Redirect from RB site in Google searches?

[KingOfPain]

Nathan is on leave of absence. It was gracious of him to stop by and look, and provided me with some advice. I must say they look all geek to me, and looks like I need to dig deep. What I have to remove is hidden all over the VB scripts as you suspect. I'd also need to upgrade to the latest patch once it's done.

I am sorry to say it is going to take longer then it needed be because it looks over-my-head and I am having some eye issues that I can't spend extended amount of time reading text...

[Kylearan]

Hi KoP,

it's okay if it takes some time, as long as it's done at all. Many webmasters simply don't care which plays right into the hands of the criminals, so thanks for doing this.

[T-hawk]

Are there any offline backups of the code that you can restore from? I had the same thing happen to my site at http://www.dos486.com, something got access and injected malware links into all the HTML files. I recovered from that by re-uploading from my clean local copy.

[fantasticsid]

Sorry to necro a month old thread, but since the problem's still ongoing (well, insofar as the redirect's still happening, although admittedly "twowayserf.com" no longer exists, so it's more a problem of style than function now) I figured I'd chime in with my 2c.

These "twowayserf" tools seem to operate by taking advantage of bad filesystem permissions to upload busted .htaccess files which use mod_rewrite to 302 a user based on his referer (you knew this already I assume.) Based on some other poor bastard's report here it looks like it triggers on a bunch of search engine URLs in the Referer: field (99% of that guy's .htaccess is making sure that the user-agent in question is actually a browser, by the looks.)

In a nutshell, I'd suggest that the 10 second fix is to disable .htaccess globally for the RB vhost in your apache config. Having said that, VBulletin may well need .htaccess for legit functionality, so you could also try disabling mod_rewrite for RB, which would also do the trick.

If you have shell access to the machine RB's hosted on, you should be able to do something like "find . -name .htaccess -exec sed -ie 's/^Rewrite/#Rewrite/' {} \; " from RB's webroot, which will comment out any mod_rewrite invocations within htaccess files, while having no other side effects.

Of course, to prevent a recurrence of this issue you'll likely need to figure out how they suborned your .htaccess files in the first instance.

Again, apologies for the epic thread necromancy, but I figured my 2c may be useful to somebody. Feel free to ignore the noob/tell me to GTFO.

[Ilios]

Sorry to necro a month old thread, but since the problem's still ongoing (well, insofar as the redirect's still happening, although admittedly "twowayserf.com" no longer exists, so it's more a problem of style than function now) I figured I'd chime in with my 2c.

These "twowayserf" tools seem to operate by taking advantage of bad filesystem permissions to upload busted .htaccess files which use mod_rewrite to 302 a user based on his referer (you knew this already I assume.) Based on some other poor bastard's report here it looks like it triggers on a bunch of search engine URLs in the Referer: field (99% of that guy's .htaccess is making sure that the user-agent in question is actually a browser, by the looks.)

In a nutshell, I'd suggest that the 10 second fix is to disable .htaccess globally for the RB vhost in your apache config. Having said that, VBulletin may well need .htaccess for legit functionality, so you could also try disabling mod_rewrite for RB, which would also do the trick.

If you have shell access to the machine RB's hosted on, you should be able to do something like "find . -name .htaccess -exec sed -ie 's/^Rewrite/#Rewrite/' {} \; " from RB's webroot, which will comment out any mod_rewrite invocations within htaccess files, while having no other side effects.

Of course, to prevent a recurrence of this issue you'll likely need to figure out how they suborned your .htaccess files in the first instance.

Again, apologies for the epic thread necromancy, but I figured my 2c may be useful to somebody. Feel free to ignore the noob/tell me to GTFO.

I have no idea what this means, but it sounds pretty clever, so I suggest we do whatever he says.

[Qgqqqqq]

just bumping because im pretty sure this is not fixed. ifim right it should probably be sticked to

[Atlas]

Still getting this problem, searching from Yahoo fixes the search result problem.

[Jtm]

The problem is still present. Seemingly every hundredth or so click goes to following url:
url: twowayserf.com/cgi-bin/r.cgi?p=10003&i=db89d4dd&j=320&m=355730b2230e946f310ab6f79c1ea293&h=realmsbeyond.net&u=/forums/forumdisplay.php&q=f=56&t=20120903032943

I do not believe this is search engine issue. I believe the entry point to Realms Beyond forums is somehow infected. I'd suggest admins check serverside for infections and unknown routines. There are malicious programs that only redirect every tenth or even every thousandth entry. They hide by doing this redirection statistically so rarely that people think it is not worth mentioning and investigating.

[Kylearan]

Hi,

The problem is still present. Seemingly every hundredth or so click goes to following url:

Could you (or a mod) please edit your post so that the URL is not clickable? Otherwise people might accidentally click on it and infect themselves.

Thanks!

-Kylearan

[plako]

I joined the long list of people accidentally being redirected to twowayserf from google link. My virus protection didn't block the site and virus scanning my computer doesn't seem to bring any hits. So does anybody really know what this site really tries to do and should I be worried?