Some time ago I had a series of posts about the .htaccess exploit that redirected search engine traffic to bogus antivirus sites.
This sort of exploit is still very widespread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and the sites mentioned on Google’s Safe Browsing Diagnostic pages have nothing to do with their site’s content.
Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:
Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.
When I see multiple antivirus-related domain names in the diagnostics, I’m almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still, I need to verify my guess.
The easiest way is to use a web browser. Just go to Yahoo and search for the domain name. Then click on the site’s search results. (You can’t use Google because it won’t let you click through the blacklisted links.) If the assumption about the .htaccess hack is correct, you will land on some bogus antivirus site or on a porn site.
While this detection technique works well, it’s not something you want to do in real life. It is very unsafe: you expose your own system to unnecessary threats by browsing the malicious sites.
Unmask Parasites used to be the safest and easiest way to detect malicious redirects. Unfortunately, the current modification of this exploit is poorly detected by Unmask Parasites (I’m working on the update), so I’ll show how to use another free tool called wget.
I’m using wget because:
Here is the wget command that you can use to reveal hijacked search engine traffic:
wget --referer=http://google.com "http://www.example.com/"
This command downloads a web page from www.example.com (replace it with your own site address).
The --referer option sets the Referer header in an HTTP request. It makes the www.example.com web server think that a user clicked on a link on the referring site to get to www.example.com. In our case we use --referer=http://google.com to simulate a click on a Google search result. Alternatively, you can use --referer=http://yahoo.com to simulate a click on a Yahoo search result.
If this request gets redirected, you will see redirect responses (301 or 302) with the new locations in the command log.
Here is a sample wget log of one hacked site (I replaced its address with www.example.com):
>wget --referer=http://google.com "http://www.example.com/"
Resolving www.example.com... done.
Connecting to www.example.com[216.193.xxx.xx]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://spyware-software .info/0/go.php?sid=2 [following]
--01:47:55-- http://spyware-software .info/0/go.php?sid=2
Resolving spyware-software .info... done.
Connecting to spyware-software .info[126.96.36.199]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tubeloyaln .com/scan/?id=260 [following]
--01:47:55-- http://tubeloyaln .com/scan/?id=260
Resolving tubeloyaln .com... done.
Connecting to tubeloyaln .com[188.8.131.52]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 15,987 8.86K/s
01:47:58 (8.86 KB/s) - `index.html@id=260.1' saved 
You can see a chain of 302 redirects here: www.example.com -> spyware-software .info -> tubeloyaln .com
The names of the malicious sites used in this chain change almost every day, so most likely you’ll see sites that don’t match the ones mentioned on Google’s diagnostic page. Still, the domain names are very similar: e.g. spyware-software .info vs. module-antispyware .info.
In this example, instead of the home page of www.example.com, wget downloaded a fake “My computer Online Scan” scam page from tubeloyaln .com. If you remove the --referer option from the wget command, you’ll get no redirects and the real home page of www.example.com will be downloaded.
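The same with/without-Referer comparison as a small Python script, added here as an example (it is not code from this post or from the Unmask Parasites project). It requests the page twice, once with a Google Referer and once without, refuses to follow redirects so the first hop stays visible like wget’s “Location:” line, and flags the site when only the simulated search-engine click gets a 301/302. A tiny local HTTP server stands in for the hacked site so the script runs offline; the server, the search-engine list and the scam URL are constructed placeholders.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEARCH_ENGINES = ("google.", "yahoo.", "bing.")  # assumed referer patterns the hijack keys on
SCAM_URL = "http://scam-site.invalid/scan/?id=1"  # constructed placeholder, not a real host

class HackedSiteHandler(BaseHTTPRequestHandler):
    """Stand-in for a site with a hijacked .htaccess: 302 only for search-engine visitors."""
    def do_GET(self):
        if any(se in self.headers.get("Referer", "") for se in SEARCH_ENGINES):
            self.send_response(302)
            self.send_header("Location", SCAM_URL)
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>real home page</html>")

    def log_message(self, *args):  # silence per-request logging
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):  # stop at the first hop
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, referer=None):
    """Return (status, Location) for one GET without following redirects."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=5) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # a 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")

def check_hijack(url):
    """Hijacked = direct visit is 200 but a simulated Google click gets a 301/302."""
    direct, via_google = probe(url), probe(url, "http://google.com/")
    return {"direct": direct, "via_google": via_google,
            "hijacked": direct[0] == 200 and via_google[0] in (301, 302)}

def start_fake_site():
    """Serve the simulated hacked site on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), HackedSiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/"
```

Against a real site you would call check_hijack("http://www.example.com/") and, if it is flagged, repeat probe() on each returned Location to walk the chain hop by hop without ever rendering the scam page.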
If you detect the malicious redirects, check this article to find out how to resolve the issue.
Hope this little trick saves you some time.