I posted a link to my personal website on Facebook. When I click the link to verify it works, I get a message from Safari saying the site I'm trying to visit may be hosting malware. The site it refers to is search-box.in, which is NOT my site. Does anyone know why I would be getting this? (I don't get the message if I visit my site directly).
I can't find a link to this URL in any site. I checked Facebook, and my site (http://www.genevish.org/movies/Vacation/). Facebook has a redirect to facebook.com/search.php, but I don't see a reference to that URL there either. The DNS entries for that URL show it's in Russia, which makes me suspicious (in addition to the warning from Safari). Mostly I just don't want anyone else to get directed to that site.
OK, I did a little more digging. This seems to be a XSS attack that only happens when I'm signed into Google. I don't really know a lot about these attacks. Is it my problem, Googles problem, Facebooks problem...? Is it something I can fix?
I had a look around the interwebs, and it seems that this search-box.in is a known malicious site. It does seems that your site may be hacked, in such a way, that it only redirect when the face book url is the referer. Please check your .htaccess file for any redirects to search-box.in
Edit: You may also want to scan your computer for malware/trojans/etc and change all passwords
Good, at least you found the problem. Now, best is to delete that .htaccess file if it is not one you are using yourself. Also, you have to scan your computer for nasties, and make sure you change all your passwords, like the pass to root, ftp, admin, emails, everywhere, even banking accounts.
Looking at the logs, you or your host should be able to see how access was accomplished. Normaly, a site is vulnurable thru 3rd party plugins, so make sure you also plug those holes.
We have a Wordpress site installed, which had a number of out of date plugins. I suspect that was the source of the changed .htaccess (I see many discussion posts about this same type of problem). I updated the plugins, and Wordpress itself (and changed all passwords).