problems with WordPress websites in the past and have managed to clean them up and get them reviewed by Google.  PM me if you need any further assistance as I'd be happy to help out.




Red Jet Web Services
- Affordable websites for small businesses
- Google Email setup and Migrations

272 posts

Ultimate Geek
+1 received by user: 13


  Reply # 554794 7-Dec-2011 06:02

Checked on IE9 and ok.

xpd



Chief Trash Bandit
9138 posts

Uber Geek
+1 received by user: 1436

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 555426 8-Dec-2011 12:52

Still getting the warning message at random..... bloody frustrating.

Edit: And just as I posted that, I think I found the culprit... will soon see :)
 






xpd



Chief Trash Bandit
9138 posts

Uber Geek
+1 received by user: 1436

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 556650 11-Dec-2011 17:14

Oh FFS.... Chrome / Firefox are starting to show the same message again, yet I've removed the offending link (and this is after blowing away my entire site and starting again).

But when I visit Google Webmaster Tools, it says my site isn't being reported for anything, and the last time Website Defender found anything was on Wednesday (which is when I removed the offender) and nothing since... so WTF......

This is doing my head in..........






21607 posts

Uber Geek
+1 received by user: 4429

Trusted
Subscriber

  Reply # 556659 11-Dec-2011 18:15

What do the headers show when it redirects?




Richard rich.ms
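One way to answer this question, and to reproduce the "only when you arrive from Google" behaviour reported earlier in the thread, as an added example that is not from the thread: a Python probe that requests the site once per Referer/User-Agent variant without following redirects and reports which variants got a 3xx that the direct request did not. PROBES, probe and conditional_redirects are assumptions of this example; fake_fetch and the .invalid hostnames are constructed so the block runs offline, and http_fetch is the real fetcher for a site you administer.

```python
import urllib.error
import urllib.request

# Header variants to probe. Referrer-keyed malware typically redirects only visitors
# arriving from search engines or social links, so a direct request looks clean.
PROBES = [
    ("direct", {}),
    ("from-google", {"Referer": "https://www.google.com/search?q=site+name"}),
    ("from-facebook", {"Referer": "https://www.facebook.com/"}),
    ("googlebot-ua", {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Real fetcher: one request, returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx once redirects are not followed
        return err.code, err.headers.get("Location")


def probe(url, fetch=http_fetch):
    """Request url once per variant; returns {probe_name: (status, location)}."""
    return {name: fetch(url, hdrs) for name, hdrs in PROBES}


def conditional_redirects(results):
    """Probe names that were redirected while the direct request was not:
    the signature of a conditional (referrer- or UA-keyed) redirect."""
    direct_status, _ = results["direct"]
    if 300 <= direct_status < 400:
        return []  # site redirects everyone (e.g. http -> https); nothing conditional here
    return [n for n, (st, loc) in results.items() if 300 <= st < 400 and loc]


def fake_fetch(url, headers):
    """Constructed stand-in for http_fetch mimicking the infected site in this thread:
    a 302 to an off-site URL only when the Referer is a Google search."""
    if "google.com/search" in headers.get("Referer", ""):
        return 302, "http://removed-host.invalid/earch/index.php"
    return 200, None
```

Run probe("https://your-site/") with the default http_fetch and compare the Location values across variants; a redirect that appears only for the search-referrer variant is served by the site itself, not by the visitor's DNS.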

1801 posts

Uber Geek
+1 received by user: 451

Lifetime subscriber

  Reply # 556670 11-Dec-2011 18:47

If it is DNS cache poisoning your DNS address has been spoofed in the DNS cache of a DNS resolver and/or the authoritative server for your domain name. There is usually nothing on your website to cause it or to show that it is happening.

On your site, what happened to me was that when I went to your URL directly I didn't have a problem, but when I did a web search using Google then I was redirected. Once my system got incorrect DNS info from the poisoned cache, then any further DNS queries to that site will be resolved from their system/browser DNS cache.

To get rid of the problem, the poisoned cache entries need to be populated with the correct info. I understand that your authoritative name server can initiate that.






xpd



Chief Trash Bandit
9138 posts

Uber Geek
+1 received by user: 1436

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 556675 11-Dec-2011 18:59

Cheers, will go through the info provided.... just hasn't been my week :)





