Delisted from Google's blacklist, but still has "Reported Attack Page" in Firefox 18.0.1
A site of mine was delisted from Google's blacklist, but still has "Reported Attack Page" even though I have updated to Firefox 18.0.1. (Refer bug 820283 - https://bugzilla.mozilla.org/show_bug.cgi?id=820283)
الحل المُختار
This looks like an issue with the referrer.
It doesn't happen if the referrer is disabled, so it looks that your server is still infected and redirects if it detects a Google referrer.
Forcing the referrer to Google and force a reload already causes the redirect. http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my
You will have to contact the hosting company to look into this.
http://mj.edu.my/ GET / HTTP/1.1 Host: mj.edu.my User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my%2F&ei=zYkHUcn7BO-k0AXS1oCwBg&usg=AFQjCNFk9gMFEWhR1Sb6huleXTJlop0lOw Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn Connection: keep-alive HTTP/1.1 302 Moved Temporarily Server: Apache X-Powered-By: PHP/5.2.17 P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Location: http://0001.2waky.com Content-Length: 0 Keep-Alive: timeout=3, max=10 Connection: Keep-Alive Content-Type: text/html
http://mj.edu.my/ GET / HTTP/1.1 Host: mj.edu.my User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn Connection: keep-alive HTTP/1.1 200 OK Server: Apache X-Powered-By: PHP/5.2.17 P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: s5_qc=3416a75f4cea9109507cacd8e2f2aefca4xn Last-Modified: Tue, 29 Jan 2013 08:37:43 GMT Keep-Alive: timeout=3, max=10 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8Read this answer in context 👍 0
All Replies (8)
The site is http://mj.edu.my, if it's important. What can I do about it?
Thanks all in advance.
Works fine here with Firefox 18.0.1
Try to set the Integer pref urlclassifier.max-complete-age to 0 on the about:config page.
Modified
Hi cor-el, many thanks for your reply. Still prevalent after trying at my side... let me elaborate more, this does not happen if I directly load the site. It only happens if the site is searched from Google (google.com.my) with keywords "Minda Jaya Language Center".
As mj.edu.my is listed at the top of search, once clicking it redirects to the attack site. Doesn't happen in Chrome and IE, and the site is confirmed safe to browse by Google Diagnostics. Hmmmm.....
الحل المُختار
This looks like an issue with the referrer.
It doesn't happen if the referrer is disabled, so it looks that your server is still infected and redirects if it detects a Google referrer.
Forcing the referrer to Google and force a reload already causes the redirect. http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my
You will have to contact the hosting company to look into this.
http://mj.edu.my/ GET / HTTP/1.1 Host: mj.edu.my User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my%2F&ei=zYkHUcn7BO-k0AXS1oCwBg&usg=AFQjCNFk9gMFEWhR1Sb6huleXTJlop0lOw Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn Connection: keep-alive HTTP/1.1 302 Moved Temporarily Server: Apache X-Powered-By: PHP/5.2.17 P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Location: http://0001.2waky.com Content-Length: 0 Keep-Alive: timeout=3, max=10 Connection: Keep-Alive Content-Type: text/html
http://mj.edu.my/ GET / HTTP/1.1 Host: mj.edu.my User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn Connection: keep-alive HTTP/1.1 200 OK Server: Apache X-Powered-By: PHP/5.2.17 P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: s5_qc=3416a75f4cea9109507cacd8e2f2aefca4xn Last-Modified: Tue, 29 Jan 2013 08:37:43 GMT Keep-Alive: timeout=3, max=10 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8
Many thanks for the information, I will provide updates once I get any response from the hosting team.
You're welcome.
Update: I have managed to find a few more files that were still infected, which has codes that redirects to the attack site if it's a search engine referrer (thanks cor-el). Now the problem no longer exists. Thanks!
You're welcome