My friend Michael Michelini asked me why visitors to his blog sometimes get sent to a Russian .ru site when they try to visit his blog. He asked his IT friend about the problem and was told he couldn't replicate it.

Never send an IT guy to do the job of a liberal arts guy. Let me try my hand:

The symptoms were as follows:

  • When his blog URL was entered directly in a new browser session, it loaded normally
  • When he clicked on a Google search result for his blog, he was redirected to the suspicious insidetools.ru address
  • After clicking on the Google search result for his blog, entering his blog address manually still resulted in a redirect to the .ru address

I suspected that something had infected his WordPress installation and was redirecting only visitors who arrived from Google search results. This would make sense, because it minimizes the chance that the owner of the blog notices the infection. How many blog owners visit their own blog by searching on Google? Smart.

To remove variables like possibly infected browsers, caches, sessions, etc., I tested this theory by opening a Terminal session and using telnet to connect directly to his web server.

First I simulate a Google search "click." I do this by sending an HTTP GET request via telnet and including a Referer header set to a Google search results URL:

{% codeblock %}

Delorian:~ larry$ telnet www.michaelmichelini.com 80
Trying 74.208.82.110...
Connected to www.michaelmichelini.com.
Escape character is '^]'.
GET / HTTP/1.1
host: www.michaelmichelini.com
Referer: http://www.google.com/url?sa=t&source=web&ct=res&cd=7&url=http%3A%2F%2Fwww.michaelmichelini.com&ei=0SjdSa-1N5O8M_qW8dQN&rct=j&q=michaelmichilini&usg=AFQjCNHJXSUh7Vw7oubPaO3tZOzz-F-u_w&sig2=X8uCFh6IoPtnwmvGMULQfw
{% endcodeblock %}

{% codeblock %}

HTTP/1.1 301 Moved Permanently
Date: Sun, 10 Jul 2011 15:36:51 GMT
Server: Apache
Location: http://insidetools.ru/pkg/index.php
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

ef

301 Moved Permanently
<h1>Moved Permanently</h1>
The document has moved <a href="http://insidetools.ru/pkg/index.php">here</a>.

 

0

Connection closed by foreign host.
Delorian:~ larry$
{% endcodeblock %}

Yep. His blog is redirecting us to the .ru link.

Next I simulate the address being entered directly into the web browser. Again, I do this by sending an HTTP GET request for his blog directly to the web server via telnet. Notice how this time I do not include a Referer header. This indicates to the web server that the visitor typed the address into their web browser instead of clicking on a link.

{% codeblock %}

Delorian:~ larry$ telnet www.michaelmichelini.com 80
Trying 74.208.82.110...
Connected to www.michaelmichelini.com.
Escape character is '^]'.
GET / HTTP/1.1
host: www.michaelmichelini.com
{% endcodeblock %}

{% codeblock %}

HTTP/1.1 200 OK
Date: Sun, 10 Jul 2011 15:37:14 GMT
Server: Apache
Content-Encoding: none
X-Pingback: http://www.michaelmichelini.com/xmlrpc.php
X-Powered-By: PHP/4.4.9
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

{% endcodeblock %}

Bingo!  His site loads up normally.

Now we can be 100% sure that the problem is in his web server and its WordPress installation, and not because of infected Google results, poisoned web browsers, and the like. Knowing how to replicate a problem is the first step to solving it.
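To make the two-request comparison above repeatable, here is a small Python script (added here, not from the original post) that issues a GET with and without a Google-style Referer and flags a Referer-conditional redirect; the sample response heads are trimmed copies of the telnet transcripts above, GOOGLE_REFERER is a constructed value, and `probe()` is the only function that touches the network.

```python
import http.client
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Referer imitating a click on a Google search result (constructed value).
GOOGLE_REFERER = "http://www.google.com/url?sa=t&source=web&url=http%3A%2F%2Fwww.example.com"

# Response heads trimmed from the telnet transcripts above (sample input).
SAMPLE_DIRECT = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 "Content-Type: text/html; charset=UTF-8\r\n\r\n<html>...")
SAMPLE_FROM_SEARCH = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
                      "Location: http://insidetools.ru/pkg/index.php\r\n\r\nef\r\n...")

class Head(NamedTuple):
    status: int
    location: Optional[str]

def parse_head(raw: str) -> Head:
    """Parse the status line and headers of a raw HTTP response; the body is ignored."""
    head = raw.replace("\r\n", "\n").lstrip().split("\n\n", 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")    # header names are case-insensitive
        if name.strip().lower() == "location":
            location = value.strip()
    return Head(status, location)

def is_conditional_redirect(direct: Head, from_search: Head) -> bool:
    """True when the search-click visit is redirected while the direct visit is served."""
    return (300 <= from_search.status < 400 and from_search.location is not None
            and not 300 <= direct.status < 400)

def off_site(host: str, location: Optional[str]) -> bool:
    """True when a Location header sends the visitor to a different host."""
    return bool(location) and urlsplit(location).hostname not in (None, host.lower())

def fetch_head(host: str, referer: Optional[str] = None, path: str = "/") -> Head:
    """One GET over the network; redirects are not followed so the 301 itself is seen."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    headers = {"Host": host, "Referer": referer} if referer else {"Host": host}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    return Head(resp.status, resp.getheader("Location"))

def probe(host: str) -> bool:
    """Live check: compare a direct visit with a simulated Google search click."""
    return is_conditional_redirect(fetch_head(host), fetch_head(host, GOOGLE_REFERER))
```

Running `probe("www.example.com")` against a live host reproduces the author's two telnet sessions in one call; `off_site()` tells you whether the redirect target is a foreign domain rather than a normal on-site redirect.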

How and why did his blog get infected? How do you fix it? I'll leave that for you to figure out.