Ugh. Carpe Fulgur's being hijacked.

[Sabin Stargem]

I have been getting redirected from Carpe Fulgur to some "Canadian Pharmacy" website, when trying to get here via Google. I have been able to get around this by using the URL for Carpe Fulgur, but it still annoys me that someone has been doing this.  I initially thought that Carpe Fulgur bit the dust when I wasn't looking.

[Twin]

I'm getting the same issue! Redirects to a Viagra site.
At first I thought I had a google redirect virus or a rootkit. But the same thing happens on 2 other PCs and I even got a friend to verify it happens on his system!
It doesn't appear to happen through Bing, Yahoo, Hotbot etc. it's only on Google. Occurs in Firefox, IE and Opera.

Typing in the URL directly (http://www.carpefulgur.com/fs/faq.htm) functions correctly, but via Google search I'll get the Viagra redirect :l

[SpaceDrake]

Huh, interesting. Means the same thing that happened to XSEED happened to us on some level, I was wondering if this would happen. Happily they haven't taken the actual site over.

Thanks for letting us know about this; I'll put in a ticket with Google to have this corrected.

[Franuka]

Had this problem until now. I thought the site could have been moved, hacked or something
Luckily it was just a redirection thing and it seems to be solved.

Thanks, fwoo~!

[dB]

Huh, interesting. Means the same thing that happened to XSEED happened to us on some level, I was wondering if this would happen. Happily they haven't taken the actual site over.

Thanks for letting us know about this; I'll put in a ticket with Google to have this corrected.

Your forums are hijacked. It looks like it's based on the referrer. In particular it seems to be performing the redirect only if the referrer is Google I think. Have a look at this:

Without Google referral:

Code: [Select]

~ $ wget http://www.carpefulgur.com/forum/
--2012-02-26 17:29:25--  http://www.carpefulgur.com/forum/
Resolving www.carpefulgur.com... 66.33.200.98
Connecting to www.carpefulgur.com|66.33.200.98|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23084 (23K) [text/html]
Saving to: “index.html”

100%[===================================================================================================================================================================================================================>] 23,084       123K/s   in 0.2s

2012-02-26 17:29:26 (123 KB/s) - “index.html” saved [23084/23084]

~ $

With Google referral:

Code: [Select]

~ $ wget http://www.carpefulgur.com/forum/ --referer="http://www.google.com/"
--2012-02-26 17:31:20--  http://www.carpefulgur.com/forum/
Resolving www.carpefulgur.com... 66.33.200.98
Connecting to www.carpefulgur.com|66.33.200.98|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://canadian-pharmacy-24h.com/?refid=435 [following]
--2012-02-26 17:31:21--  http://canadian-pharmacy-24h.com/?refid=435
Resolving canadian-pharmacy-24h.com... 94.102.55.105
Connecting to canadian-pharmacy-24h.com|94.102.55.105|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: / [following]
--2012-02-26 17:31:22--  http://canadian-pharmacy-24h.com/
Connecting to canadian-pharmacy-24h.com|94.102.55.105|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “index.html”

    [   <=>                                                                                                                                                                                                              ] 63,935       114K/s   in 0.5s

2012-02-26 17:31:22 (114 KB/s) - “index.html” saved [63935]

~ $

EDIT:
I've noticed that your version of SMF ("Powered by SMF 1.1.11") is seriously out of date and probably riddled with security flaws corrected in later versions. I would upgrade it as soon as possible.

[RenaTheArchmage]

It hasn't yet been corrected, at least not when I tried to follow a link to El Drakblog.

[SpaceDrake]

Believe I identified the problem. Is it happening now?

[TheSwordUser]

It's working now for me.

Also, here's something I wanted to post but you posted first:

You know, don't get me wrong, but considering you probably gained a buttload of money from THREE games in total, you might want to invest at least a FRACTION of it for website security/better hosting.
Soon, I'll be afraid to go here because of risk of getting spyware or rootkit infection or whatever.

[SpaceDrake]

Our hosting itself is actually badass as hell; they kept up with the huge Recettear rush (and Chantelise rush, and FS rush) with barely a sniffle or two. No way I'd want to move off of our current webhost. Our security is quite solid too (usually); I'm actually surprised this happened at all.

We will, most likely, be doing some rather extensive upgrades to the website this year, though. The mainsite itself, though, is secure; one of the upshots of being 100% HTML-based is that only a brute-force hacking of our FTP would cause a problem (and that would be immediately obvious and correctable, and there's another layer of security behind the FTP with a separate password I can use to fix everything if need be).

[dB]

Still broken....

Code: [Select]

db@vmbox ~ $ wget http://www.carpefulgur.com/ --referer="http://www.google.com/"
--2012-02-27 07:35:08--  http://www.carpefulgur.com/
Resolving www.carpefulgur.com... 66.33.200.98
Connecting to www.carpefulgur.com|66.33.200.98|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://canadian-pharmacy-24h.com/?refid=435 [following]


[SpaceDrake]

Not anymore. Going to see if it stays fixed this time.

[SpaceDrake]

And forum UPGRADE! Hopefully that'll put an end to any security issues we had that weren't covered by a password swap. I'll keep on the ball for more updates in the future.

[Schibs]

Nope, it's still not fixed. The first time when I click your website via Google, I still get redirected.
I'm not really an expert at web security, so I may be wrong, but you should check if your .htaccess file still get compromised by the previous hijack, just download your .htaccess file via FTP and check if its content is questionable.

Putting redirect code in .htaccess is as simple as this :
http://stackoverflow.com/questions/3228841/new-google-images-htaccess-redirect-code

I'm doing two check, one on your official page, http://www.carpefulgur.com and http://www.carpefulgur.com/not_exist
Since Folder not_exist isn't exist on your website and I still get redirected to that pharmacy website, I'm suspecting the culprit is in your .htaccess file, not in your forum index.php file, since the old forum file probably get deleted during the upgrade.
It'll only redirect if the referrer is from Google.

First check

Code: [Select]

D:\>wget http://www.carpefulgur.com/ --referer="http://www.google.com/"
--2012-03-12 21:53:10--  http://www.carpefulgur.com/
Resolving www.carpefulgur.com... 66.33.200.98
Connecting to www.carpefulgur.com|66.33.200.98|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.canadian-pharmacy-24h.com/?refid=435 [following]
--2012-03-12 21:53:11--  http://www.canadian-pharmacy-24h.com/?refid=435
Resolving www.canadian-pharmacy-24h.com... 95.211.161.204
Connecting to www.canadian-pharmacy-24h.com|95.211.161.204|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--2012-03-12 21:53:24--  (try: 2)  http://www.canadian-pharmacy-24h.com/?refid=4
35
Connecting to www.canadian-pharmacy-24h.com|95.211.161.204|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: / [following]
--2012-03-12 21:53:30--  http://www.canadian-pharmacy-24h.com/
Reusing existing connection to www.canadian-pharmacy-24h.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'

    [           <=>                         ] 63,939      13.3K/s   in 4.7s

2012-03-12 21:53:40 (13.3 KB/s) - `index.html' saved [63939]

Second check :

Code: [Select]

D:\>wget http://www.carpefulgur.com/not_exist --referer="http://www.google.com/"

--2012-03-12 22:07:45--  http://www.carpefulgur.com/not_exist
Resolving www.carpefulgur.com... 66.33.200.98
Connecting to www.carpefulgur.com|66.33.200.98|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.canadian-pharmacy-24h.com/?refid=435 [following]
--2012-03-12 22:07:47--  http://www.canadian-pharmacy-24h.com/?refid=435
Resolving www.canadian-pharmacy-24h.com... 95.211.161.204
Connecting to www.canadian-pharmacy-24h.com|95.211.161.204|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: / [following]
--2012-03-12 22:07:49--  http://www.canadian-pharmacy-24h.com/
Reusing existing connection to www.canadian-pharmacy-24h.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html.2'

    [                  <=>                  ] 63,939      5.10K/s   in 12s

2012-03-12 22:08:03 (5.10 KB/s) - `index.html.2' saved [63939]


[dorbabil]

Interesting...

If I click on the link in google, I also get redirected. That's a link to the carpe fulgur main page, not the forums.

[SpaceDrake]

And fixed for the time being again. I actually do want to try one more thing before declaring "defeat" though...