Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 10, 2016, 12:34:21 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: my website hijacked  (Read 5009 times)

tsaint

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 451
  • Hi from the a*** end of the earth
    • View Profile
    • Read more about this member.
    • Donate to Member
my website hijacked
« on: December 13, 2011, 07:57:01 PM »
I have a website at www.worumba.com
If I point at an image, which is supposed to link to www.worumba.com/artwork/art.html, I see this address in the status bar. However, clicking the image takes me to :
http://brendarco.ru/original/index.php

I'm sure this arises from me originally adding an htaccess file, making the default somefile.html instead of default.html or index.html.
I set the permissions to 644. In the last few days, this file got changed (not by me) and hence the current problem.

 Ive deleted the htaccess file, I've tried replacing it with first a blank htaccess file, then a file with just a redirect for 404 errors, in case blank htaccess files didnt even get "looked at". However none of these fix the problem of redirection to a russian domain.
 
If I search for "worumba" in google, one of the returned links shows as www.worumba.stuff, but clicking it takes me to http://maildigi.ru/snipe/index.php

My 2 obvious questions are (a) how to fix this mess and (b) since the problem originated with my htaccess file (I think), what permission apart from 644 should I have used to prevent this happening in the future?
Thanks for reading this
tony

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: my website hijacked
« Reply #1 on: December 13, 2011, 09:47:50 PM »
For what it's worth, you site works fine for me now. It is possible you may have a DNS issue - corrupt/invalid cached lookup somewhere between you and the server.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #2 on: December 13, 2011, 11:19:37 PM »
For what it's worth, you site works fine for me now. It is possible you may have a DNS issue - corrupt/invalid cached lookup somewhere between you and the server.


It works fine for me, also.

Paul Keith

  • Member
  • Joined in 2008
  • **
  • Posts: 1,982
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #3 on: December 14, 2011, 12:18:06 AM »
First link works fine but the second link made my Opera crash. (I don't know about websites though, just adding to what others have said.)

tsaint

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 451
  • Hi from the a*** end of the earth
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: my website hijacked
« Reply #4 on: December 14, 2011, 03:40:01 AM »
thanks so much for testing for me.
 sadly, whilst the first link from the google search works fine, all the subheading links below the first heading - the worumba experience, About Mary and Lindsay,About Worumba Station,untitled - still send you to russia.
 Going directly to www.worumba.com works, but clicking on any links on that default page also directs to russia.

It's not just me, but for anyone. So the corrupted DNS explanation can't be right (I think, given I'm not knowledgeable about these matters)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #5 on: December 14, 2011, 04:11:18 AM »
It's not just me, but for anyone. So the corrupted DNS explanation can't be right (I think, given I'm not knowledgeable about these matters)

That's what I tried.  In fact, I clicked on all of the links on your site, and none of them went to russia.

tsaint

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 451
  • Hi from the a*** end of the earth
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: my website hijacked
« Reply #6 on: December 14, 2011, 05:10:48 AM »

Thank you. Since the last time I posted, I found a lot of .htaccess files in various directories. I removed them all I think, but the site still was misbehaving for me. Checking just after seeing your reply, I found all to be working ok finally.
Again, thank you to everyone who took the trouble to check it out for me, it's much appreciated
tony

That's what I tried.  In fact, I clicked on all of the links on your site, and none of them went to russia.

joiwind

  • Participant
  • Joined in 2009
  • *
  • Posts: 484
  • carpe momentum
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #7 on: December 14, 2011, 06:25:52 AM »
Jumping in at the end of this one.

Last night the servers that host my pop3 accounts and some of my domains were hacked and all the servers were down - my index pages were blank with just the words :

F***ed By : Secure-X41

I managed to get through to the company by hotmail and they are working 24/24 to get things back to normal for everyone, they said someone had accessed their servers through a site and I'm hoping it's not mine !

I searched using the above text as keywords and some weird stuff came up that I didn't want to follow - but has anyone heard of "Secure-X41" ?

.: I use K-Meleon - the browser you can control - but I love Pale Moon too :.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: my website hijacked
« Reply #8 on: December 14, 2011, 06:37:46 AM »
Thank you. Since the last time I posted, I found a lot of .htaccess files in various directories. I removed them all I think, but the site still was misbehaving for me. Checking just after seeing your reply, I found all to be working ok finally.
Again, thank you to everyone who took the trouble to check it out for me, it's much appreciated
tony

That's what I tried.  In fact, I clicked on all of the links on your site, and none of them went to russia.

Have you checked your own computer is not compromised - try doing a malware scan just in case your own computer is doing the redirecting.

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,100
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #9 on: December 14, 2011, 06:57:28 AM »
In addition, open a 'DOS-box' and type in there:
IPCONFIG /flushdns

This cleans out DNS entries that your PC has been 'collecting' during your surf sessions. By default Windows stores these for 24 hours, if memory serves me right.

tsaint

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 451
  • Hi from the a*** end of the earth
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: my website hijacked
« Reply #10 on: December 14, 2011, 08:06:23 AM »
Steps I've taken...
1. scanned MY computer. Since other people reported the hijacking, didnt expect this to fix anything
2. Replaced all instances of hacked htaccess files with a benign versions. The hacked ones returned and I replaced them again.
3. Checked all htaccess files were chmodded to 644.
4. Changed control panel and ftp passwords
5. Flushed DNS as per advice.

Last check shows all is normal but I'll be interested (nay, scared!) to see what the morning brings.
Again, thanks for the interest and suggestions
tony
Edit: I just rechecked. With firefox and opera,  the site works fine. With chrome, I get the russian redirect behaviour. I've cleared browsing data in all.
« Last Edit: December 14, 2011, 08:16:49 AM by tsaint »

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: my website hijacked
« Reply #11 on: December 14, 2011, 11:05:16 AM »
Using Chrome here found no issues - do you use Chrome Sync? Wonder if there is any caching going on in there?

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,913
    • View Profile
    • Donate to Member
Re: my website hijacked
« Reply #12 on: December 14, 2011, 03:34:59 PM »
Domain parent and all internal links working correctly in Chrome here.  4:34 PM EST  (UTC-5 hrs)

Jim