I fell away because I find a lot of content in the lounge to be uninteresting now and the forums are slowly stultifying. QA is a mess, albeit not as bad as StackOverflow, but people don't come here as a first choice anymore. I'm on a Facebook Xamarin group and people are advised to go to SO - a lot of the people advising this haven't heard of CP and, when they come here, they come back unimpressed. Still, at least there are some great articles; granted the number of crud ones means that I get to spend more time going through a back catalog of good ones, but occasionally a gem makes it through.
This space for rent
I have a friend that has a web site for his business. In the last couple of weeks, when you google search the domain name "twotenperformance", the first link in the search results shows up as "www.twotenperformance.com", but the description of the link is for cheap Chinese sports jerseys. When you hover over the link, it shows what you'd expect (www.twotenperformance.com), but when you click it, it takes you to "http://www.jerseyssupply.top/#www.twotenperformance.com" (note the end of the URL).
If you actually type in the "twotenperformance.com" domain name in the address bar, it takes you to the appropriate site.
I've tried this on several computers, a couple of phones, and an iPad, so it happens in all browsers (Chrome, Firefox, IE, Edge, and Safari) on all operating systems, and in all the search engines (Bing, Google, Yahoo) I've tried, so it's not a virus on the given machine.
I've never seen anything like this before.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
It will be the clever spammers manipulating the robots to drive traffic to their sites.
It is a pain in the hoop. Bing's announcement last week appears to be the search engine trying to minimise these poor results and limit exposure to consumers. I was in a hurry one day trying to fix my daughter's laptop and got hit by one of these bogus links (it was for Google Chrome) and ended up installing malware on the machine.
Hey, it could be worse.
A friend of mine looked up Dick's -- a sporting goods store in the US -- and was taken to all sorts of p0rn sites!
Without the .com, it's probably taken as just being a word, so the top result will be the site that uses that word and is updated most, has the most linkbacks, etc. -- and a Chinese clothing store is likely to get a lot of hits, so rank highly in the predictive routines.
If it's a site you've visited before, though, the browser's autocomplete should offer it while you're typing the "word".
I wanna be a eunuchs developer! Pass me a bread knife!
That makes no sense. Go back and read what I observed, especially regarding the appending of "#twotenperformance". It even does this if I type the name of the business "Two Ten Performance". I ain't buying the more link-backs theory. It looks like an intentional redirect, although I have no idea why. It's a local shop that gets a modicum of local traffic.
After giving it some thought, I suspect it might be a side-effect of them using eBay to sell used parts, and someone is scraping domain names from seller contact info.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
modified 22-May-16 11:42am.
That can't be it. eBay doesn't allow addresses in the ads, so the only way to get an address is by buying something.
I wanna be a eunuchs developer! Pass me a bread knife!
You can find that sort of thing in spam emails.
On the surface it appears to be the legit site, but the code tells a different story.
I think the "#" makes it ignore anything after it.
I looked at the links from Google and didn't see the redirect, so it may be on the page itself.
I'll look at the source.
If you go to the desired url, it shows up fine. This only happens when you use a search engine, which tells me the site itself is fine.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
I have a packet capture doing it both ways; there is a strange "Jump" when using Google.
I'll have to research how this is done.
Here is the redirect.
Full request URI: http://jbfly.win:7711/jump.do?url=http%3A%2F%2Fwww.twotenperformance.com%2F
I would say it is probable that the site was compromised and it is redirecting depending on the referer.
Google if linked from Google, none if direct URL input, possibly some other site depending on what its referer string was.
They need to check the backend scripts and any extra admins added.
I would say the "#" in this case is a way so it doesn't go to that site after, but tells the site where it's going who the infected site was.
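One way to test the referer-dependent redirect described in this post from outside the site, as an added example that is not part of the thread: request the same URL with no Referer and with search-engine Referers, without following redirects, and compare the answers. The function names, the `example.com`/`example.net` hosts and the sample results are assumptions made up for the illustration.

```python
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Referer values to try; "direct" (no Referer header) is the baseline.
REFERERS = {"direct": None, "google": "https://www.google.com/",
            "bing": "https://www.bing.com/"}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx is raised as HTTPError instead

def probe(url, referer, timeout=10):
    """One GET with the given Referer; returns (status, Location, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read()

def find_cloaking(url, results):
    """Compare each probe result with the 'direct' baseline."""
    site = urlsplit(url).hostname
    base_status, base_loc, base_body = results["direct"]
    base_key = (base_status, hashlib.sha256(base_body).hexdigest())
    findings = []
    for label, (status, loc, body) in results.items():
        if label == "direct":
            continue
        if loc and loc != base_loc and urlsplit(loc).hostname not in (None, site):
            findings.append((label, "off-site redirect", loc))
        elif (status, hashlib.sha256(body).hexdigest()) != base_key:
            # Dynamic pages can differ between requests; diff the bodies by hand.
            findings.append((label, "differs from direct visit", None))
    return findings

def check(url):
    return find_cloaking(url, {k: probe(url, v) for k, v in REFERERS.items()})

# Constructed probe results (not captured traffic) for a cloaked site.
SAMPLE = {"direct": (200, None, b"<html>shop</html>"),
          "google": (302, "http://redirector.example.net/jump.do", b""),
          "bing": (200, None, b"<html>shop</html>")}

if __name__ == "__main__":
    print(find_cloaking("http://www.example.com/", SAMPLE))
```

An empty result from `check()` only means the response did not vary with the Referer; a redirect keyed on the User-Agent or done in client-side script would need a different probe.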
I checked all of the javascript, and I didn't see anything suspicious.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
It is something on the back end that is not showing up on the page we view through the browser.
The referer is the site name, not Google, for the redirect.
You would need to log into the site and look at the code behind.
If you have access to the site, see what this is:
"url=/nojavascript.aspx"
it is in the head tag at the top of the normal page.
I don't know if that is normal to put that there or not.
That's something that allows the site to react to someone that has javascript turned off. It displays an error page in that case. Nothing nefarious about that.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
I just wasn't sure if the code was changed or that was a section that they did not add. I've seen several redirect scripts using the "No Script" tag.
Just dropped this into Google search and only got 1 hit.
"http://jbfly.win:7711/jump.do"
Views better In Google Chrome
There are too many pages and scripts to go through by hand.
Perhaps this will give some ideas.
Here is a link to an article that explains how the redirect could happen.
I hope that helps them.
ledtech3 wrote: I think the "#" makes it ignore anything after it.
The hash is a goto, which should redirect you to an anchor on the same page with the ID "twotenperformance.com", which it hasn't got, so it defaults to the top of the page.
I can't see where this is happening. It's unlikely to be in twotenperformance.com's back-end, because the site redirected to appears to be a genuine merchant site, which would be unlikely to breach hacking laws.
There's nothing in the source of the redirect destination page that looks particularly suspicious (and it's identical to the source of the index.html file at the location).
Likewise in the search-engine page source (but it's probably too late to see anything, by the time the page has loaded).
Beats me.
Looks like some marketing moron has found a loophole in search-engine code/protocols.
I wanna be a eunuchs developer! Pass me a bread knife!
If you check some links on the page it lands on, they are listed as malicious.
The referer for the redirect in my packet capture is the normal host name, not Google like you would think.
Just found some interesting pages in my temp folder running a special string searcher I built.
I just have to figure out where they came from.
They contain the redirect script information.
Edit:
These turned out to just be my searches for the string in Google and Bing.
It redirects using Bing also.
modified 22-May-16 16:12pm.
I've tested a few other links; it only appears to be the main page.
By the traffic it appears something is checking the referer for that page.
Not sure what else it could be without being able to view the site code.
Is your website hosted by Arvixe?
Some unhelpful web experience with Arvixe happened recently...
Google Groups
Check for a "bot.php" file on root, or a hacked Web.config.
Yep, this was it. Someone hacked a server and installed a couple of files that redirected, modified the web config, and added an ftp account so they could go back in and do it again.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013