Hack attempt?
Hi
Look at your source and see if you can find tags in it with a value of 1 that links to the search site.
Kraai
Senior Poster
3,981 posts since Feb 2008
Reputation Points: 76
Solved Threads: 87
I posted a link to my personal website on Facebook. When I click the link to verify it works, I get a message from Safari saying the site I'm trying to visit may be hosting malware. The site it refers to is search-box.in, which is NOT my site. Does anyone know why I would be getting this? (I don't get the message if I visit my site directly).
I can't find a link to this URL in any site. I checked Facebook, and my site ( http://www.genevish.org/movies/Vacation/ ). Facebook has a redirect to facebook.com/search.php, but I don't see a reference to that URL there either. The DNS entries for that URL show it's in Russia, which makes me suspicious (in addition to the warning from Safari). Mostly I just don't want anyone else to get directed to that site.
genevish
Junior Poster in Training
64 posts since Apr 2010
Reputation Points: 9
Solved Threads: 12
OK, I did a little more digging. This seems to be an XSS attack that only happens when I'm signed into Google. I don't really know a lot about these attacks. Is it my problem, Google's problem, Facebook's problem...? Is it something I can fix?
genevish
I had a look around the interwebs, and it seems that this search-box.in is a known malicious site. It does seem that your site may be hacked, in such a way that it only redirects when the Facebook URL is the referer. Please check your .htaccess file for any redirects to search-box.in
Edit: You may also want to scan your computer for malware/trojans/etc and change all passwords
Kraai
Yes, a .htaccess file was added with these redirects. I'm working with my hosting provider's support desk to figure this out. Grrr...
genevish
Good, at least you found the problem. Now, best is to delete that .htaccess file if it is not one you are using yourself. Also, you have to scan your computer for nasties, and make sure you change all your passwords, like the pass to root, ftp, admin, emails, everywhere, even banking accounts.
Looking at the logs, you or your host should be able to see how access was accomplished. Normally, a site is vulnerable thru 3rd party plugins, so make sure you also plug those holes.
Kraai
We have a WordPress site installed, which had a number of out-of-date plugins. I suspect that was the source of the changed .htaccess (I see many discussion posts about this same type of problem). I updated the plugins, and WordPress itself (and changed all passwords).
genevish
Yes, that is correct. Normally WordPress gets updated, but the plugins are not. I think we all make that mistake some time or another.
Kraai
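The .htaccess check suggested in the thread, as an added example that is not from any of the posters: a small Python scanner that flags redirect directives pointing off-site, with a separate label for rules gated on the Referer header. The sample file and the host redirect-target.example are constructed, since the thread does not show the injected rules; `scan_htaccess` and `own_hosts` are names chosen for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a tampered .htaccess (not the file from the thread).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*facebook.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.* [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]
Redirect 301 /old-page http://www.genevish.org/movies/
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
REDIRECTING = ("rewriterule", "redirect", "redirectmatch", "errordocument")

def scan_htaccess(text, own_hosts):
    """Return (line_no, reason, line) for redirects that leave own_hosts."""
    findings = []
    referer_cond = False  # True while a RewriteCond on the Referer is pending
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive == "rewritecond":
            if "http_referer" in line.lower():
                referer_cond = True
            continue
        if directive in REDIRECTING:
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in own_hosts:
                    gated = directive == "rewriterule" and referer_cond
                    reason = ("referer-conditional external redirect"
                              if gated else "external redirect")
                    findings.append((no, reason, line))
                    break
        if directive == "rewriterule":
            referer_cond = False  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    own = {"www.genevish.org", "genevish.org"}
    for no, reason, line in scan_htaccess(SAMPLE_HTACCESS, own):
        print(f"line {no}: {reason}: {line}")
```

A Referer-gated rule explains the symptom in the first post: the redirect fires when arriving from a Facebook link but not when the site is opened directly.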