Sinkhole HTTP Referers and what to do about them

What are sinkholes?

A sinkhole, in the context of computer security, is a service created purposely and used to impersonate a real service whether it be legitimate or a malicious service like a botnet command and control host. In this particular case the sinkhole involved here is a service operated by a security organization to trap and record visits to websites that were redirected by impersonating where they would be redirected to.

Resolution

If a sinkhole notice is sent to you by iWeb's Security and Anti-Abuse team, use the information provided which should contain the "http host visited" as well as the "infection type" to pin point how and where the referral is occurring. It could be as simple as a full redirect by the use of an .htaccess file or within an iFrame on your web server.  It may be necessary to use the Timestamp provided to search your http access logs to see what was visited at that time. Most clocks should be accurate but keep the time zone in mind when searching the logs.

In almost all cases the account that hosts the website that was visited and appeared to the sinkhole as the referrer is compromised.  At the very least the password should be changed for that user and all of the material hosted under that account should be reviewed for tampering. Be cautious of restoring backups to this account now and in the future since you could actually be restoring the compromised files depending on how long the infection has been present.  

In some cases it is possible that the server itself is compromised and should be reinstalled. This is true in some cases where traffic is actually being injected to redirect visitors and one cannot find the cause of the redirection within the hosted content for the site. A full virus/malware scan of the entire server is recommended but nothing beats a complete reinstallation for a server that is administratively compromised.

Some tools you may find effective are listed below:

Linux:

Windows:

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk