Anyone ever have a 302 redirect hack?

highchairdesign

Hey all on this board...

A client of mine – granted, a client that may provoke ire in this (or any) community – has a website that gets hijacked at the Search engine level... type in http://www.pearlstreetlofts.co... to a browser, and the site functions fine. Type in Pearl Street Lofts to a search engine (Yahoo and Google for sure), and click the first link that comes up, and you get someone else's site. A useless Blogger looking page. The source code is a bunch of javascript and html that looks like a Blogger page (and it could very well be). Interestingly, there is a meta refresh in there for 300 seconds / five minutes. After that time, the site is returned to normal.

Even more interesting... the fake page sets a cookie in the user's browser, so that if you close the window, open a new one, and then type in the real URL, you still get the fake page. Not until you clear your cookies or wait the five minutes will you be able to get back to the real site.

Something about the internal workings of Google... when you click a link in Google, you just don't click a URL... That URL gets tracked first so Google can keep score as to which links get clicked upon a certain search, and something way deep inside Google sends someone the wrong string even when it looks like the right one. Or something like that...

So, if anyone has any ideas as to what this is and how to stop it, I'd be interested. I'd like to even just know what's happening. Most of all, if I help them move the site to a new server, I want to know if this could all happen again.

A few months ago, we got Google to remove their listing. Then we started from scratch. Now the redirect hack is back.

Thanks,

j


Comments

highchairdesign

I just used FireBug to find the referrer string that seems to be feeding the unwanted content:

http://75.127.109.21/f.php?keyword=pearl+street+lofts&subaff=246394&ref=http%3A//www.pearlstreetlofts.com/&rand=0.32726817914790385 

bjepson

j,

I believe your site has been compromised. I tested this out, and it appears that the redirection is occurring when visitors go to the web site, not before. Here's what I did:

1) Installed the RefControl (Referer control) extension for Firefox

2) Went into RefControl options, and for the web site "www.pearlstreetlofts.com", set it to "Block-send no referer"

3) Searched Google for Pearl Street Lofts, clicked the results link, and the site came up fine.

Then I tried:

1) Going into RefControl options, and for the web site "www.pearlstreetlofts.com", set it to "http://www.google.com/search?q=pearl+street+lofts&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a", which is the referer URL that a Google search would transmit.

2) Typed www.pearlstreetlofts.com into the browser, and I got the wrong site.

So it seems that a malicious hacker has control of this site, and is redirecting visitors who come in from Google. 

- Brian
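Brian's RefControl test can be scripted: fetch the page once with no Referer and once with a search-engine Referer, then compare where each request ends up, whether only the referred request sets a cookie or carries a meta refresh, and whether the page title changes. This is an added example, not code from the thread; the `http_fetch` helper does real requests, while `fake_fetch` and the `FAKE_SITE` responses are constructed stand-ins (hostnames under `.test` are placeholders) so the check runs offline.

```python
"""Probe a site for referer-conditioned behaviour (scripted version of the RefControl test)."""
import re
import urllib.request
from urllib.parse import urlparse

# Referer a Google results click would carry; the query string is from the thread.
GOOGLE_REFERER = "http://www.google.com/search?q=pearl+street+lofts"
META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def http_fetch(url, headers):
    """Real fetcher: follows redirects, returns (final_url, response headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = resp.read(200_000).decode("utf-8", "replace")
        return resp.geturl(), dict(resp.headers.items()), body


def fingerprint(final_url, headers, body):
    """Reduce one response to the properties that differ under a redirect hack."""
    match = TITLE.search(body)
    return {
        "host": urlparse(final_url).netloc.lower(),
        "sets_cookie": any(k.lower() == "set-cookie" for k in headers),
        "meta_refresh": bool(META_REFRESH.search(body)),
        "title": match.group(1).strip() if match else "",
    }


def probe(url, fetch=http_fetch):
    """Compare a direct visit with a search-engine referral; return a list of findings."""
    base = {"User-Agent": "Mozilla/5.0"}
    plain = fingerprint(*fetch(url, dict(base)))
    via_search = fingerprint(*fetch(url, dict(base, Referer=GOOGLE_REFERER)))
    findings = []
    if via_search["host"] != plain["host"]:
        findings.append("redirects to %s only when Referer is a search engine" % via_search["host"])
    if via_search["sets_cookie"] and not plain["sets_cookie"]:
        findings.append("sets a cookie only for search-engine referrals")
    if via_search["meta_refresh"] and not plain["meta_refresh"]:
        findings.append("serves a meta refresh only for search-engine referrals")
    if via_search["title"] != plain["title"]:
        findings.append("page title differs: %r vs %r" % (plain["title"], via_search["title"]))
    return findings


# Constructed responses imitating the behaviour described in the thread (not captured traffic).
FAKE_SITE = {
    None: ("http://www.example-lofts.test/", {"Content-Type": "text/html"},
           "<html><head><title>Pearl Street Lofts</title></head><body>Welcome</body></html>"),
    GOOGLE_REFERER: ("http://blog.example-attacker.test/page.html",
                     {"Content-Type": "text/html", "Set-Cookie": "seen=1; path=/"},
                     "<html><head><title>Untitled</title>"
                     "<meta http-equiv=\"refresh\" content=\"300\"></head></html>"),
}


def fake_fetch(url, headers):
    """Offline fetcher keyed on the Referer header alone."""
    return FAKE_SITE[headers.get("Referer")]


if __name__ == "__main__":
    for finding in probe("http://www.example-lofts.test/", fake_fetch):
        print(finding)
```

Run `probe("http://www.example.test/")` against a live host to use the real fetcher; an empty list means both visits behaved the same, which is what a clean site should produce. Because the fake page in the thread sets a cookie, a browser-based retest must start from a cleared cookie jar, while this script sends no cookies at all.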

highchairdesign

Wow... I'll download that plug-in. Thanks for the note.

Any ideas as to how I can change this or protect against it in the future?

I found this page helpful:
http://clsc.net/research/googl...

But the implementation of the base href meta tag seems to have done nothing, as the site was easily hacked again after I implemented it.  

bjepson

You're welcome. To be honest, if I'm correct, you have a very serious problem. As far as I can tell, someone gained control of your site and replaced some of the code running on your server.

The way this happens is through vulnerabilities in some piece of software.

For example, I use WordPress on my personal web site. Each time a new version of WordPress comes out, I have to update immediately, because each new version (usually) fixes some kind of security flaw in the product. The minute the security flaw becomes known, malicious hackers begin probing every web site they can find until they find one that is vulnerable. Then they use the vulnerability to compromise the site.

After they've compromised it, they replace some part of the site with their own files. There are many forms this takes, but three common ones are:

  • Malicious software that attempts to deliver viruses to site visitors,
  • A redirect to some other site (this is what appears to have happened in this case),
  • A defacement, in which case it is very obvious that something has happened.

If your site has been altered, then you should take steps to find out what was changed and restore it. However, once a site has been compromised, all of the files on it should be suspect, especially anything that is executable (PHP files, CGI scripts, etc.). There are many ways you can respond to a compromise, but one of the more conservative responses is to restore the server from the last backup before the compromise.

- Brian

highchairdesign

Wow... I thought it was JS coming from a different server, but you were right. Buried in some folders were some malicious files. Not sure how they got there of course, but that is what hackers do. Nice. So, I am hoping that a new server client with better security can do the trick. Oh, and new passwords.

bjepson

I'm really glad to hear you found it. You should also poke around and see if they left any back doors. Check out any PHP/ASP/Perl/etc scripts you have on the server, check to see if anything funny is going on. And if a script has mysteriously appeared that wasn't there before, it's certainly suspect.

I think the most likely way they got in is through a software vulnerability. When there's a vulnerability, malicious hackers (I say malicious to distinguish from hackers like myself who aren't out to get you) will use that vulnerability to trick your web server into running some program that then grants them access to your server (effectively, they are able to use the vulnerability to run programs under your own credentials). Then they do their deed, and often will leave a back door so they can get back in if you find what they did.

To reduce my exposure to such problems, every time I install a new software package (Wikipedia, WordPress, Django, etc) on a server, I subscribe to the mailing list or RSS feed where the software project announces new releases. Then when a new version comes out, I drop whatever I'm doing and perform the update.

- Brian
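Brian's advice to hunt for scripts that "mysteriously appeared" and for back doors is easiest to follow with a baseline: hash every file under the web root while the site is known good, rehash later, and inspect each new or changed script for the patterns a planted redirect or back door tends to carry (branching on `HTTP_REFERER`, issuing a `Location:` header, `eval` of a decoded blob, shell execution). This is an added example, not code from the thread or from any hosting provider; `demo()` builds a constructed web root in a temporary directory with a made-up planted file, and the marker list is a starting point rather than a complete signature set.

```python
"""Baseline-and-diff review of a web root to find planted or altered scripts."""
import hashlib
import os
import re
import tempfile

SCRIPT_EXT = {".php", ".asp", ".aspx", ".pl", ".cgi", ".py"}

# Patterns commonly present in planted redirect scripts and back doors (constructed list).
MARKERS = [
    (re.compile(r"HTTP_REFERER", re.I), "branches on the Referer header"),
    (re.compile(r"header\s*\(\s*['\"]Location:", re.I), "issues a redirect"),
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I), "eval of decoded payload"),
    (re.compile(r"\b(system|passthru|shell_exec|popen)\s*\(", re.I), "executes shell commands"),
]


def build_manifest(root):
    """Map each relative path under root (forward slashes) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifests(baseline, current):
    """Classify paths as added, changed or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious_markers(text):
    """Return the labels of every marker pattern found in a script's source."""
    return [label for pattern, label in MARKERS if pattern.search(text)]


def review(root, baseline):
    """Diff against the baseline and inspect every new or changed script."""
    delta = diff_manifests(baseline, build_manifest(root))
    report = {}
    for rel in delta["added"] + delta["changed"]:
        if os.path.splitext(rel)[1].lower() in SCRIPT_EXT:
            with open(os.path.join(root, *rel.split("/")), encoding="utf-8", errors="replace") as fh:
                report[rel] = suspicious_markers(fh.read())
    return delta, report


def demo():
    """Constructed web root: clean baseline, then a planted script and a modified index."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("index.php", "<?php echo 'Pearl Street Lofts'; ?>")
    write("css/site.css", "body { margin: 0 }")
    baseline = build_manifest(root)  # taken while the site is known good

    # Simulated compromise: a referer-conditioned redirect buried in a cache folder,
    # pulled in by a one-line change to the real index page.
    write("images/cache/f.php",
          "<?php if (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {"
          " header('Location: http://blog.example-attacker.test/'); } ?>")
    write("index.php", "<?php include 'images/cache/f.php'; echo 'Pearl Street Lofts'; ?>")
    return review(root, baseline)


if __name__ == "__main__":
    delta, report = demo()
    print(delta)
    for rel, labels in report.items():
        print(rel, "->", labels or "no markers (review by hand)")
```

Store the baseline manifest somewhere the web server cannot write, since a planted file can rewrite anything under the web root. A changed script with no markers still needs a manual look; the marker list only prioritises, it does not clear a file.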

highchairdesign

Yeah... well, this is a GoDaddy server, so the support is short of stellar. The security as well. I am recommending that the client move the site somewhere else, so I hope that helps. I haven't had any non-GoDaddy sites get hacked (yet).

Again, thanks for helping me suss this out. I was concentrating on the way they passed an id string to the Google listing, and didn't even look on the server to see if there were extra files there. Now that the files are no longer there, the click on the Google listing gets me an internal server error, which is better than the wrong page.