  1. #1

    CESIL

    Google results hijacked...

    Hi All

    We have an odd situation here that I wonder if you could try and replicate...

    Several times over the past week users have called me to look at a virus alert that they have got on their computer...

    ...thing is it is not a real virus alert, just a web page that looks like a Windows screen with a fake virus scan running that then offers a download of an anti-virus package.

    I have been investigating and have found the following...

    If I search Google for "free subtraction worksheets" or other education related terms I get a page of results that work ok.

    If I then tick the radio control for "pages from the uk" and search again I get results as usual but some of them have links in the form http://xxxxxxxxx.yy.zz/fyprwa/bfz.ph...ion+worksheets where the domain appears to be genuine but the link takes me to the fake virus scanner.

    I am trying to determine whether this is a Google issue or an infection at our end...can anybody else replicate my problem?

  2. #2

    Edu-IT

    It's the same here.

    activebrokers.co.uk/ytpcsr/fzx.php?dyza...subtraction+worksheets
    ispycctv.net/cwnpmv/sqa.php?vgrf=subtraction...worksheet

  3. #3

    SYSMAN_MK

    Yep same as here.
    Last edited by SYSMAN_MK; 20th January 2010 at 02:44 PM.

  4. #4
    smadison

    Works fine from here as my search gives me the google page with results such as maths worksheets

  5. #5

    Edu-IT

    Quote, originally posted by smadison:
    "Works fine from here as my search gives me the google page with results such as maths worksheets"

    Oh it works but there are links on page 1 and page 2 such as those above.

  6. #6

    Michael

    Very, very interesting. It does look like a Google issue. I wonder if it's related to the attacks on Google recently?

  7. #7

    Does anyone know how to read (rather than execute) the "bfz.php" or similar file that is provided in the Google links? Looks like Google is just indexing loads of compromised web-sites, rather than being at fault itself?

    Running Firefox with NoScript just seems to pull up a page of junk (text and further links), so maybe it is some script kicked off by PHP that gives the virus scanner message (and I don't want to risk running it, hence wondering what the source of the PHP code is)?

    mb

  8. #8

    Quote, originally posted by Michael:
    "Very, very interesting. It does look like a Google issue. I wonder if it's related to the attacks on Google recently?"

    I think it's more that those pages have a low rank on google.com but high rank on google.co.uk - if you switch to a filtered search where it shows you when the pages appeared on Google, they're very spread out - not all in the last week etc. Looks more like it's a compromised site issue where the randomly named php script is uploaded onto a site open to some kind of exploit.

    Edit - if you're bored enough to nslookup a few of the sites in those results it seems to confirm what I said above, very small IP range, probably a few compromised servers on a webhost somewhere...

    Code:
    Default Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    > activebrokers.co.uk
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    activebrokers.co.uk
    Address:  79.170.40.230
    
    > clmi.co.uk
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    clmi.co.uk
    Address:  79.170.40.247
    
    > theilliteratekniferack.com
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    theilliteratekniferack.com
    Address:  79.170.40.230
    
    > jim-gray.co.uk
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    jim-gray.co.uk
    Address:  79.170.40.10
    
    > hackersunited.co.uk
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    hackersunited.co.uk
    Address:  79.170.40.10
    
    > formbyurc.co.uk
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    formbyurc.co.uk
    Address:  79.170.40.10

    Final edit - definitely a host issue. If you wget the pages with and without a google.co.uk referrer you will get the normal text without Google referrer and a 302 redirect to the malware site if used. This came up ages ago, can't find the thread I posted in about the compromised site - I know it was one with school related bits on...
    Last edited by OutToLunch; 20th January 2010 at 03:47 PM.
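
The with/without-referrer comparison described in the post above, written out as an added example (not code from the thread) that a site owner could point at their own pages. The function names, the `site.example` and `scanner.invalid` hosts and the stub are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx then surfaces as HTTPError


def fetch(url, referer=None, timeout=10):
    """Return (status, Location) for one GET, without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def offsite_redirect(url, status, location):
    """True when the response is a 3xx whose Location names a different host."""
    if not (300 <= status < 400 and location):
        return False
    target = urlsplit(location).hostname  # None for a relative Location
    return target is not None and target != urlsplit(url).hostname


def check_referer_cloaking(url, fetcher=fetch,
                           referer="http://www.google.co.uk/search?q=test"):
    """Compare a direct request with one carrying a search-engine Referer."""
    direct = fetcher(url, None)
    via_search = fetcher(url, referer)
    cloaked = offsite_redirect(url, *via_search) and not offsite_redirect(url, *direct)
    return {"direct": direct, "via_search": via_search, "cloaked": cloaked}


# Constructed stub standing in for a compromised page, so the check runs offline.
def stub_compromised(url, referer=None):
    if referer and "google." in referer:
        return 302, "http://scanner.invalid/landing"
    return 200, None


if __name__ == "__main__":
    print(check_referer_cloaking("http://site.example/abcdef/xyz.php", stub_compromised))
```

With the default `fetcher`, the same call makes two live requests to the given URL and never follows the redirect, so the landing page itself is not loaded.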

  9. #9

    I have reported this to Heart Internet, who appear to be hosting the compromised web-sites!

    mb

  10. #10

    Michael

    I agree from the nslookups it is a host issue. I particularly like this domain name:

    theilliteratekniferack.com
    Just seems very random! I wonder what kind of website it really is?

  11. #11

    I get this warning from Google Chrome when I click on the link.

    "Malware Detected!
    Warning: Visiting this site may harm your computer!
    The website at sweetlemongrass.com appears to host malware - software that can hurt your computer or otherwise operate without your consent. Just visiting a site that hosts malware can infect your computer.
    For detailed information about the problems with this site, visit the Google Safe Browsing diagnostic page for ------------.com."

  12. #12
    mossj

    It's compromised sites, not hosts or search engines. Rather than inject a virus straight into the code a hacker has made it so you only get it if you go through search engines.

    After all, what webmaster googles his own site?
    Last edited by mossj; 20th January 2010 at 09:42 PM.
