Google search trojan? Please help!!

sullivan0067

I am the webmaster of my photography club website at www.clondalkincameraclub.com. In the last few days anyone searching for this (ie 'Clondalkin Camera Club') using google gets the club website in the first few returns as normal. However when you click on these returns the club website does not open, but the following malicious site does: http://wificafe-search.com/. It seems to have been hijacked by some type or trogan or virus asking you to download a spyware remover!:eek:
I have no idea how this has happened and how to remove this from our site so I would appreciate any advice very much!
Thanx in advance...

PS: The site can be acceessed as normal using the address bar. The problem is only manifesting in google searchs.

MunsterCycling

Just tried it there via google and got this:



This is a google issue, nothing to do with your site IMO.

The site loads normally when you click your link as you have said

MC

Bob the Builder

It would appear, on first view that the website is loading normally to normal users. However, what appears to be happening is that when clondalkincameraclub (CCC) is referred to/linked to by Google, it is basically redirecting to this website.

For this reason, I think this thread is best suited in web development forum.

In the mean time, try deleting or editing your '.htaccess' file within the www directory of the website. There may be a redirect card in here.

If not, then go to the first 5 lines of your 'index.php' or 'index.html' file and make sure there's no meta redirects.

Also, best thing of all, is while your waiting, submit a support ticket or email your host.

sullivan0067

Thanks very much fellas for the replies. This gives me somewhere to start to try and solve this...

sullivan0067

Went to access the remote files on the server and seem to be blocked out? Get a dialogue about checking username and password etc which are correct (Using Dreamweaver). I'm going to contact my host, any further ideas in the meantime would be appreciated...

Snowbat

There's something very odd happening on *your* webserver - when visited with the referrer set to google.com or altavista.com or search.msn.com (and probably other search engines also) it returns a 302 redirect to the malicious site. This doesn't seem to happen with other domains on the same server (eg. crystalcircle.org ferncliffhotel.com). I suggest you check your webserver control panel - the default document (DirectoryIndex in Apache) is probably set to a dodgy php script that's causing this.

$ curl -v -e 'google.com' http://www.clondalkincameraclub.com/
* About to connect() to www.clondalkincameraclub.com port 80 (#0)
*   Trying 193.22.244.27... connected
* Connected to www.clondalkincameraclub.com (193.22.244.27) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.0 (x86_64-mandriva-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 libssh2/0.18
> Host: www.clondalkincameraclub.com
> Accept: */*
> Referer: google.com
>
< HTTP/1.1 302 Found
< Date: Tue, 02 Dec 2008 23:24:06 GMT
< Server: NOYB
< Location: http://wificafe-search.com
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://wificafe-search.com">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at www.clondalkincameraclub.com Port 80</ADDRESS>
</BODY></HTML>
* Connection #0 to host www.clondalkincameraclub.com left intact
* Closing connection #0

sullivan0067

Thanks Snowbat,
I think you are right. I unfortunatley can't check the php script in my remote files as I am being denied access to my account for some reason? I have contacted my host and am awaiting a reply,

Thanks for advice...