Sunbeltblog comments

Gravatar Funny you should bring this up, over the weekend I had the same instances except looking for some things for my son to color. Suzi knows all about it too, at a back room forum we discussed it.

I posted files and explained what I was doing, wondering if Google ought to be alerted.

Seems these guys keep getting smarter and smarter. Let's face it, from a home user standpoint, who needs access to .cn domains? Block 'em all.


Gravatar >>I posted files and explained what I
>>was doing, wondering if Google ought to be alerted.

They have been.


Gravatar I think this may be due to massive spamming of these sites' URLs to blogs (comment/trackback spam), forums, guestbooks, and possibly links on hacked websites. In the sites TeMerc had mentioned, there was evidence of this on Google when searching for those .cn domains.


Gravatar The .cn sites are no longer coming up on the Google search results, at least for me.


Gravatar They still come up in my results:

http://www.google.com/search?hl=...G=Google+Search

(obviously don't click on those pages)


Gravatar Wow they even beat out "experts-exchange" . . .


Gravatar I'm scared of search engines now.


Gravatar > from a home user standpoint, who needs access
> to .cn domains? Block 'em all.

Good point.


Gravatar I have seen this over a month ago; this is not a new phenomenon.


Gravatar Maybe, but many of these domains are brand spankin' new.


Gravatar Good job!


Gravatar LOL!
When I entered one of the links I saw this picture:
http://img91.imageshack.us/img91...framelolbp4.jpg
I thought-DAMN! Dead pixel!
Then I switched to other tab and..gone!
Then I figured how lame the IFRAME is...lol


Gravatar Interesting post...but clarification needed on the mechanism behind these search results. How does the 'seeding' take place?


Gravatar I hereby request Google rename their "I'm Feeling Lucky" button to "Goodbye, Cruel World" button.


Gravatar I agree with nhoffmsn; this has been going on for around six months now. No matter what you enter, these sites will show up. The only thing to do is to add "-.cn" to the search criteria, as in:

http://www.google.com/search?hl=....cn&btnG=Search

BTW: A dead giveaway for these sites is their summary, which clearly makes little to no sense:


We will vpn reasons for using paper towel germination technique watchguard vpn disconnected applications winter break vpn discussion board ? ...

and


Must set watchguard vpn disconnected applications short sophisticated haircuts types of vpn connections pc flash media reseaux champs sur marne windows ce ...


Now, even with not "randomized" web sites such as these, you may find garbage like this in search results.. IMO sites like these should be avoided like the proverbial plague as well!


Gravatar One of the sites I found redirected to a site advertising a rogue antivirus program (I think it was AntiVirusPro). I also got the Video Access ActiveX popup.

Are there any zero-day exploits involved? Can fully patched systems become infected?


Gravatar I've also been redirected to an advertising site called lookuplive.com, not sure if this one uses exploits or not.


Gravatar Search for any random set of four common words in conjunction with [site:cn], and you'll find dozens, perhaps hundreds, of these suspicious domains. For example:

http://www.google.com/search?q=s...tney+window+cat

I'd bet that running a bunch of similar searches would yield many thousands of these domains! (But I hope that by the time anyone has the chance to try this idea, Google has already purged the domains from its index.)


Gravatar I want to strongly caution everyone NOT to click on these links. There's sploit code in there...


Gravatar Looks like Google is extensively filtering now; the examples you used (with the exception of Scott's) won't bring any .cn domain in the top ranking sites; Scott's search on four valid, yet unrelated, words will still bring up a wagonload of Chinese sites, but then... he requests sites in China, so that was to be expected


Gravatar I checked those keywords now and actually many malicious sites are gone.


Gravatar Well, the cranks fiddling the search results thankfully haven't found any way to make their results look like they come from a real site.

Not sure if it's more hilarious seeing prompts for ActiveX control downloads in Firefox!


Gravatar I could go there and nothing would happen because I use Opera. Why not test your browser for vulnerability here: http://bcheck.scanit.be/bcheck/stats.php
But then, I really wonder, why has Sunbelt, as a security company, not found out about this long-standing phenomenon 2 or 3 years ago? How much profit is in it for you by exposing this old threat now, I wonder?


Gravatar Anonymous, just what the heck are you talking about? SEO work by criminal gangs is not uncommon, but something on this scale? Please.


Gravatar Uhm... funny... If "Anonymous" really uses Opera and didn't see any of the examples posted here originally... then there is something wrong.

I am on a *nix system and use Opera exclusively and, when posted here, I clearly saw these malicious sites, period!

Trolling attempt?


Gravatar en...it's the old spam, right? I remember that two years ago there were many cloaks like this in Google, especially China.


Gravatar I have a new twist on this which I haven't seen before.

We have our website, along with several of our customers' sites, hosted on the same physical server which is co-located in Texas. If you type the URL directly into the address bar, you will reach the intended destination. No malicious redirects occur.

However, if you search for that domain using either Google, MSN, or Yahoo, the search results appear to be correct. And here's where it gets interesting. Clicking on the search results redirects you to a malicious page! The malicious IP address was tracked to The Netherlands.

Fortunately for me, I use the latest Firefox and it immediately blocked access to the malicious site (in a very reassuring RED screen.)

I double-checked my javascript settings to make sure that the "Allow scripts to alter Status bar text" was unchecked. Hovering over the search result link points to the right address. Copying the link location and pasting into notepad also confirms the correct address. Pasting the link into a new tab, goes to the correct site without the malicious redirect. It's only when you click on the search result that a redirect is attempted.

Has anyone seen this behavior before?

Further info: nslookup returns the correct IP.


Gravatar Update:

A colleague analyzed the HTTP traffic from a remote location. It appears that the server has been compromised. The exploit appears to not be triggered when one types the URL directly into the address bar. It has nothing to do with the search engines after all.

This sucks.


Gravatar I don't know who's doing it. If ever I found out & if they have a physical place to go, there would be a few nasty words over the phone followed by a baseball bat to their admin offices. I'm sure that I'm speaking for the rest. We're fed up with the crap that's coming over the internet. Even though I have the latest antivirus/malware etc. protection.
My problem is every time you do a search, before you get to your result something hijacks it & brings up something else, e.g. yahoo.com


Gravatar An hour ago, I hit this google search link (see below) whereupon my firefox browser was immediately hijacked. The window showed what looked to be an explorer file directory and a dialogue box showed a program being downloaded, while another dialogue box wanted confirmation of something or another - it was a bit of a blur. As was my reaction, where I immediately hit the close x button and then I got this odd looking 'are you sure you want to do this' dialogue box. So I said screw that and went to task manager and shut down the browser using end task. I reported this using firefox's "report web forgery" link - don't know if it will help... Google should not be listing malicious links!


link killed by siteowner


Edited By Siteowner


Gravatar Follow up:

Ok, it happened again today. This time I didn't panic and got some more information that should be useful to know:

1. I googled "CBS Tennis Blog" (different from yesterday, tho related) and I hit the first link given to me. This again took me to the same malicious site as yesterday.

2. The offending url is: my_secured_system.net (minus the underscores).

3. According to www.malwareurl.com, it says: WARNING: All domains/IPs listed on this website should be treated with extreme caution.
Some of them will automatically infect your computer.

It is completely unacceptable for Google not to do its own SiteAdvisor-like warnings given it's the premier search engine in the world.

Bottom line: BE AWARE!


Gravatar Yeah, see that. It's horrible. But not surprising given how much SEO poisoning is going on...

