Are my sites hacked?

Discussion in 'Security' started by yhbae01, May 17, 2014.

  1. #1
    My background is NOT sys admin (I'm more of a software developer), so I'm struggling with this issue right now.

    I'm currently running about 7 sites on a dedicated server. The sites were running fine yesterday and all of a sudden, they are having issues starting today. For some reason, it only affected 4 sites and they all show the following symptoms:

    - when I type the site URL, it automatically redirects to some pages full of ads, some popping up modal dialog boxes that won't die without killing the Chrome process.
    - when I observed very quickly, I saw something like ww20.<rest of url> then directs quickly to those bad pages.
    - any combination of the URLs *.<a site>/* causes the redirection.
    - if I do wget ww20.<a site> from the Linux command line, it says the domain does not exist. This leads me to believe that perhaps this is a client side issue.

    I checked:

    - .htaccess - nothing suspicious there.
    - index.php or index.html files have NOT changed - their last write dates are well before today's date.
    - this happens on ALL of my devices including a Windows 8 laptop, my wife's Windows XP laptop, my Android tablet and my Android phone. I've never heard of a malware that simultaneously affects both Windows machines and Android devices...
    - I tried to tether through my phone. Same results from all of my devices.
    - Sys Admin from the hosting company ran some malicious catch scripts. Found nothing.
    - My Adsense earnings have NOT stopped. They are coming in, but perhaps a bit slower than usual. It isn't obvious at all.

    So what's happening? I can send you the URL to one of my sites if you can help (don't want someone to think I'm advertising my site here).

    Thanks for any help in advance!
     
    yhbae01, May 17, 2014 IP
  2. Tier_net

    #2
    You would first have to rule out that it is not client-side. Does the same thing happen from other PCs? Other browsers? If it does, it is likely compromised. Please feel free to PM me your URL(s) and I'll check from my end.
     
    Tier_net, May 20, 2014 IP
  3. sarahk

    #3
    I'm happy to check too. If it's happening to everyone then it's likely someone has hacked your theme files.
     
    sarahk, May 20, 2014 IP
  4. GFX2

    #4
    Check your local files, maybe you have a virus or something.
    Sometimes viruses attack the Windows hosts file so it will manually redirect any domain that you type (for example google.com to 'fake' googlex.com).

    Check out the location of it:
    http://en.wikipedia.org/wiki/Hosts_(file)
     
    GFX2, May 20, 2014 IP
  5. qwikad.com

    #5
    It looks more like your browsers have been hacked. And since you're all probably on the same network all other computers / devices got hacked as well.

    Download, install and run avira: http://www.avira.com/en/avira-free-antivirus

    It's available for PC, Mac, Android and iOS. The scan may take up to 2 hours per device (usually less). It'll take care of anything and everything you shouldn't have on your computers.
     
    qwikad.com, May 20, 2014 IP
    Nigel Lew likes this.
  6. Nigel Lew

    #6

    Nice suggestion. I still run Avast as it has never failed me (as far as I know lol..) and seems to have a slightly lower footprint on my rig.

    Avira is awesome stuff though. Likely the best on the market. I used to love the stuff from Kaspersky Labs but last I checked that stuff totally killed my comp, it used so much resource.
     
    Nigel Lew, May 20, 2014 IP
  7. yhbae01

    #7
    I suspected perhaps my PC was infected so I ran 7 different (well known) Malware/Antivirus apps. None of them have found any issues. I even ran 2 scanners on my Android devices too, and they found nothing. I always run anti-virus and they never failed me in the past either. I suspect this is more than just a client-side issue.

    I'll send the URL to those who are willing to help - thanks in advance! :)
     
    yhbae01, May 21, 2014 IP
  8. yhbae01

    #8
    No theme files here - it's just a custom PHP written site in this case...
     
    yhbae01, May 21, 2014 IP
  9. Nigel Lew

    #9
    Nigel Lew, May 21, 2014 IP
  10. yhbae01

    #10
    Sitecheck checks out fine!
     
    yhbae01, May 21, 2014 IP
  11. sarahk

    #11
    Just looking at one of these sites. I went to whatsmydns.net this morning and looked up one of the sites and repeated the search just now. Here's what I get now.

    www
    upload_2014-5-22_11-44-49.png
    looking just at Auckland, NZ - the IP this morning was 95.211.9.52

    ns1
    upload_2014-5-22_11-44-18.png

    ns2
    upload_2014-5-22_11-43-48.png

    I wonder if changing to your host's nameservers might help identify the problem. I've never seen anything like this before.
     
    sarahk, May 21, 2014 IP
  12. yhbae01

    #12
    I've tried changing it already. I even tried changing the hosting company. Nothing seems to help...
     
    yhbae01, May 21, 2014 IP
  13. Nigel Lew

    #13
    You can pm me a link. Happy to take a look. I am always up for a good caper lol.

    Nigel
     
    Nigel Lew, May 21, 2014 IP
  14. ryan_uk

    #14
    Reading your opening post - and maybe it's just the way it's written, but is it only yourself having these problems? Or do other people? As an example:
    You are always mentioning about yourself. We need to unequivocally establish whether it is just yourself impacted or if other people are seeing the same problem.

    I am guessing the IP changes sarahk noticed are due to you changing hosting companies and propagation had not fully completed.
     
    ryan_uk, May 21, 2014 IP
  15. yhbae01

    #15
    It's a bit deeper than that. One of my sites is quite well known in its hobby sector and forums around the world are reporting that this site is having issues and only happens to some of them. Based on what I see in whatsmydns.net, I'm not surprised - more than half of the IPs listed there are not mine...
     
    yhbae01, May 22, 2014 IP
  16. ryan_uk

    #16
    Which is yours?
     
    ryan_uk, May 22, 2014 IP
  17. yhbae01

    #17
    The correct IP should read 174.136.13.197. Everything else goes to some pages I don't own.
     
    yhbae01, May 22, 2014 IP