#1
...of some sort of DNS hijack?
I wanted to remind myself of the link to the e-book reader Ubook, so obviously I typed it into Google. The first result is its official page, www.gowerpoint.com. However, if I click that, a random page, usually of a fake "virus scanner" or a Russian pseudo-porn site opens. The same happens with YahooSearch results. Curiously, if I disable referer, the page that opens seems to be the actual Gowerpoint.com. Is anyone else experiencing this, meaning that (I assume) gowerpoint.com is a victim of some sort of URL hijacking attempt, or is there (gulp) something lurking on my system...? (Rootkit scans show nothing, the browser - Firefox - is in a sandbox)
#2
Curiously, too, clicking the www.gowerpoint.com link in the above message seems to open the proper page. The bad pages seem to only open from Google & Yahoo. I've tried several other terms to see if it's me after all, but all other searches open the proper target pages... only "ubook" results in the bizarre fake link.
#3
Can you post a screen shot of the search page?
thanks,
---- rich
#4
#5
Could you post a larger image?
Meanwhile, that site does not load here from Google nor Yahoo if I enable referrer logging.
---- rich
#6
OK, thanks.
See this article, where the Google page is injected with bogus URLs. This doesn't seem to be related to your situation.

Troublesome Google hijacking - redirects results through 7.7.7.0
http://madmarvonline.com/blog/2009/0...-through-7770/

Since the page no longer loads from the search engine with referrer logging enabled, a good guess is that the Russian site is not working. But not enough information is available to determine if this is related to the old Google referrer exploit.
---- rich
#7
The exploit is now working again from Google. With the firewall set to alert, we can follow the steps.
First, the connection out to gowerpoint.com:
Then the first redirect to a Russian site. Note that gowerpoint.com still shows in the status bar.
Now, another redirect:
And finally to the bogus antivirus site:
This is a classic Referrer exploit and the webmaster for gowerpoint.com needs to be notified.
---- rich
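
The check described in post #7, as an added example that is not part of any post in this thread: request the same URL with and without a search-engine Referer, do not follow redirects, and report any referer whose response differs from a direct visit. The `_DemoSite` server, the `redirect.invalid` target and the referer strings are constructed stand-ins so the script runs offline.

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed referers imitating a click from a search results page.
SEARCH_REFERERS = ["https://www.google.com/search?q=ubook",
                   "https://search.yahoo.com/search?p=ubook"]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx surfaces as HTTPError

def probe(url, referer=None):
    """One GET without following redirects -> (status, Location header)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    # Empty ProxyHandler: connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location")

def referer_cloaking(url, referers=SEARCH_REFERERS):
    """Referers whose response differs from a direct (no Referer) visit."""
    baseline = probe(url)
    return [(r, res) for r in referers if (res := probe(url, r)) != baseline]

class _DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in: clean on direct visits, 302 for search referers."""
    def do_GET(self):
        ref = self.headers.get("Referer", "")
        hit = "google." in ref or "yahoo." in ref
        self.send_response(302 if hit else 200)
        if hit:
            self.send_header("Location", "http://redirect.invalid/")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), _DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return referer_cloaking("http://127.0.0.1:%d/" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

A site owner can call `referer_cloaking()` on their own URL; an empty list means the responses matched for every referer tried.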
#8
Ah, I was suspecting something of the sort... thanks.
#9
I contacted the web site and the owner responded that he was not aware of this problem. But he has been looking for a new hosting company for a while because of some other issues, so plans to change soon.
Some of you may remember the SloanTreeFarm exploit a while back, discovered by noway - there was a long thread on it here. The owner of the site joined in the discussion and it was finally determined that it was a problem at the hosting company. Evidently, as with XSS and SQL injection, there are tools that let hackers determine where vulnerabilities are. Once identified, it is rather easy to create the exploit.
---- rich
#10
This exploit is being forced onto unsuspecting hosting companies as well as their customers' websites are being laced with those types of exploits because I have randomly run into that AV 2009 rogue page many times in the past 3 months alone without the owner knowing they've been hacked with it.
And oddly enough those creeps are targeting the highest Google ratings for maximum distribution of their sneaky garbage exploit. So be on the watch even when innocently googling because this is epidemic right now and when one website fixes it they look for others to infect.
EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 3.3.6 | X Iron 17.0 | Chromium 19.0 | CometBird 11
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
#11
I do hope a permanent solution against this is found, because the scum could easily use this method in an infinitely more dangerous way (which I better not suggest here)...