
Suspicious script loads ONLY when navigating to site via search engines

@Jessie594

Posted in: #Hacking #Javascript #Joomla #Security

I cannot find anywhere on our site where this code is referenced. More importantly it does not appear when navigating directly to our URL, it only appears when coming from a search engine (including Google and Yahoo, but notably NOT anonymous search like DuckDuckGo).

In IE with high security settings the user gets a prompt that content is being blocked. Firefox and Chrome display warnings as well.

The error appears like this in dev tools:
"Mixed Content: The page at [removed] was loaded over HTTPS, but requested an insecure script 'http://ariadnnakiss.pw/m/zLZlP-SXnQrHhT_q_ywsOKj-.js?QB2M=6w5Q7T2e2a&P-0mA5Ga=cd99J0t91&_=12-1d-13-6&DyfkA=as426S9Uy3e&h=t7'. This request has been blocked; the content must be served over HTTPS."

The URL in question is ariadnnakiss, which I cannot find much information on beyond a whois lookup.

Any ideas why this would occur only when reaching the site via search?


1 Comments


@LarsenBagley505

Your web server contains a configuration file with a configuration that directs traffic from certain sources to pages with the suspicious script.

If you're using Apache, start with the .htaccess files in your document root folder and every folder recursively within it.

Look for any lines containing "user_agent" or "remote_addr" or even google or other search engine names. Also, check for a list of specific IP addresses. Trying to comment them out then rerunning your site might be all you need to do.

If that doesn't work, you can also look at Apache's default configuration file (httpd.conf) for references to the words I mentioned above.

Here's an example of how to reproduce your situation on any web server with Apache installed:

1. Create a normal index.htm or equivalent page with content for all to see and save it to the document root folder.
2. Create the same page but add the suspicious script and save it as codewithsuspiciousscript.htm and upload it to the same location as index.htm.
3. Create a file named .htaccess with the following contents:

    RewriteEngine On
    # Condition: the User-Agent header contains "googlebot" (case-insensitive)
    RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
    # When the condition holds, serve the altered page for every requested path
    RewriteRule ^(.*)$ /codewithsuspiciousscript.htm [L]

   Then upload it to your document root folder.

Now when Google visits any page, they will see the suspicious code because codewithsuspiciousscript.htm is loaded as a result of the user agent matching Google. When everyone else visits the page, they will see the normal page.

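The recursive .htaccess search described in the answer above, as an added example that is not part of the original post: it pairs each RewriteCond with the RewriteRule it guards and reports rules conditioned on the requester's identity. The HTTP_REFERER term and the engine names other than google are assumptions added here, and the docroot in `demo()` is constructed.

```python
import os
import re
import tempfile

# Request attributes and search-engine names worth a manual look when they
# appear in a RewriteCond (HTTP_REFERER and extra engine names are assumptions).
SUSPECT = re.compile(
    r"HTTP_USER_AGENT|HTTP_REFERER|REMOTE_ADDR|google|bing|yahoo|yandex|baidu",
    re.IGNORECASE)

def scan_htaccess(path):
    """Return (file, cond_line_no, cond, rule) for each rule guarded by a suspect condition."""
    findings, pending = [], []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            directive = line.split(None, 1)[0].lower()
            if directive == "rewritecond":
                pending.append((no, line))   # conditions apply to the next RewriteRule
            elif directive == "rewriterule":
                for cond_no, cond in pending:
                    if SUSPECT.search(cond):
                        findings.append((path, cond_no, cond, line))
                pending = []
    return findings

def scan_docroot(root):
    """Walk the document root recursively and scan every .htaccess file found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            results.extend(scan_htaccess(os.path.join(dirpath, ".htaccess")))
    return results

def demo():
    """Scan a constructed docroot: a routine front-controller rule plus one cloaking rule."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                     "RewriteRule ^ index.php [L]\n")
        with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\n"
                     "RewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                     "RewriteRule ^(.*)$ /codewithsuspiciousscript.htm [L]\n")
        return [(os.path.relpath(p, root), n, rule)
                for p, n, _cond, rule in scan_docroot(root)]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `scan_docroot()` at the real document root; each hit is a candidate for manual review rather than proof of compromise, since legitimate rules sometimes test the user agent too.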

