Web Weirdness

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Can someone tell me why:

1) I can access a website if I type the URL (not IP address) in the browser address window

2) But if I search for that business's name and Google shows me the same exact URL in the search results, and I click that search result link, I go to the correct web site but within 2 seconds the browser goes to another business's website?

The above two scenarios have been pretty consistent for the last 2-3 days.

I have never encountered this before in some 17 years of web use.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Number 1 can be explained by the use of host headers on a server with multiple websites.

I'm with Merc on number 2.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,564
Location
I am omnipresent
When you click a link on Google, you're actually redirected through a Google URL to the destination site, rather than being sent directly to the URL you've clicked, e.g.

https://www.google.com/url?sa=t&rct...=_OeAKF6MLFyCLHTiKHaTeQ&bvm=bv.96783405,d.b2w

to go to https://www.victoriassecret.com/panties/thongs-and-v-strings (link is mildly NSFW if people are uptight about hot chicks who are still technically wearing clothes).

Anyway, you've got something that's hijacking or malforming that URL for some reason. Everything I've seen that does something like that is malware, but it may be some weirdo browser addon that thinks it's helping you somehow.

I'd suggest starting with adwcleaner followed by Malwarebytes.
 

mubs

Thanks guys. :(

But usually Google will say "Malware Detected!" when one wants to go through Google to a bad site. Got nothing of the kind. Like I said, the site actually loaded, then within 2 secs went to another site.

FWIW, the site I wanted to go to was a local mattress manufacturer, the site I was redirected to was a women's clothing site showing prices in USD. Didn't bother to see where the two sites were hosted or where the second site's business is located.
 

mubs

ADW found a few things; log file attached. Don't know if these were there prior to my issue with the web site. Rebooted and ran it again; no problems found.

Followed by Malwarebytes; no issues found.

Thanks Merc, and all.
 

Attachment: 2015-06-29 ADW Log.txt (2.2 KB)

Mercutio

But usually Google will say "Malware Detected!" when one wants to go through Google to a bad site. Got nothing of the kind. Like I said, the site actually loaded, then within 2 secs went to another site.

Google's Malware tracker is looking at script code and downloaded executables. I strongly suspect in this case the malware is already on your PC.
 

Mercutio

You might want to nuke your Chrome install and all the seven zillion places it puts components of its configuration, just to be safe. Reload from Ninite or something.
Do the improper behaviors occur in Firefox or IE?
 

mubs

Same behaviour in Firefox. I never use IE. Other than this one issue, nothing odd in system behavior (I never find anything on Malware scans I do periodically). Since adwcleaner could not find anything wrong with Chrome on the second try, do you still think I should nuke Chrome?
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
ISP? Haven't heard of this before, but certainly technically quite possible. The USD prices make this unlikely though ...

Do you have another PC you can try, or even a phone or tablet on WiFi?
 

mubs

Actual site I want to go to: duroflex.

Google it. Search results correctly come up with duroflexworld.com/ Clicking the search link goes to duroflexworld.com, but within 2 seconds you will end up with http://www.shoppingfordress.com/

If you type duroflexworld.com in the browser address bar, you will stay at duroflexworld.com
 

Mercutio

On a known-clean Windows install, clicking the link from Google does not exhibit that behavior but there does seem to be a mysterious issue with sites being redirected specifically to Shoppingfordress.com. Apparently people are getting server-side redirects to that one specific other site, so most likely there's a worm or something going around that's infecting server-side code. I couldn't tell you if anyone at Duroflex knows about it, but probably not.

The good news is that it's not you.
 

Mercutio

I suspect the running script is reacting to the link referrer or something and it might be embedded in an ad or CDN embedded image that's being filtered when I look. I can't really say 'cause I can't see the behavior but their web person needs to look at it.
 

time

If I google Duroflex and click on any of the links, I am redirected to shoppingfordress.com.

So it's not only nothing to do with you, it's nothing to do with your ISP or country either. No idea why it doesn't affect Merc, except that he lives in the center of the universe.
 

time

As Mubs says, if you type the URL into the address bar, there is no problem.

Also affects Firefox and IE. On my phone, affects Chrome and the default Android browser.

Still affects Google if you load their web page and try to type in the search that way.

BUT, it doesn't affect other search engines if you load their site and type in "duroflex". Wow, I can see where this is going ...

I suspect this is an absolutely epic hack; possibly a dry run. The dress website has no phone number, email address or physical address, BTW.

I'd love to know how they're doing it.
 

mubs

Yeah, it is this redirect that is confusing, cause going direct to Duroflex without Google does NOT redirect. Initially I thought Duroflex changed hosting providers, their old IP address was assigned to Shoppingfordress, and the change had not propagated to all the DNS servers. But the strange thing is that the Google link does land you initially at duroflexworld.com and the redirect happens after that.

SD, what doesn't affect you? Are you saying you don't get the redirect?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Still affects Google if you load their web page and try to type in the search that way.
As I said, not here (with Firefox 38.0.5 with ABP and NoScript). I tried messing with the scripting settings for duroflexworld using noscript, but that didn't make any difference.

SD, what doesn't affect you? Are you saying you don't get the redirect?
Yes, that's exactly what I'm saying. I click on the Google search results for duroflexworld and end up at duroflexworld, not shopfordress.

When I tried it in IE11 I end up at shopfordress.
 

Mercutio

I can't make it happen, but I tend to work from odd combinations of browser, platform and addon installation. My thinking is that there's a server-side script that interacts with certain combinations of identified user agents and referrers. When I look at the DuroFlexworld Page, I can't really see what benefit there would be to hijacking that specific site, so I wonder if it's just a matter of data collection or proof of concept for a wider hack. At any rate, something that might be interesting would be to use a tool that allows the capture of full HTTP response headers, especially on a machine impacted by the redirect.

HTTPfox
IEInspector
Live HTTP Headers (Chrome)
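An automated version of the header capture Mercutio suggests, added here as an example (it is not code from the thread, nor from HTTPfox, IEInspector or Live HTTP Headers): it requests a URL once with no Referer and again with a few search-engine Referers, refuses to follow 3xx responses so the first hop is what gets recorded, and flags any referrer whose response differs from the no-Referer baseline in status, Location header, body hash, or the presence of an in-page redirect (a meta refresh or a location script, which is what a page that "loads, then bounces after two seconds" would carry). The two local demo servers, the redirect-target.example URL and the SEARCH_REFERERS list are constructed assumptions for the demonstration.

```python
"""Referrer-differential probe for conditional redirects (added example)."""
import hashlib
import http.server
import re
import threading
import urllib.error
import urllib.request

# Referers a visitor arriving from a search result would carry
# (assumption: the engines worth testing; extend as needed).
SEARCH_REFERERS = (
    "https://www.google.com/",
    "https://www.google.com.au/",
    "https://www.bing.com/",
)

# Markers of a redirect the page performs itself after it has loaded.
CLIENT_REDIRECT = re.compile(
    r"""http-equiv\s*=\s*['"]refresh['"]|window\.location|location\.(?:href|replace|assign)""",
    re.IGNORECASE,
)


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the raw first hop is what gets recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoFollow)


def fetch(url, referer=None, timeout=5):
    """Fingerprint the first response for `url`, optionally with a Referer."""
    headers = {"User-Agent": "Mozilla/5.0 (referrer-probe)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        resp = _OPENER.open(req, timeout=timeout)
        status, hdrs, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx lands here once we refuse to follow
        status, hdrs, body = err.code, err.headers, err.read()
    text = body.decode("utf-8", "replace")
    return {
        "status": status,
        "location": hdrs.get("Location"),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "client_redirect": bool(CLIENT_REDIRECT.search(text)),
    }


def probe(url, referers=SEARCH_REFERERS):
    """Return [(referer, fingerprint)] for every referer that changes the response."""
    baseline = fetch(url)
    findings = []
    for ref in referers:
        fp = fetch(url, referer=ref)
        if fp != baseline:
            findings.append((ref, fp))
    return findings


# ---- constructed demo site: stands in for an infected and for a clean server ----

class _DemoHandler(http.server.BaseHTTPRequestHandler):
    infected = False  # overridden per server by make_demo_server()

    def do_GET(self):
        ref = self.headers.get("Referer", "")
        if self.infected and ("google." in ref or "bing." in ref):
            # Page renders normally, then bounces the visitor elsewhere
            # (placeholder target, constructed for this demo).
            page = ('<html><head><meta http-equiv="refresh" '
                    'content="2;url=http://redirect-target.example/"></head>'
                    '<body>Welcome</body></html>')
        else:
            page = "<html><body>Welcome</body></html>"
        body = page.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def make_demo_server(infected):
    """Start a local HTTP server on an ephemeral port; return its base URL."""
    handler = type("Handler", (_DemoHandler,), {"infected": infected})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_address[1]


def run_demo():
    """Probe the infected and the clean demo site; return both findings lists."""
    bad = probe(make_demo_server(infected=True))
    good = probe(make_demo_server(infected=False))
    return bad, good


if __name__ == "__main__":
    bad, good = run_demo()
    for ref, fp in bad:
        print("infected demo, Referer %s -> %s" % (ref, fp))
    print("clean demo findings:", good)
```

To use it against a site you administer, call probe("https://your-site.example/") in place of the demo. A finding that appears only with a search-engine Referer is exactly the condition the thread describes; the body hash also catches variants that inject a script tag rather than a meta refresh, and comparing the fingerprints from a clean machine and an affected one separates a server-side condition from something on the client.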
 

time

Using Live HTTP Headers:
90 http://duroflexworld.com/swf/location.swf
91 http://duroflexworld.com/swf/certificates.swf
92 https://www.google.com.au/url?sa=t&..._zFCfJV4PDQjyb4vTM75tNA&bvm=bv.96952980,d.dGY
93 http://www.shoppingfordress.com/

Note the .au suffix for google.com. I suspect clicking on that link will trigger it.

With Firefox, I found that AdBlock doesn't touch it, but NoScript kills it dead, even with every option disabled.
For Chrome, the store suggested ScriptSafe and NoScript Suite Lite, both of which silently blocked Google searches completely!
ScriptBlock did the business, so I'll now be installing that on every Chrome installation I come across.
 

time

ScriptBlock for Chrome stopped the redirection to shoppingdress.com. Unfortunately, it also stops some other sites working in a reasonable manner unless you add them to the whitelist.

NoScript for Firefox stopped it even with "Allow Scripts Globally" enabled. Still looking for this kind of subtle fix for Chrome et al.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
My thinking is that there's a server-side script that interacts with certain combinations of identified user agents and referrers. When I look at the DuroFlexworld Page, I can't really see what benefit there would be to hijacking that specific site, so I wonder if it's just a matter of data collection or proof of concept for a wider hack.

Working in the website hosting biz, we've seen several WordPress (and similar CMS) attacked exactly as Merc describes. It's not a targeted attack usually, just a spider looking for vulnerable WP installations. Malicious PHP is added to existing legitimate scripts or new PHP scripts are added to the site. This provides a back door for malware and also generally persists across updates, keeping the site infected even if the original vulnerability has been patched. The malicious code generally looks at the referrer and if the user came from a popular search engine, the code goes into effect. If the user reached the site without a referrer (e.g. typed it in or bookmark) the code lies dormant. I'm not sure the reasoning for this logic - my guess is to avoid detection.

I think it's pretty clear from everyone's comments that this website is infected and that contacting them was the right thing to do.
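A source-level counterpart to the pattern blakerwry describes, added as an example and not code from the thread or from any hosting provider's tooling: it walks a document root and flags PHP files that read HTTP_REFERER and also issue a redirect or run obfuscated code, treating a search-engine name as a confidence booster rather than a requirement. Reading the referrer on its own is normal in WordPress, so that rule is a precondition, never a finding by itself. The rule set, the decision rule, the three constructed sample files and the redirect-target.example URL are all assumptions made for the demonstration.

```python
"""Indicator scan for referrer-conditioned PHP injected into a site (added example)."""
import os
import re
import tempfile

# Each rule is a regex over PHP source; a match records the first matching line.
RULES = {
    # Precondition only: legitimate code (WordPress included) reads the referrer too.
    "reads_referer": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]"),
    "search_engine_name": re.compile(r"\b(?:google|bing|yahoo|yandex|duckduckgo)\b", re.I),
    "header_redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}


def scan_source(src):
    """Return {rule_name: line_number_of_first_match} for one PHP source string."""
    hits = {}
    for name, rx in RULES.items():
        m = rx.search(src)
        if m:
            hits[name] = src.count("\n", 0, m.start()) + 1
    return hits


def is_suspicious(hits):
    """Assumed decision rule: the referrer is read AND the file redirects or
    evaluates obfuscated code. A search-engine name is extra evidence only."""
    return "reads_referer" in hits and bool({"header_redirect", "obfuscated_eval"} & set(hits))


def scan_tree(root):
    """Scan every .php file under `root`; return {relative_path: hits} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if is_suspicious(hits):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample site: two legitimate files and one theme file with an appended block.
SAMPLE_FILES = {
    # Reads the referrer, as WordPress's own helpers do; must not be flagged.
    "wp-includes/referer-demo.php": """<?php
function demo_get_referer() {
    return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
}
""",
    # Ordinary redirect with no referrer logic; must not be flagged.
    "wp-login-demo.php": """<?php
header('Location: /wp-admin/');
exit;
""",
    # Existing theme file with an appended block imitating the described pattern.
    "wp-content/themes/demo/functions.php": """<?php
function demo_theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'demo_theme_setup');
/* appended block: constructed imitation of the pattern described in the thread */
if (isset($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {
    header('Location: http://redirect-target.example/');
    exit;
}
""",
}


def run_demo():
    """Write the constructed sample tree to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        print(path, hits)
```

Because the injected code lands in files that are otherwise legitimate and survives updates, a hit should be triaged by diffing the flagged file against a pristine copy of the same theme or plugin version rather than by deleting it outright; the recorded line numbers point at where to look.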
 

mubs

Thanks Blake. The owners of the business (and website) are several degrees removed from me. I've passed on the info to the acquaintance closest to me; haven't heard back. How seriously they'll take it is anybody's guess.
 