I had been tipped off by a DotWeekly.com reader that my domain portfolio site (yofie.com) was "redirecting" them to a different site. Sadly for me, this is not the first time this has happened.
I thought I knew how the hacker was getting in and that I had fixed it. I had a link exchange system set up, and that's how they (the hackers) were getting in before; as I found out today, they were still getting in even after I thought it was fixed.
Since many website owners do not visit their own sites very often, this is a tricky way to hack a website: most of the site functions like normal. Because the site mostly works, and users often do not contact the owner about the redirection, the problem can stay hidden for quite some time while you keep losing traffic and, likely, trust in your site / service.
What the hacking was doing
It would pick random visitors to the site and, after about a 5 second delay, redirect them to another domain / site the hacker owns. In this case it was a parking page on the hacker's domain, vietbacschool.com.
Again, because it is random, some visitors simply stayed on the site / domain they visited in the first place and never noticed anything different. Sometimes the redirection to the hacker's domain would only take place if the user clicked a specific page tab on the site.
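Because the redirect is randomized and delayed, a single visit usually shows nothing. The script below is an added example (not the author's code, and not anything recovered from yofie.com) of how to check a site's HTML for off-site redirects: it looks for meta refresh tags and JavaScript location assignments, notes whether the page also uses a timer or Math.random(), and samples the page several times because one fetch can miss a randomized injection. The sample pages are constructed for the example; the shape of the injected snippets is an assumption based on the observed 5 second delay, and the only real name used is vietbacschool.com from the post above. The fetch function is a stand-in for an HTTP request so the example runs offline.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (assumption: this is roughly what an injected
# redirect looks like; it is not the actual code found on yofie.com).
SAMPLE_CLEAN = """<html><head><title>Domain portfolio</title>
<link rel="stylesheet" href="/css/site.css"></head>
<body><a href="http://yofie.com/portfolio">Portfolio</a></body></html>"""

SAMPLE_META = """<html><head><title>Domain portfolio</title>
<meta http-equiv="refresh" content="5; url=http://vietbacschool.com/">
</head><body>...</body></html>"""

SAMPLE_JS = """<html><head><title>Domain portfolio</title>
<script>
if (Math.random() < 0.3) {
  setTimeout(function(){ window.location.href = "http://vietbacschool.com/?ref=x"; }, 5000);
}
</script></head><body>...</body></html>"""

# <meta http-equiv="refresh" content="5; url=http://...">
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE)
# window.location = "...", location.href = "...", location.replace("...")
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
SETTIMEOUT = re.compile(r'setTimeout\s*\(', re.IGNORECASE)
RANDOM = re.compile(r'Math\.random\s*\(', re.IGNORECASE)


def _host(url):
    """Hostname of a URL without a leading www.; '' for relative URLs."""
    h = (urlparse(url).hostname or '').lower()
    return h[4:] if h.startswith('www.') else h


def find_redirects(html, own_host):
    """Return redirects in the HTML whose target host is not own_host.

    The timer/random flags are page-wide heuristics: they say the page
    contains setTimeout / Math.random somewhere, not that the redirect
    is provably wrapped in them.
    """
    own = _host('http://' + own_host)
    candidates = []
    for m in META_REFRESH.finditer(html):
        delay, _, rest = m.group(1).partition(';')
        url = rest.strip()
        if url.lower().startswith('url='):
            url = url[4:].strip()
        candidates.append(('meta-refresh', url, delay.strip()))
    for m in JS_LOCATION.finditer(html):
        candidates.append(('js-location', m.group(1), None))

    offsite = []
    for kind, url, delay in candidates:
        target = _host(url)
        if target and target != own:   # relative or same-site URLs are fine
            offsite.append({'kind': kind, 'url': url, 'host': target,
                            'delay': delay,
                            'timer': bool(SETTIMEOUT.search(html)),
                            'random': bool(RANDOM.search(html))})
    return offsite


def sample_site(fetch, own_host, attempts=10):
    """Fetch the page repeatedly (the injection picks visitors at random)
    and return the union of off-site targets seen, keyed by host."""
    seen = {}
    for _ in range(attempts):
        for f in find_redirects(fetch(), own_host):
            seen.setdefault(f['host'], f)
    return seen


def make_fake_fetch(pages):
    """Stand-in for an HTTP GET: cycles through the given page bodies."""
    state = {'i': 0}

    def fetch():
        page = pages[state['i'] % len(pages)]
        state['i'] += 1
        return page
    return fetch


if __name__ == '__main__':
    # Two clean responses for every injected one, as a randomized hack would do.
    fetch = make_fake_fetch([SAMPLE_CLEAN, SAMPLE_CLEAN, SAMPLE_JS])
    for host, f in sample_site(fetch, 'yofie.com').items():
        print(host, f['kind'], 'timer' if f['timer'] else '', 'random' if f['random'] else '')
```

Two caveats: the regexes only catch redirects written in the clear, so obfuscated JavaScript (eval of an encoded string, for instance) needs a browser-based check rather than a grep; and this only inspects the HTML your own server returns, so if someone is proxying or scraping the site elsewhere, the origin will look clean even while visitors to the copy are being redirected.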
My question, which I still do not have answered: is this something done just via the code of the site, or is it deeper and affecting the DNS?
I changed the DNS for my site earlier today to put up a different site using totally different code, and my old site is still resolving. I know it can take up to 24-48 hours for DNS to fully propagate, but I have never had to wait much longer than a couple of minutes, or up to maybe an hour at most, for it to work!
I have used several DNS tools like Whois.sc and others, and all of them are showing the new DNS I set this morning, but the site still resolves to the old site and hosting. I cleared the cache, used Ctrl+R, and nothing.
So currently for me, this is a work in progress to clean up the mess!
I just wanted to share this hacking technique, which hackers are clearly using on some websites where the owner is likely not even aware that they have been hacked, are losing traffic, or that redirection is taking place for some of their visitors.


Patrick McDermott
Jamie,
Elliot Silver also wrote about blog security issues today.
http://www.elliotsblog.com/protect-your-wordpress-blog-8462
In the comment box, Owen Frager provided a really good link that you may find useful.
Jamie Zoch
@Patrick,
Thank you for the heads up, but Yofie.com is not using WordPress; it was a custom-built site. I did check out the link though, and thanks for pointing it out.
Dan B.
Jamie, I had a similar thing happen to me in the past. I'm not sure if you're having the same problem, but one of my sites selling plastic cards was on occasion being redirected to an adult site through Google; bad image. Found out you need to be careful with some of the free link farms. Make sure you check them out before use. It took a week of emails and phone calls to fix it.
Richard
weird, the 5 second delay thing sounds like a meta refresh tag but those aren’t random and I’m unsure of how he would add that to your code, good luck & keep us updated.
Johnny
The domain is owned by Portfolio Brains. Would they be so blatant to do this without hidden Whois?
Jamie Zoch
@Johnny,
I noticed that as well, but since whois is really “who do you want to be” I figured the hacker just put in that info.. but one can really never tell. I did contact DomainSponsor who the domain was using for parking and appears the domain has been taken down. I wish I could find out who owns it…
Mike
Regarding your DNS delay: if you haven't visited the site and you change the DNS, you will almost instantly see the new site.
If you visited the site a few minutes before changing the DNS, then it could take 12-24 hours depending on your ISP. You can manually refresh your DNS with flushdns at a DOS command prompt, but that usually doesn't work. Alternatively, use a proxy site or a friend's computer and you will instantly see the new site.
Mark Ford
I'm not entirely sure I understand the mechanics of this problem, so maybe I'm responding too early to this... but I am thinking this sounds like they are providing links to a proxy of your site; that way they just inject a meta refresh into your HTML head. If that's the case, there is little you can do about it except maybe *try* to contact them. Modifying your DNS is not going to fix this.
On second thought, you might be able to break out from their modification by either putting in your own redirection (to your own site) or by using some javascript. Both ways are cat-and-mouse situations and not guaranteed to be 100% effective because as a scraper or proxy of your site they can do anything.
You can also apply the above solution based on the IP address of their proxy.
NameSugar
Regarding the DNS delay, it most probably has nothing to do with the hacker. I’ve noticed DNS propagation taking a lot longer in the past few months than I’ve gotten used to. This is only my personal observation but it has been noticeably slower recently in my experience.
It used to take days so I think we’ve just all gotten spoiled with nearly instant DNS propagation.