This is a strange one, and I'm hoping that someone here can help.
I help a nonprofit writer's group with their website. Last year, someone hacked the server where it was hosted and replaced most of our pages with keyword-laden spam pages. Exactly why I'm not sure, but perhaps as a way of inflating their rank in the SEs.
After this security problem, we changed hosts, and all seems to be fine at the new one. However, the person listed in the WHOIS records got home one night to find an agitated phone message from someone who had been to our site and had it attempt to install some kind of malware, and been redirected to a subdomain:
He unfortunately left no number to call back, so we can't question him as to what happened. I suspect that the malware was already on his machine, and that IT directed him to the "annulment" subdomain. The page itself is garbage, but it does have links in the right column to actual sites, though cheesy ones.
We have since had several people with different types of computers check our site, and no one has had any problems. Our webmaster also checked the content of the site. There are no files there that shouldn't be.
Here is our site, if you want to check it out yourself:
I believe that that "annulment" page may be related to the hacking last year and is on the server of the former web host. There may well be others, with different keywords as the subdomain.
We've contacted the former host, and they say they can't find it! So, what is going on? How can a subdomain of our site be in a location other than our site's current location? Wouldn't someone have to get that into the DNS system? Is there a way to trace back to where this page is actually located so it can be deleted? Has anyone had any similar experiences?
Thanks, GB. I did the pinging, and got two quite different numbers. I plugged them in at arin.net and two different hosts came up, but they seemed to be companies in control of large blocks of IP addresses. How do you find out who controls a specific IP?
Re the way the files were copied over and checked, or not. I think we did all those things already but will check with the person who actually works with the files.
Edited 1 time(s). Last edit at 12/21/2007 06:35PM by Harold.
There's your problem.
The IP of the subdomain is hosted somewhere else; you need to check with the DNS owner of the subdomain IP (most probably your old hosting co.?) and ask them to remove their DNS record for the subdomain.
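The check described in that reply (resolve each name in the zone, see which ones still point outside the new host, and work out who holds the address) can be automated as an audit after a host move. The script below is an added example for this thread, not code from any poster; the zone records, the "current host" network and the allocation table are all constructed sample data using RFC 5737 documentation ranges, and `example.org` stands in for the real domain. It flags A records that resolve outside the current host's address space, flags CNAMEs that point out of the zone, and shows why a registry lookup should report the most specific allocation rather than the large parent block mentioned in the thread.

```python
"""Audit a DNS zone for records that still point at an old host.

Added example for the thread above, not code from the original post.
The zone, the "current host" address range and the IP-allocation table
are constructed sample data (RFC 5737 documentation ranges), not real records.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone fragment: the apex and www moved to the new host, but stale
# A records for keyword subdomains still point at the former host's address.
SAMPLE_ZONE = """\
; constructed sample zone for example.org
example.org.            3600 IN A     203.0.113.10
www.example.org.        3600 IN A     203.0.113.10
mail.example.org.       3600 IN CNAME www.example.org.
annulment.example.org.  3600 IN A     198.51.100.77
loans.example.org.      3600 IN A     198.51.100.77
blog.example.org.       3600 IN CNAME pages.cdn-provider.example.
"""

# Constructed: the address space the current host actually serves from.
CURRENT_HOST_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed allocation table. A registry lookup returns nested allocations;
# the useful answer is the most specific (longest-prefix) one, not the parent.
ALLOCATIONS = [
    ("198.51.0.0/16", "Big Transit Inc (constructed)"),
    ("198.51.100.0/24", "OldHost LLC (constructed reassignment)"),
    ("203.0.113.0/24", "NewHost Inc (constructed)"),
]


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


def parse_zone(zone_text):
    """Parse the simple 'name ttl class type rdata' lines used above."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = fields[:5]
        records.append(Record(name.lower(), rtype.upper(), rdata.lower()))
    return records


def ip_owner(ip, allocations=ALLOCATIONS):
    """Return the holder of the most specific allocation covering ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, holder in allocations:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder)
    return best[1] if best else "unknown"


def find_stale_records(zone_text, current_nets=CURRENT_HOST_NETS,
                       zone_apex="example.org."):
    """List records that resolve outside the current host or leave the zone.

    Returns tuples of (name, type, target, owner-or-note).
    """
    findings = []
    for rec in parse_zone(zone_text):
        if rec.rtype == "A":
            addr = ipaddress.ip_address(rec.rdata)
            if not any(addr in net for net in current_nets):
                findings.append((rec.name, "A", rec.rdata, ip_owner(rec.rdata)))
        elif rec.rtype == "CNAME":
            in_zone = rec.rdata == zone_apex or rec.rdata.endswith("." + zone_apex)
            if not in_zone:
                findings.append((rec.name, "CNAME", rec.rdata, "external target"))
    return findings


if __name__ == "__main__":
    for name, rtype, target, note in find_stale_records(SAMPLE_ZONE):
        print(f"{name:28} {rtype:5} -> {target:28} [{note}]")
```

Each flagged A record names the holder of the smallest allocation covering the address, which is the party to contact about removing the record; the two external-looking CNAME targets are listed separately because they can become dangling pointers if the third-party service is ever dropped.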
Thank you. This is very useful information and I hope this thread will be a resource for others. Not that I hope others will have this experience. I just think it's likely that someone will at some point.
Edited 1 time(s). Last edit at 12/21/2007 09:12PM by Harold.