#1 2016-12-12 17:08:36

wernfried
Member
2012-01-21
84

Get some fake links in my Homepage

Hello,

I have s strange problem with my homepage. When you open the page as given below, everything is fine. Now, when you enter "wernfried domscheit" in Google you get first hit showing

Homepage von Bea und Wernfried Domscheit -//:---\spam sildenafil 100mg kaufen. Albums preis für cialis 20mg · Ecuador 120 · Quito und Hochland 34 · Regenwald ...

I am not selling drugs, I just like to show my pictures. Apparently Google Cache has a different content than my actual homepage has. You can open the cached side with this URL: Google Cache of www.domscheit.ch/piwigo from 8. Dez. 2016 01:39:05 GMT

Somehow (I don't know how) the main page got some additional text. My initial idea was "Oh, somebody hacked the server of my web-hoster and manipulated my webpage. Hopefully they fixed it in the meantime."

The manipulated (i.e. Google cached) page contains these links:

http://www.domscheit.ch/piwigo/?q=69217
http://www.domscheit.ch/piwigo/?q=74012

If you open them, you are immediately redirected to "World Famous Pharmacy" page. I dumped my entire piwigo page and also the MySQL database but nowhere I found a sting "69217" or "74012".

Now, I like to find out whether this redirection is done by Piwigo or shall I contact the support of my web-hoster?

What happens if somebody puts q=69217 at URL parameters in piwigo.


Piwigo version: 2.8.3
PHP version: 5.5.38
MySQL version: 5.5.50-MariaDB
Piwigo URL: http://www.domscheit.ch/piwigo/


Best Regards
Wernfried

Offline

 

#2 2016-12-13 11:46:51

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13878

Re: Get some fake links in my Homepage

Hi wernfried,

This problem is very concerning. I've tried to send you an email, but it was returned "Recipient address rejected: User unknown in virtual mailbox table". Please contact me : plg /at/ piwigo.org

Offline

 

#3 2016-12-13 12:02:25

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13878

Re: Get some fake links in my Homepage

Hi again,

My "intuition" says that there is a .htaccess file in your Piwigo directory with some redirections.

The other possibility would be some code has been modified in your Piwigo, to perform these redirections.

As far as I can tell for now, it simply means somebody has access to your files. A hacked FTP access for example.

Offline

 

#4 2016-12-13 12:59:51

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13878

Re: Get some fake links in my Homepage

Actually, it's more than just redirections.

If you change your "user agent" to googlebot (ie simulate a crawl from Google), you are not redirected, but Piwigo shows you a page full of links to online pharmacy OR, on about.php some links to other websites modified with the same hack.

Next step for me is to have an access one of these hacked Piwigo to understand what has been changed.

I can't do it directly, because no Piwigo.com account has the problem, as far as I know.

Offline

 

#5 2016-12-13 14:02:38

wernfried
Member
2012-01-21
84

Re: Get some fake links in my Homepage

plg wrote:

Hi again,

The other possibility would be some code has been modified in your Piwigo, to perform these redirections.

As far as I can tell for now, it simply means somebody has access to your files. A hacked FTP access for example.

I don't think so, because as you can see in Google search many many webpages are affected by this problem. I doubt that a hacked FTP access occurs on so many pages and by coincidence they are all using Piwigo.

Best Regards
Wernfried

Offline

 

#6 2016-12-13 15:18:01

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13878

Re: Get some fake links in my Homepage

Can you tell me if your file include/functions_plugins.inc.php has been modified? search "create_function" in this file. Or maybe in other include/*.php files. Tell me also if you have a directory install/.upgrade full of encoded files?

Offline

 

#7 2016-12-13 15:50:34

wernfried
Member
2012-01-21
84

Re: Get some fake links in my Homepage

Hi

I sent you a mail with a link where you can download my entire webpage (without disc-consuming pictures)

I assume that is easier to analyze.

Best Regards
Wernfried

Offline

 

#8 2016-12-13 15:51:44

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13878

Re: Get some fake links in my Homepage

Thanks, I am anylizing it. I can already tell you it's the same hack and these guys don't want to be found : they did not push their code in the same directory...

Offline

 

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2024 · Contact