We got a call last night from this client. It seems that when someone typed in the “business genre” and “area that the business is located” in a search engine, then clicked on the name of the business, it came back to their server, but it had a fake “blog” site instead of their site.
At first we suspected DNS poisoning, but proved it wrong with a simple dig command and a re-check of the DNS records. Everything matched.
We then had our crack team of systems administrators start looking at the files that were on the server. What we found was somewhat shocking and pretty clever.
Someone had compromised the server that hosts their site. Instead of defacing or vandalizing, they made a small change to one file and uploaded some simple files into a hidden directory. The small change that was made was to the .htaccess file. They modified it with URL rewrites to show the files in the hidden directory as the homepage, rather than the real index file.
The clever thing was that it was only shown when a user was coming to the site from a major search engine. If you were to go to the URL directly (by typing it into the address bar), you would see the actual site. By searching for the business and viewing the results in a search engine, it triggered the URL rewrite to bring up the hidden page.
The hidden page was just an advertising squatting page, just there to get ad revenue from all of the misguided surfers and of course generate ill will towards the business.
Needless to say, the files have been removed and the server is being fixed as we speak. We will be keeping an eye on it as time goes on.
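The following is an added example, not part of the original post: one way to check .htaccess files for the kind of change described above, a rewrite that only fires when the referrer is a search engine. The search-engine list, the function name and the sample file contents are assumptions made for illustration.

```python
import os
import re
import sys

# Assumed, non-exhaustive list of search-engine names to look for in referrer patterns.
SEARCH_ENGINES = ("google", "bing", "yahoo", "duckduckgo", "baidu", "yandex")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_referrer_rewrites(htaccess_text):
    """Return (line_no, referrer_pattern, target, targets_hidden_dir) for each
    RewriteRule guarded by a RewriteCond on HTTP_REFERER naming a search engine."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond and any(name in cond.group(1).lower() for name in SEARCH_ENGINES):
            pending.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:  # conditions apply to the next RewriteRule, then reset
            target = rule.group(1)
            hidden = any(part.startswith(".") and part not in (".", "..")
                         for part in target.split("/"))
            findings += [(line_no, pattern, target, hidden) for pattern in pending]
            pending = []
    return findings

# Constructed samples; the directory and file names are placeholders.
SAMPLE_CLEAN = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""
SAMPLE_TAMPERED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^$ /.hidden-dir-placeholder/index.html [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

if __name__ == "__main__":
    # Usage: python scan_htaccess.py /path/to/docroot (walks every .htaccess below it)
    for root, _dirs, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        if ".htaccess" in files:
            path = os.path.join(root, ".htaccess")
            with open(path, errors="replace") as fh:
                for hit in find_referrer_rewrites(fh.read()):
                    print(path, *hit)
```

A hit is a lead to review by hand, since some sites use referrer conditions legitimately (hotlink protection, for example); a rule whose target sits in a dot-directory deserves the closest look.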