Hi
Look at your source and see if you can find <iframe> tags in it with a value of 1 that links to the search site.
Kraai
56
Senior Poster
Featured Poster
genevish
-2
Junior Poster in Training
I posted a link to my personal website on Facebook. When I click the link to verify it works, I get a message from Safari saying the site I'm trying to visit may be hosting malware. The site it refers to is search-box.in, which is NOT my site. Does anyone know why I would be getting this? (I don't get the message if I visit my site directly).
I can't find a link to this URL in any site. I checked Facebook, and my site (http://www.genevish.org/movies/Vacation/). Facebook has a redirect to facebook.com/search.php, but I don't see a reference to that URL there either. The DNS entries for that URL show it's in Russia, which makes me suspicious (in addition to the warning from Safari). Mostly I just don't want anyone else to get directed to that site.
genevish
-2
Junior Poster in Training
OK, I did a little more digging. This seems to be a XSS attack that only happens when I'm signed into Google. I don't really know a lot about these attacks. Is it my problem, Googles problem, Facebooks problem...? Is it something I can fix?
Kraai
56
Senior Poster
Featured Poster
I had a look around the interwebs, and it seems that this search-box.in is a known malicious site. It does seems that your site may be hacked, in such a way, that it only redirect when the face book url is the referer. Please check your .htaccess file for any redirects to search-box.in
Edit: You may also want to scan your computer for malware/trojans/etc and change all passwords
genevish
-2
Junior Poster in Training
Yes, a .htaccess file was added with these redirects. I'm working with my hosting providers support desk to figure this out. Grrr...
Kraai
56
Senior Poster
Featured Poster
Good, at least you found the problem. Now, best is to delete that .htaccess file if it is not one you are using yourself. Also, you have to scan your computer for nasties, and make sure you change all your passwords, like the pass to root, ftp, admin, emails, everywhere, even banking accounts.
Looking at the logs, you or your host should be able to see how access was accomplished. Normaly, a site is vulnurable thru 3rd party plugins, so make sure you also plug those holes.
genevish
-2
Junior Poster in Training
We have a Wordpress site installed, which had a number of out of date plugins. I suspect that was the source of the changed .htaccess (I see many discussion posts about this same type of problem). I updated the plugins, and Wordpress itself (and changed all passwords).
Kraai
56
Senior Poster
Featured Poster
Yes, that is correct. Normally wordpress gets updated, but the plugins not, I think we all make that mistake some time or another.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.