My site is hosted with Clook Internet. I contacted them yesterday evening and they immediately started investigating the problem and stated
I am also receiving all emails related to the suuport ticket raised by the other affected site, who believes the problem is server related:
The responses since this from the hosting company have been:
and when questioned on what changes the answer given was:
I would be much happier if they had actually found a cause and eliminated it.
"The server itself hasn't been compromised, but we take the matter seriously and are looking at it as a priority issue."
Good afternoon
I’ve been asked by ***** *****, the webmaster at www.********.co.uk to contact you with regard to a problem he has been having with users being redirected to a site which tries to install malicious code onto their systems.
Initially it was alleged that it was the software he was running that was the cause of the problem. This software was reinstalled from ‘known good’ sources and the problem remained.
Having been in touch with a number of other webmasters who host on this server it appears that some of them are experiencing the same problem (****.co.uk and golfteewarehouse dot co dot uk).
Further testing last night leads me to suspect it is the server that is compromised and not the individual sites.
I attempted to browse to a script that is designed not to be browsed by users and if browsed to just puts up a one line text message – this message is the 1st line of code in the script. The first time I browsed to this URL I was instantly redirected to the malicious site. This would suggest to me that http requests are being redirected by something that has infected Apache or PHP and is nothing at all to do with code on the site per se.
This problem may have significant financial repercussions for ****.co.uk as the site is largely funded by Google Adsense and it is only a matter of time before the Google spider comes along, gets redirected and the site gets blacklisted.
I urge you to look at this problem as a matter of urgency and we look forward to your comments.
I’ve been asked by ***** *****, the webmaster at www.********.co.uk to contact you with regard to a problem he has been having with users being redirected to a site which tries to install malicious code onto their systems.
Initially it was alleged that it was the software he was running that was the cause of the problem. This software was reinstalled from ‘known good’ sources and the problem remained.
Having been in touch with a number of other webmasters who host on this server it appears that some of them are experiencing the same problem (****.co.uk and golfteewarehouse dot co dot uk).
Further testing last night leads me to suspect it is the server that is compromised and not the individual sites.
I attempted to browse to a script that is designed not to be browsed by users and if browsed to just puts up a one line text message – this message is the 1st line of code in the script. The first time I browsed to this URL I was instantly redirected to the malicious site. This would suggest to me that http requests are being redirected by something that has infected Apache or PHP and is nothing at all to do with code on the site per se.
This problem may have significant financial repercussions for ****.co.uk as the site is largely funded by Google Adsense and it is only a matter of time before the Google spider comes along, gets redirected and the site gets blacklisted.
I urge you to look at this problem as a matter of urgency and we look forward to your comments.
I've made some changes, please let us know if you get any further reports of this?
I've updated apache+php to the latest versions and checked to make sure nothing is trying to run as/on httpd
Comment