I'm horrified - is this spyware????



webmidwife
03-23-2004, 09:02 PM
I hope it's okay I'm posting this here - I wasn't sure where to post it - but I'm totally perplexed!!!

I just spoke with my Brother-in-law on the phone, he called me because he was on my Web Midwife site. I had a bulleted list in the middle with all the options I offer - and one of them was "Complete Web Hosting Packages" - well he said every time he clicked on it he was taken to a completely different site, offering web hosting packages, but with a different look, different prices, different shopping cart.

I was horrified because I didn't put a hyperlink on that bulleted list - AND I couldn't see the hyperlink at all on my computer. He said that the browser still said http://www.webmidwife.com - but that the bottom part had a different name - and the site was totally different. So this leads me to believe that someone has either somehow gotten on my site and duplicated it to theirs - OR he had some type of spyware on his hard drive that took certain keywords and redirected to another site while masking the current site in the browser address window.

Is this possible????? And now I'm wondering how many of us have this happening and we don't have a clue?? This is horrifying - because I really try to cultivate new clients/customers, and to think that someone is stealing them right out from under me - it's a horrible thing to do!!!

I changed my home page and now the hyperlink is gone, according to my BIL - what's the freaking internet coming to????

Thank you for letting me vent - but I thought you all would like to know this too, as this could affect all of us in one way or another.

EJRS.COM
03-24-2004, 12:38 AM
Wow that's really bad that it happened to ya. I really hope that it quits happening. Someone must be hacking into your server and messing with you.

It's not spyware. Spyware can be gotten rid of with http://ejrs.com/spybot

I hope you win the war against your hacker. Might wanna change to a more secure host.

ldyguique
03-24-2004, 09:27 AM
Webmidwife --

It's hard to know just exactly what happened; however, I do know that if the URL was yours, there is only one place that the browser can attempt to go -- to the URL listed. Without going deep-tech, it's "how the net works." The following is the public record about the domain, "WEBMIDWIFE.COM." I "assume" that this is YOUR information. Since the registration is mid-cycle for the year, there is no recent renewal or potential lapse in renewal; therefore, it's unlikely that someone else bought your domain while it was lapsed. There IS a webmidwife.org registered; however, it's dormant and has an "under construction" type of page -- perhaps, your BIL failed to type the *.com and the browser autofound the *.org?

RTSDNS.NET = the server where the website is located, OR where the hosting is taking place. There CAN be a repoint from that server to somewhere else, which would keep YOUR URL in the browser and would go elsewhere. But, you would have to specially request this particular action with your WH company, either through a tech support phonecall or through an action in your control center with the WH company.


Please note: the registrant of the domain name is specified in the "registrant" field. In most cases, Go Daddy Software, Inc. is not the registrant of domain names listed in this database.

Registrant:
Beyond Fertility.com
P. O. Box 201
Heber Springs, Arkansas 72543
United States

Registered through: GoDaddy.com
Domain Name: WEBMIDWIFE.COM
Created on: 19-Sep-03
Expires on: 19-Sep-05
Last Updated on: 18-Dec-03

Administrative Contact:
Ramsey, Lori
Beyond Fertility.com
P. O. Box 201
Heber Springs, Arkansas 72543
United States
5013622858 Fax --
Technical Contact:
Ramsey, Lori
Beyond Fertility.com
P. O. Box 201
Heber Springs, Arkansas 72543
United States
5013622858 Fax --

Domain servers in listed order:
NS.RTSDNS.NET
NS2.RTSDNS.NET

There is a process called hijacking (http://www.cexx.org/adware.htm) and this link will take you (or your BIL) to a site that gives a good explanation of this particular type of malware (have to scroll down a bit). But, it will show the URL to the site that you've been hijacked to.

Hope this clarifies things a mite.

EJRS.COM
03-24-2004, 09:46 AM
With Godaddy.com you can register privately and it may help reduce the spam by a bit. At $9 it's pretty reasonable.

PRIVATE REGISTRATIONS
Protect yourself from spam, scams, prying eyes and worse.
Only $9.00

ldyguique
03-24-2004, 09:58 AM
Jeremy --

I just responded elsewhere in the Forums about public vs private for a business. I truly believe that if one is planning on operating a business, that part of one's credibility is to be public. Does it make me nervous? Oh yeah! But, I do think that it's critical information that is "technically" available to a potential customer if they know how to use whois.

I have to admit that I'm uncomfortable with being this public; however, it's part of the price of doing business on the internet. If I expect a total and complete stranger to spend their money with me, they have a right to know who I am as much as is feasible. If I ran a storefront, they could drop by and I'd only be dealing locally.

I think that making one's domain private is counterproductive to good business practices.

ronniethedodger
03-24-2004, 11:57 AM
It was probably hacked into. I noticed that he uses Front Page Extensions and down toward the bottom there are some MSnavigation links (where the ToodleBug.com anchor is).

I am not an expert on any of this, but it seems to me that anyone can easily "publish" or update to your pages if they are not secured well. Since you have already taken down the bulleted list, I could not see how you actually had it set up. But my feeling is that someone may have access to your site right now and you may want to go over the security of it....or do away with the extensions altogether and not use them.

Also I do not know what this BIL is in reference to. But if that is your main go to guy or service, you may want to direct your questions to him/her/it. It is also possible that whoever did hack the site, is using some type of browser detection or detecting your particular IP address so that YOU will not see the links...but we can....n'est-ce pas?

ptellep
03-24-2004, 03:29 PM
Brother In Law

stugre
03-24-2004, 03:48 PM
Hmmm... I got some spam the other day offering to do just this kind of thing. It basically said you could select keywords, which when they came up in browsers with their particularly venomous software installed, would underline and make a hyperlink your keywords whatever page they appeared on.

The spam was image based, and opening it now their site has been taken down so I can't provide any more details sadly. I remember it very clearly though, it was offering to put some kind of brown underline under the words you chose. It stuck in my mind because I recently managed to get some spyware installed that inserted kanoodle results at the top of Google and Yahoo searches, was amazed at how it worked and just thought this was another variation on a theme.

Of course you could have been hacked, but it would be hard work for a hacker to do for just one website...

cyanide
03-24-2004, 03:48 PM
Hi Lori,

Sorry to hear that happen to you...
Hard to know exactly what happened, however, I would lean towards ronniethedodger's suggestion, that someone found an exploit, could be from FrontPage, and modified your home page.

lorikelley66
03-24-2004, 03:51 PM
we had the same if not similar problem about a year ago and inserted some code in the meta tags of all our pages that prevented this problem for us. Here it is:

<meta name="MSSmartTagsPreventParsing" content="TRUE">

Good luck!

paulhiles
03-24-2004, 03:57 PM
we had the same if not similar problem about a year ago and inserted some code in the meta tags of all our pages that prevented this problem for us. Here it is:

<meta name="MSSmartTagsPreventParsing" content="TRUE">

Although there are certain similarities in the way the link has been "hi-jacked" with those of Smart Tags, the rest of the description, that the 'linked' page had different content, yet shared the same address, would seem to point to the site being accessed via some exploit (perhaps via FrontPage extensions).

palfreymedia
03-24-2004, 03:59 PM
It sounds like adware to me. I ended up with adware on my computer not very long ago. This can happen very easily if you download a lot of shareware ... adware is often bundled with it. If you download adware most of the time you won't even know you've installed it.

The one I had was called "Ezula." I probably won't get the technical specifics correct but how I understand it: Ezula runs with Internet Explorer, and when IE loads a page Ezula goes through that page and adds its own advertising. For example, if someone has paid Ezula for the keyword "Web Hosting," that keyword will always appear as a link to that advertiser's page (to anyone running Ezula) regardless of where on the Internet it appears. In other words, if you have the keyword "Web Hosting" on your page, everyone with Ezula will see it as a link to that advertiser's website.

If your brother in law had Ezula or something similar on his machine, that would explain why he could see the link but you couldn't. In my opinion, this is stealing and it's very very unethical. But apparently, it is legal.

Adware is often difficult to remove. You can uninstall it, but it may keep mysteriously coming back. If you have adware on your computer, you may need to use a removal tool such as Adaware to get rid of it.

A good site about Adware: http://www.thiefware.com

Good luck ...

ste-bo
03-24-2004, 04:00 PM
I don't mean to be negative but as a professional web hosting / designing company it seems funny you should be posting such a question. Are you not supposed to be up on these things if you are designing and selling web sites to clients?


Would it not have been better to save the code for the last web site so we could see what you are referring to? It seems people are just posting their random thoughts.......

Marilyn
03-24-2004, 04:09 PM
I heard something similar years ago, that when a client selects a certain key word on your site, they could be led to another site.
The solution to that is to include this in your meta tag area:
<meta name="MSSmartTagsPreventParsing" content="TRUE">

You should put this on every page on your site.

DosDog
03-24-2004, 04:22 PM
Marilyn has the answer, it's smart tags.

palfreymedia
03-24-2004, 04:23 PM
The solution to that is to include this in your meta tag area:
<meta name="MSSmartTagsPreventParsing" content="TRUE">

You should put this on every page on your site.

It's my understanding that that won't actually help ... that's something you could do back when Microsoft was talking about putting adware-type functionality in Internet Explorer. The idea was so controversial that they ended up not doing it, so using MSSmartTagsPreventParsing won't do you any good.

Since adware like Ezula isn't built in to the browser and isn't related to Microsoft at all, it won't recognize that meta tag.

chelle60
03-24-2004, 04:41 PM
I don't mean to be negative but as a professional web hosting / designing company it seems funny you should be posting such a question. Are you not supposed to be up on these things if you are designing and selling web sites to clients?


Would it not have been better to save the code for the last web site so we could see what you are referring to? It seems people are just posting their random thoughts.......


Do you think someone who's got a midwife web site intended to have a link advertising web hosting? I think that's the root of the problem - it wasn't her link.

luvdavy
03-24-2004, 04:43 PM
I recently managed to get some spyware installed that inserted kanoodle results at the top of Google and Yahoo searches, was amazed at how it worked and just thought this was another variation on a theme.



I picked up something that is inserting things into Google as well. It seems to have something to do with the Google Toolbar, but I've removed it and even downloaded it again, and I can't make it go away. None of my spy programs will pick it up, either..I've tried Spy Blaster, Spy Guard, Swat It, and Spy Blocker? I think...all the top ones. Nothing will detect it. Is this what you are talking about? I'd give anything to get rid of this parasite...drives me nuts.

Jan

stationaryobserver
03-24-2004, 04:49 PM
Did you people read his post? Hackers..rofl.

His page loads differently on his brother-in-law's computer. It's not a hacker. As some people have said, it sounds like spyware. It wouldn't be that difficult to do. The trojan simply puts itself between incoming data and your browser. It can then load whatever it wants, tag key words with links etc.

If I were you or your brother in law, I would document all of it and contact ANY companies whose products were linked to by the site. They are paying some guy to advertise for them, and this is how he is doing it.

A hacker would just change your site to say CULT OF THE DEAD COW OWNZ YOU. HACK THE PLANET!@ PROPS MY MAH BOY CHEDDAR AND jMan. Most hackers could give a f*ck about the contents of your site and would only be interested in having something to show off to their friends and add to the list of 'Sites I've hacked'. If you have something valuable on your site and the hacker wants it, they won't be silly enough to let you know that you've been hacked- that's how you get caught, called a 'terrorist' and thrown in jail.

If I were you, I'd tell your brother in law to a) Format his hard drive and install Linux, or b) Donate the computer to someone else, or charity or sell it on ebay and get a new Mac.

Believe it or not, Linux and Mac folk don't have to deal with lame things like 'Popups' or the dumb ad messages that appear because Microsoft Windows has unpatched security holes, we don't worry when 'the massive killer virus attacking PCs' is released because it won't affect us.

The sooner you realize Microsoft Windows is a p.o.s, and stop wasting your time trying to figure out how to prevent getting a new virus, trojan, or spyware, the better.

It doesn't have to be this way. Get a clue. Microsoft Windows is good for one thing. Games. Above and beyond that there's a better solution for absolutely everything :D


I would also like to add, that some of you have absolutely no idea what you're talking about. Some guy down there in the thread attacked this guy's professionalism because some spyware is taking over his relative's computer. ROFL. And the people with the smart tags. lol ! LOL. As if the spyware programmer CARES about your tags. lol.



THROW AWAY YOUR OPERATING SYSTEM.

ChadHerring
03-24-2004, 05:11 PM
C'mon people... let's think about this. His brother sees the hyperlink, but he does not. This immediately tells me it's not a "hacker" problem. Let's not make a knee-jerk reaction to this and automatically assume it's a "hacker" - the word hacker freaks people out!

My guess is that your brother has some ad-ware installed on his computer that is parsing html documents and making links out of text that it finds in html docs, based on keywords.

Don't freak. I'm sure your website is still secure. Just tell your brother to download the free version of Ad-Aware from a company called LavaSoft. Their web address is: http://www.lavasoft.de

My bet is that this will fix his issue. I'd also bet that you do NOT have an issue. Don't worry. The odds of a "hacker" having the time, or desire to hack your website are nearly zero.

cyanide
03-24-2004, 05:19 PM
hmmm, yeah admittedly, I didn't catch the part of webmidwife not seeing this link on her site.

Would have to change my stance to agree it's spyware.
Here's the direct download of Adaware (http://www.lavasoftusa.com/support/download/) - just choose one of the mirrors.

Would be a good idea to check for Windows update patches, and if you don't already, make sure you have a firewall.

BTW, webmidwife... just a little tip, an extra return carriage or 2 in that one long paragraph would make for easier reading

webmidwife
03-24-2004, 05:22 PM
I appreciate all of your posts. That's what I love about Web Pro World, the willingness to come in and answer posts! You gave me some good suggestions and insights.

I tend to believe that this is indeed spy/adware on my brother-in-law's computer. I checked on my husband's computer which is a completely different ISP and the site was fine.

To set the record straight my site is a web design/ web hosting site. I resell my web host's packages. I know nothing about setting up a server, I'm just the middle man. And as far as my web design business, I make no false claims. This is a brand new business for me. I'm a self-taught web master who happened to find a passion in web design. I call my site "Web Midwife" because my first web site deals with babies. AND I'm not a "web doctor" who has been educated to do complicated work, but a "web midwife" who has learned the art by personal experience. LOL - see the analogy? My claim is that I can perform simple web and graphic designs - and I don't know everything which is why I turn to you good folks for advice.

Anyway, I sincerely appreciate your help and advice!

ddsoftware
03-24-2004, 05:34 PM
I am saddened to learn today that the manifest expertise documented on this WebProWorld Forum has not incremented one jittle since I last visited months ago.

Onward and upward.

YOU HAVE SPYWARE ! RELAX, IT IS FIXABLE.

First, tell your BIL to stop visiting trash websites where he is picking up VD (virtual disease). You know, if you sleep with dogs you get fleas...

Second, obtain HIJACK THIS software. And then do the dew, but be careful it has much power kimosabe.

Third, answer this question: If a midwife's midwife mid a midwife, what wife would midwife's midwife midwife?

Just kiddn, go get 'em cowboy!

rpgaw
03-24-2004, 07:10 PM
yep get hijack this and if you can get larsn taskinfo that will tell most all.

xmx
03-24-2004, 07:35 PM
I also think it is something to do with the PC of the brother in law, you should ask him which downloads he added to his browser. And advise him to remove them.

Fortunately MS smarttags were only a barnum-like idea that never arrived to the internet, and it was about 3-4 years ago.

igor1
03-24-2004, 08:09 PM
Hello,

This seems to be the result of hijackware,
this web browser's assistant settings have been changed.

Check settings of IP for this URL (local settings for browser).

see: http://www.spywareinfo.com/

download HijackThis.exe



regards

Igor


P.S. as concerns fleas...
2003 my computer acquired a hijackware after number of visits to websites offering "submit for free to search engines", perhaps one of them loads this sh**
(this hijackware replaced settings for Google).

GazChap
03-25-2004, 04:35 AM
It's not spyware.

At least, I don't think it is. If the link showed a popup description (like a Tooltip) when he hovered over it, then I know what it is.

It's a variation on SmartTags, and is something called IntelliText. I can't remember the exact URL for the company that makes it, but the problem has been popping up on sites for a while, it just seems random.

In most cases, the owner of the website has to implement them, but I've seen cases where the company hosting the website has installed the software without asking permission of the website owner, leading to all these stupid "double-underlined" links that are basically text-based adverts.

Talk to your webhosts and see what they say. Also, just to make sure (in case I'm wrong!) do a spyware check on both your machine and your brother-in-law's.

Cheers,
GazChap.
--
Gareth Griffiths - Web Developer
http://www.gazchap.com

colr
03-25-2004, 05:07 AM
Hi there,

in response to ldyguique's post stating:


I do know that if the URL was yours, there is only one place that the browser can attempt to go -- to the URL listed. Without going deep-tech, it's "how the net works".

-unfortunately this is not necessarily the case, dependent on if and what version of IE you are using, and what patches you have installed.

It is possible using advanced techniques to direct a browser to an address whilst displaying a different address in the URL bar.

To many this would seem pointless, but those creepy-crawlies who steal bank details are using such techniques all the time. Think about those emails you receive asking you to log into a bank account you don't even own and re-register your details! Once there, the actual bank's URL may appear in the URL whilst you are in fact at a website belonging to the mafia or something! And voila ... stolen details!

However this has happened, it is safe to say this is 100% deliberate but not necessarily by the company directed to. Despite this, if I were you I would send them a polite strong email illustrating what has happened.

Make them aware you know about this.

ldyguique
03-25-2004, 07:49 AM
Hijacks and spyware tend to be consistent in that once on a machine, it affects more than a single website. Phisher types of redirects do show a different URL in the browser than the one clicked on in an email. Domains are tied to an IP address and it has to resolve to a particular server. It is possible for a redirect or a repoint to continue to show the original URL and go elsewhere; in fact, one has to create a special script to override this.

A hacked website will usually be substantially changed, rather than someone adding in a single hyperlink that redirects. However, the source code is gone for the original situation. It's been removed.

The biggest trouble with teching 3rd party situations is that there is never complete information. That's why one has to paint with a broad paintbrush. Full and complete information is usually missing even in a 1st party situation as what one thinks is going on is frequently other than what is actually going on. By the time it's derivative, it's not really possible.

This is why the best one can do is a preliminary diagnosis of possibilities based on "ordinary" situations and why I gave a link that dealt primarily with spyware and hijack malware. This is the normal or usual situation for spontaneous redirects. However, again, spyware and hijacking software or cookies tend to cause a far more consistent problem and rarely affect only a single website.

Since the original bulleted listing is gone, there is no way to fully retro tech the issue. The best that any of us can do is speculate, hypothesize, and offer suggestions for something that cannot be looked at in view source or any attempt made to duplicate the issue.

Karen Hudgins
03-25-2004, 10:45 AM
We had a similar situation here a while ago with some of our sites. The reason was because we had HotBar on one of our computers which is a downloadable tool bar which makes your search bar nice and pretty. However, it reads keywords in your site's text and hyperlinks them to sites that are relevant to those keywords. I would install hotbar on your computer and see if you get the results your brother in law is getting. I bet you'll be surprised... Unfortunately there is no way to stop this from happening to your site if the site viewer has hotbar installed on their computer.
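
Added example, not part of the thread or written by any poster: the question the thread debates (was the link put on the server, or added by adware in the visitor's browser?) can be settled by comparing the links in three copies of the page: the file the owner authored, the HTML the server returns to a clean machine, and the page as saved from the affected browser. The sample pages, the function names and the `ads.example.invalid` URL are constructed for illustration.

```python
from html.parser import HTMLParser


class AnchorCollector(HTMLParser):
    """Collect (href, link text) pairs for every <a href=...> in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = href.strip()
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((self._href, text))
            self._href = None


def extract_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def added_links(before_html, after_html):
    """Anchors that appear in after_html but not in before_html."""
    before = set(extract_anchors(before_html))
    return [a for a in extract_anchors(after_html) if a not in before]


def diagnose(authored_html, served_html, rendered_html):
    """Say where an unexpected link entered the page.

    server-side: the server returns links the owner never wrote
                 (compromised site, or links inserted by the host).
    client-side: the server's copy is clean, but the affected browser
                 shows extra links (adware or a toolbar on that machine).
    """
    on_server = added_links(authored_html, served_html)
    in_browser = added_links(served_html, rendered_html)
    if on_server:
        return "server-side", on_server
    if in_browser:
        return "client-side", in_browser
    return "clean", []


# Constructed sample pages modelled on the situation described in the thread.
AUTHORED = """<html><body><ul>
<li>Custom Graphic Design</li>
<li>Complete Web Hosting Packages</li>
</ul><a href="/contact.html">Contact</a></body></html>"""
SERVED = AUTHORED  # what a clean machine receives from the server
RENDERED = AUTHORED.replace(
    "Web Hosting",
    '<a href="http://ads.example.invalid/hosting">Web Hosting</a>')

if __name__ == "__main__":
    print(diagnose(AUTHORED, SERVED, RENDERED))
```

The served copy has to be fetched from a machine other than the affected one, which is what webmidwife did by checking the site from her husband's computer.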