Opened 3 years ago

Closed 3 years ago

#11525 closed Bug/Something is broken (wontfix)

"site hacked" in google

Reported by: Jennifer Tong
Owned by: JaimeV
Priority: Urgent
Component: Tech
Keywords:
Cc: Jamie McClelland
Sensitive: no

Description

Several pages on jubileeusa.org are marked as possibly hacked when you search by Google. The website itself appears to be clean, but at intervals people clicking on links generated by search engines are redirected to a Canadian pharmacy. We had a similar problem two years ago, and updated our CMS (TYPO3) to fix it. Reaching out to contractors who work with our CMS now, we were told that the problem is server-side. We need help immediately getting this fixed. Thanks! Please reach out to me with any problems at greg@…

Change History (4)

comment:1 Changed 3 years ago by JaimeV

Cc: Jamie McClelland added
Owner: set to JaimeV
Status: new → assigned

Sorry for the delay. We've been very busy the last few days.

I've scanned your site for suspicious files and don't see anything that stands out; however, when I search for the most common web requests I see a cialis reference. Searching for your site on Google with cialis reveals a number of pharmacy links.

0 stone:~# mf-web-hits-by-request /home/members/jubilee/sites/jubileeusa.org/logs/web.log | tail -n2
     65 GET /cialis/ 69.195.140.66
   6086 GET /index.php?id=259 209.51.180.237

The most common request comes from the server's IP. That seems out of the ordinary. I see some problems with file permissions. You have some files and folders with 777 permissions, allowing any user on the server to write to them. I can help fix that for you if you like. I don't see evidence that files were written by other users yet.

I am not familiar with the TYPO3 CMS, but I think your database should be further examined to ensure these pharmacy links are not somehow inserted directly in the database. Can you have your web developer contact us and explain why they think this is a server configuration issue?

Also CC'ing jamie here.
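
The log and permission checks described in comment:1, as an added example that is not part of the ticket and is not the `mf-web-hits-by-request` script itself. It assumes Apache "combined" format log lines; the function names, sample log lines and IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Assumed log format (Apache "combined"):
#   IP ident user [time zone] "METHOD PATH PROTO" status bytes "referer" "agent"

# Tally hits per (method, path, client IP), least frequent first, in the
# same "count METHOD PATH IP" shape as the output shown in the ticket.
hits_by_request() {
    awk '{ gsub(/"/, "", $6); print $6, $7, $1 }' "$1" | sort | uniq -c | sort -n
}

# Rows whose client IP is one of the server's own addresses ($2):
# the site requesting itself, which the ticket flags as out of the ordinary.
self_requests() {
    hits_by_request "$1" | awk -v ip="$2" '$4 == ip'
}

# Requested paths containing the spam keywords seen in the ticket.
spam_paths() {
    hits_by_request "$1" | awk 'tolower($3) ~ /cialis|pharmac/'
}

# Files and directories any local user can write to (mode 777 and similar).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Constructed sample log (documentation-range IPs, not data from the ticket).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.php?id=259 HTTP/1.1" 200 512 "-" "agent-a"
203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /cialis/ HTTP/1.1" 200 900 "-" "agent-b"
192.0.2.10 - - [01/Jan/2000:10:00:02 +0000] "GET /index.php?id=259 HTTP/1.1" 200 512 "-" "agent-a"
198.51.100.4 - - [01/Jan/2000:10:00:03 +0000] "GET / HTTP/1.1" 200 100 "-" "agent-c"
203.0.113.7 - - [01/Jan/2000:10:00:04 +0000] "GET /cialis/ HTTP/1.1" 200 900 "-" "agent-b"
192.0.2.10 - - [01/Jan/2000:10:00:05 +0000] "GET /index.php?id=259 HTTP/1.1" 200 512 "-" "agent-a"
EOF
}
```

A spam path that returns status 200 without a matching file on disk points at content served from the database or a rewrite rule, which is why the file scan and the log tally can disagree.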

comment:2 Changed 3 years ago by Jamie McClelland

If the web developers can give us direction on what server configuration changes they think should be made to improve security on the server, we would be happy to make those changes. However, I agree with Jaime - this looks like a regular web site compromise.

comment:3 Changed 3 years ago by Jennifer Tong

Thanks for looking into this. We asked someone else to look at our database again and update our CMS, and he didn't find any corrupt files or compromises before or after the upgrade, which led him to assume that it was a server-side problem. If you'd like to email me I can put you in direct contact with our developer: greg@…. Thanks

comment:4 Changed 3 years ago by JaimeV

Resolution: wontfix
Status: assigned → closed

Closing, this is related to #11845 and #11889
