Google results redirect to wrong website (stright url is ok)

Post any issues or suggestions you may have with the website or forums here.
DW_Wine_Flu
DW Clan Member
Posts: 112
Joined: Tue Jan 05, 2010 1:40 pm
Location: New York, NY

I have confirmed that the link returned by a google search for "clandw" does indeed return a bogus/infected site. Sokoro is right. That's all I can/will say.
Generic Humorous Forum Sig
AS-Cubes4All > AS-TorlanEvolution > AS-OpportunityKnocks > AS-BP2-AcatanaEvolution
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

This is an error message which I received when I tried to connect through google results with IE 10:

Warning: file_get_contents() expects at most 2 parameters, 3 given in /homez.149/elixirbi/www/index_backup.php on line 1

Futher indicating that you have rogue files in your root php library. Please do something.
Also I found other websites which redirect with such error.
Last edited by Sokoro on Sat Jul 13, 2013 2:26 pm, edited 1 time in total.
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

Thread of somebody having very similiar problem.. and outdated joomla like you..
http://forum.joomla.org/viewtopic.php?f=432&t=648775

Yes you have outdated joomla!
http://sitecheck.sucuri.net/scanner/?sc ... clandw.org

Also your website seems to be working very slow.. It takes several seconds before it redirect me to end of the thread with my post posted.. after I click [Submit]

I have 165ms 3.63mbps down 3.17mbps up from Pilsen to Tempe... that is ok I guess.... for being across the globe.. maybe you should upgrade your server's internet connection... I have the best in my state.
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

Security warning in the URL:
http://www.clandw.org/resources/fullgam ... e-tracker-

Suspicious domain detected:
http: //1006jrfjhjr.dynamicdns.org.uk:85/SNrXO5eZUmezafp1VSscRaEmTDduhjoEBK5 (infected do not go there)

A suspicious code was identified loading content from a blacklisted domain. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

EDIT: hmm I just did a rescan and it no longer return this detection.. but you still have outdated joomla and that is a security issue.
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
DW_Bomzin
Site Admin
Posts: 2241
Joined: Mon Dec 26, 2005 12:00 am
Xfire: bomzin
Location: Layton,Utah

Ok not sure what is up. Google webmaster says we are clean. I can only duplicate this going through google Brazil. I don't believe the site to be infected still. Yes am working on the upgrade but everything has changed so it's going to take some time. Hopefully before the New Year we get it done.

I am just on a fresh install. Loaded Chrome. Searched for clandw. Pulled us up just fine. Open for suggestions. I guess we could try contacting google brazil.
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

Just something I found.. you are on a list:
http://evuln.com/labs/www.google.com.br/

First three letters for the infected websites are censored.. so search for "ndw.org"

and this!:

http://evuln.com/tools/malware-scanner/clandw.org/

"The website redirects visitors from search engines to the 3rd-party URL:
->http://www.elixir-bienetre.com/includes ... img/js.php
684 websites infected."

Little guide: http://evuln.com/hacked/redirect.html

Edit:
Seems that it is a chain of redirects, which send users acros several infected websites and then to google.br
http://evuln.com/tools/malware-scanner/ ... ellaun.de/
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

I did this check:
http://urlquery.net/report.php?id=3735596

And it seems that you have http transaction with google.com.tr which is turkish google. That is really fishy.. could you explain?

unmaskparasites.com scan on clandw.org shows this hidden external link:

<IFrame> hidden link - http: //www.google.com.tr/url?sa=t&rct=j&q=seo& ... 5608,d.Yms

turkish... goes to some turkish website about who knows what..

This reports the external link, hidden in iframe, and 56 sucpicious files with the link
http://www.quttera.com/detailed_report/www.clandw.org
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
User avatar
christmas
1337 Haxor
Posts: 237
Joined: Sun Mar 10, 2013 6:30 pm

its the turkish kebab that does all the damage.... :blackeye:

I have to confirm with sokoro that everytime I post a reply (clicking the "submit" button) it takes too much time for me also for the post to be submitted and the page to be fully refresh-ed. (which personally is the only web-page/forum that I have this isuue)...but i assumed it had to do with the server load/bandwidth....

besides that, I never had a "weird" redirect from google results for clandw....

ps: even microsoft suggests users NOT to use IE

ps2: page layout of the forum is wider by 100-200px (horizontal res)
DW_Bomzin
Site Admin
Posts: 2241
Joined: Mon Dec 26, 2005 12:00 am
Xfire: bomzin
Location: Layton,Utah

Sokoro wrote:I did this check:
http://urlquery.net/report.php?id=3735596

And it seems that you have http transaction with google.com.tr which is turkish google. That is really fishy.. could you explain?Nope, Have no idea

unmaskparasites.com scan on clandw.org shows this hidden external link:

<IFrame> hidden link - http: //www.google.com.tr/url?sa=t&rct=j&q=seo& ... 5608,d.Yms

turkish... goes to some turkish website about who knows what..I manually went through and took out the bad code, possible I missed something but I'm not seeing a bunch of infected files again. Hidden link in a I-frame. How the hell do I track that down. I didn't write the code nor am I smart enough. I did paste it all together thought with what I thought to be reputable stuff.

This reports the external link, hidden in iframe, and 56 sucpicious files with the link
http://www.quttera.com/detailed_report/www.clandw.org
Now that is interesting says the 1 malicious code is a .gif, maybe I didn't get to the root of it. Will be killing a gif
Sokoro
Camper
Posts: 58
Joined: Thu Dec 09, 2010 11:10 am

hmm those hidden iframes could be just some trick to get better google pagerank for the websites which are linked in them, since both (yes there is currently another one: www .seo.mavi1.org ) of those turkish websites seems to be clean.
You should contact someone from joomla masters/admins to ask them if it is intentional or infection.

Did you all change passwords and scanned your computers after the event when website was down?
I read that hackers sometimes use your own computer to infect your website through ftp.

You are still redirecting: http://evuln.com/tools/malware-scanner/ ... rg/rescan/

Edit: another website comfirming the redirect: http://aw-snap.info/file-viewer/?tgt=ht ... &ua_sel=ff

So you are still infected... you need to do something, try to ask on some forums for help.. eg:
https://www.badwarebusters.org
http://productforums.google.com/forum/? ... cked-sites
I made an AM character just to be able to use electromagnet in safe spots with 500 adrenaline and rejuvation weapon +5
Post Reply