Google Search Result Redirect Page Hijacked For NodeSummit (google.com)
10 points by travisglines on Feb 11, 2012 | 8 comments



I dealt with this a lot at a hosting company I worked for. This is almost certainly a .htaccess file that is set to only redirect based on referrer. It is normally under several hundred blank lines, to make it look empty to the casual observer.
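A check for the pattern described in the comment above, as an added example that is not part of the original thread: it scans `.htaccess` content for directives sitting below a long run of blank lines and for rewrite rules that send visitors to an external URL only when a `Referer` condition matches. The function name, the 50-line threshold and the sample file are assumptions constructed for illustration.

```python
import re

BLANK_RUN_THRESHOLD = 50  # assumed cut-off for a "suspicious" run of blank lines
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)
EXTERNAL_URL = re.compile(r'^https?://', re.I)


def scan_htaccess(text):
    """Return (line_number, finding) tuples for one .htaccess body."""
    findings = []
    blank_run = 0
    referer_cond_pending = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= BLANK_RUN_THRESHOLD:
            findings.append((lineno, f"content after {blank_run} blank lines"))
        blank_run = 0
        if REFERER_COND.match(line):
            referer_cond_pending = True
            continue
        rule = REWRITE_RULE.match(line)
        if rule:
            target = rule.group(1)
            # An absolute URL to another host as the substitution
            # causes an external redirect.
            if referer_cond_pending and EXTERNAL_URL.match(target):
                findings.append((lineno, f"referer-conditional redirect to {target}"))
            referer_cond_pending = False  # conditions bind to the next rule only
    return findings


# Constructed sample: a normal-looking file with rules hidden below 300 blank lines.
SAMPLE = (
    "# constructed sample, not taken from the thread\n"
    "DirectoryIndex index.php\n"
    + "\n" * 300
    + "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*bing.* [NC]\n"
    "RewriteRule ^(.*)$ http://redirect-target.example.invalid/ [R=302,L]\n"
)

if __name__ == "__main__":
    for lineno, finding in scan_htaccess(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Ordinary hotlink protection (a `Referer` condition followed by `RewriteRule ... - [F]`) is not flagged, because its substitution is not an external URL.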


It can't be.

I can't access the linked url (it's https: http://news.ycombinator.com/item?id=3575029), but as far as I remember, if an HTTPS page links to (or redirects to) another page that is not on the same domain, the HTTP REFERRER field will be empty.


Google's redirect is not an HTTPS link, so it sends the referrer (see my comment below).


Click the top link (NodeSummit)

The Google redirect is landing on a page with malware by the looks of things.

Edit: Picture of the page it redirects to ...

http://i.imgur.com/EgwKs.png


Nodesummit.com is hacked, not Google. Redirect is active for referrer:

    curl --head --referer 'http://www.google.com/url?{...cut...}' http://nodesummit.com
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 11 Feb 2012 00:32:36 GMT
    Server: Apache/2.2.9
    X-Powered-By: PHP/5.2.17
    Location: http://costabrava.bee.pl/
    Vary: User-Agent,Accept-Encoding
    Content-Type: text/html


Why '302 Moved Temporarily'? Wouldn't '301 Moved Permanently' serve the hacker's purpose better?


Ahh good call, I was thinking it couldn't be Google ...


We (nodejitsu) sponsored NodeSummit, but have no control over nodesummit.com. I have reached out to Charles Beeler (the conference organizer) to make him aware of the issue.



