Website hacked?

Don't worry, not talking about Hexus :p Another site I know of seems to be re-directing to random malware/scam websites when visiting it, but it only does this when you visit via a search engine, rather than typing in the web address into the browser bar.

Wasn't sure this site was to blame at first, but I think it must be checking the referrer on the request to try and hide the fact that the site has been hacked, since it's going be pretty rare for a site owner to get to their site via a search engine they may not realise for a long time.

The site owner is now aware, but thought I'd post here to check to see if this is something that's common, since I've never seen it before.

It's more likely that you have been infected with malware/spyware/adware/badware. Plenty of badware is known to re-direct search engine queries. I'd suggest you start scanning ;)

It's not malware on my machine, since it's happening for multiple people in at least 3 different locations.

Well, I got them to have a look at the web hosting, and turns out some edits had been made to the .htaccess file, something to do with a 'RewriteEngine'. Never heard of that before, but I can tell from the file that it was checking for a referrer of a search engine, then re-directing to a CGI script on a different (and obviously dodgy) site.

The changes are now removed and it's back to normal, password on the hosting is changed also, so guess I'll wait and see what happens. I doubt it's caused by any malware infecting the server, since it's just web space at a hosting company, rather than running their own web server.

This is common practice for spammers nowadays.

Another thing you can spot on some sites is different pages for different user-agents - i.e. if it is presented with the Googlebot indexer, it will return the normal page with a massive amount of keyword spam. Then when normal people go to it via a Google search it will just serve the normal page plus the trojans/malware/adware/etc. For people visiting from either localhost, a local network, or with no referer, it will not modify the page at all so that the author doesn't get suspicious. They might only notice either when their Google Pagerank goes down due to Google noticing, or end users shouting at them.