Possible site hacking - but how ???

[FrankC]

I haven't been checking my site daily due to holidays and other work.

However, I noticed last night that Google search results were returning a 'spam site' type result for my site. I.E. the Title/Description were spam instead of my own Title/Description.

The site itself appears to be OK - the pages and source all look normal. The site host says they detected or fixed no hacking. Google cache for the site (text only mode) shows the 'spammy' site - yet all appears OK now.

Does anyone know what could have happened. Is there a possibility that Google cached the wrong site ??? Webmaster Tools/ analytics don't indicate anything unusual happened.
I have resubmitted a new site map to Google, in the hope of getting it to recache the site - but it looks as if it is actually indexed correctly, as it's returned in a normal position in the search results.

I'm at a bit of a loss here to know what could have happened. Does anyone have any ideas ?

Thanks, Frank

PS I can't post a link to a screendump of search results, but if you search for something like Wedding Photographer Dublin Ireland - mine's the one with "Buy Ranitidine" as the title in the results !!

 

[php.allstar]

Hiya,

I'm not the right person to talk on SEO but here's my take on the situation...

It appears that your site was defaced and then google saw this new ultra juicy page and indexed that page super quick.

Can you let usd know when you first noticed the problem and also when google last indexed your pages.

We've all heard of the Gumblar virus being on the loose as of late, but from what I understand, its payload is more subtle and difficult to detect. In you case the page was just bombed with links of all sorts... I dont think it was Gumblar...

I am very interested in website security both as a geeky hobby and in the day job but if you like I could run a penetration test on your site and email you any findings? This will send a lot of traffic to your site across a wide array of ports but it won't actually carry out any attacks, just report on them.

If you would like me to do this, let me know and I'll run it today at some stage and email you the report.

 

[gav240z]

Definitely been hacked.

You have definitely been hacked in some form of way. It looks like some script is inserted into your page that has altered the contents of the page.

What software do you run on the site? The site looks ok at first glance now. Hopefully googlebot will return and pick up the proper contents again shortly.

I had a similar experience on a wordpress site I was running, Google deindexed it but its back now. After I upgraded and removed the spam anyway.

 

[FrankC]

I'm not sure what happened.

I've never seen a defaced/hacked version of the site. The only trace is in the Google search results. Normally I check the site daily, but didn't for the past week or so. My site host says the site appears normal now, with no evidence of any hacking. As I never saw anything wrong with it, I never had to fix anything. Noone else admits to having fixed it either.

Other points :

The current Google cache of the site shows the spammy version - that's dated Aug 24th (text-only version).

The Google index and search results are still normal i.e. if it really was a hacked site, I wouldn't expect to appear in the search results for my usual search terms. It's only the Google cache (which displays title and description in the search results) which looks wrong. So, the site hasn't been deindexed by Google, and all the Google Web Tools show nothing unusual.

@php.allstar If you think it would be useful, I'd be interested in seeing the test results

@gav240z The site is mostly just html with a bit of javascript (all essentially from templates or various standard sources). The blog uses standard Wordpress (and looks OK both 'live' and in Google cache).

The only other possibility I can think of is that my DNS could have been switched temporarily to point at a spam site, and that Google happened to cache it during that time, and was then reset to my normal site. Pretty unlikely I would think ????

Anyway - thanks both for your replies.

 

[Gavin]

Hi Frank,

Although your site looks fine it could still be hacked. Take a look at this article about malicious redirects.

Look at the htaccess file (if there is one) and see if there is any redirects listed that shouldnt be.

From the looks of it your host as had its server hacked. I am seeing a few other sites with the same issue who are using the same host. Contact them and make them aware, take screenshots etc.

Make sure to change all your passwords for your hosting account including the FTP and email passwords. Also run a anti-virus/spyware scan on your PC.

 

[FrankC]

Thanks Gavin - I have contacted the host again.
Do you have any examples of searches or sites showing the same problem ?

I've gone through the article you linked, and the checked my site - it seems OK. I had also previously checked the 'last modified date' for my website files on the host server, and all seemed in order. It's not a big site, so I manually checked all the main directories.

Regarding my PC, I am pretty good about securing it, and ran virus and spyware scans last night. No adverse results apart from the usual 'tracking cookies'.

I will change my passwords though.

Thanks, Frank

 

[php.allstar]

Hi Frank,

I've emailed you the results of the penetration test.

Nothing glaringly obvious in there apart from one or two small little things...

It could still be down to a number of things like maybe another account on the box got hacked and let a rootkit onto the server causing problems or someone may have brute forced their way into your ftp account.

If I were you and if you have shell access, look at the ftp log in /var/log/xferlog (could be something different depending on the FTP daemon running) that would help to confirm or eliminate this suspicion.

If you dont have shell access ask your host if they can provide the ftp xferlog to you.

 

[FrankC]

Thanks php.allstar, have replied to you via email.

I've also asked my host for access to the xferlog.

F.

 

[Gavin]

Do you have any examples of searches or sites showing the same problem ?

You can find another two websites listed here. I've found over 6K sites with the same hack so its wide spread.

Have you check the htaccess file?

 

[FrankC]

I've found over 6K sites with the same hack so its wide spread.

Have you check the htaccess file?

Thanks for that Gavin.

Checked htaccess - all seems normal.

 

[Anouilh]

Hacking seems to be on the increase. A good photography site I visited had been invaded by hackers who left a poorly designed series of logos as evidence. Today, Boards.ie was down and members theres are being advised to change passwords as the hackers gained access to emails and, possibly, to passwords. "http://komplettie.wordpress.com/2010/01/21/boards-ie-hacked-change-your-passwords/". (I'm bumping this thread, rather than start another... all because the machine posted a nice invitation, reminding me that I had not contributed here in some time.) Happy New Year to all, belatedly.