My site seems to be hijacked... but only when visited from another site... how?

My website is altoonadesign.com. If you type it directly in your browser, it takes you to the correct site. However, if you do a search for "altoona design" and click on the link to my site, you get redirected to a malicious site.

I tried this in Google on Chrome and in Bing on IE, on different computers, always with the same results. Typing in the URL directly takes you to my real site; clicking the link in the search results redirects you to the malicious site.

I am not sure how this is happening, how to undo it, or how to prevent it in the future.

Update

Clicking the link from here takes you to the malicious site too, so it seems clicking a link is what does it, but typing it in directly doesn't redirect you... how is that?


When viewing the source of your page, there's some code at the bottom that it doesn't look like you put there:

<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/passware-myob-key-crack.html'>Passware MYOB Key crack</a></div>
<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/newstarsoccer-crack.html'>NewStarSoccer crack</a></div>
<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/pcsentinels-busted-crack.html'>PCSentinels Busted crack</a></div>
<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/3dmark2001-crack.html'>3DMark2001 crack</a></div>
<div style='position:absolute;left:-2125px;width:1024px'><a href='http://www.asrtu.org/trust_crcks/acdsee50powerpack-crack.html'>ACDSee50PowerPack crack</a></div>
<div style='position:absolute;left:-2125px;width:1024px'><a href='http://keygen-0day.ws/database/My%20TypeArtist%201.000B/'>My TypeArtist 1.000B</a></div>
</body>
<!-- InstanceEnd --></html> 
<script>check_content()</script>check_content()</script>

When using Fiddler and accessing your site through Google, I can see that it does go to your domain first, and then gets redirected before your whole page loads.

Check your PHP code; they probably put some redirect code in your page.


I've not actually followed your link (no desire to meet a zero-day exploit), but what often happens when a server has been hacked is that code is put into any PHP files to check the referrer header and redirect either if the visit is from a search engine or if it's from anywhere not the current site.

This is done to try to prevent the owner of the site from realising the hack is in place, as you will probably usually visit the site directly rather than finding it through a search engine.
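
The referrer check described in the answers above can be confirmed from the outside by requesting the same page with different Referer headers and comparing the results. This is an added example, not part of the original posts; the Referer values and the script name are constructed, and it only observes HTTP redirects, so a script or meta-refresh redirect in the page body would not show up here.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Referer values to compare. None models a typed-in or bookmarked visit.
# The search and forum URLs are constructed sample values.
REFERERS = {
    "direct": None,
    "google": "https://www.google.com/search?q=example",
    "bing": "https://www.bing.com/search?q=example",
    "other-site": "https://forum.example/thread/1",
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # never follow: the 3xx then surfaces as an HTTPError

def fetch(url, referer):
    """Return (status, Location header or None) without following redirects."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def cloaking_report(url, fetch=fetch):
    """Map each Referer variant whose response differs from the direct visit."""
    site = urlsplit(url).hostname
    baseline = fetch(url, None)
    findings = {}
    for name, referer in REFERERS.items():
        status, location = fetch(url, referer)
        if (status, location) == baseline:
            continue  # same behaviour as a direct visit, nothing to report
        target = urlsplit(location).hostname if location else None
        findings[name] = {"status": status, "location": location,
                          "offsite": target not in (None, site)}
    return findings

if __name__ == "__main__":
    # Usage: python referer_probe.py http://your-site.example/
    for name, hit in cloaking_report(sys.argv[1]).items():
        print(f"{name}: HTTP {hit['status']} -> {hit['location']} offsite={hit['offsite']}")
```

An empty report means every variant behaved like the direct visit; any entry with `offsite` set to true is a redirect that only referred visitors receive.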