
Google SEO News and Discussion Forum

Hacked Blog and Hidden Links - warning email sent by Google

 5:54 am on May 8, 2008 (gmt 0)

Got an email from Google that they have detected hidden links and have removed the site for 30 days and that I should file a reinclusion request.

Now the site is an authority site, long time number 1, with sitelinks in the serps.

The only affected area is the www.mysite.com/blog directory as that is where the hidden links are.

The blog part is now not showing in serps for site:www.mysite.com/blog but my main part of the site is ok and still number one.

I have filed a reinclusion request after having removed offending links from the header but had to select www.mysite.com as there was no option in webmaster tools to select www.mysite.com/blog.

Question. Should I be worried? I am not bothered about the blog part coming back as it is a minor part of the site anyway. Perhaps I should not have filed the request!



 9:57 am on May 8, 2008 (gmt 0)

Wow. I don't think I've ever heard Google actually doing this. You must be pretty important. Everyone else just disappears as Google assumes you did it yourself ... you wouldn't happen to be spending a lot of money on Adwords would you?


 2:37 pm on May 8, 2008 (gmt 0)

I am not sure if Google sends emails to anyone about their websites -- that would be awesome customer service from any company. This email is probably a fake.


 3:29 pm on May 8, 2008 (gmt 0)

> I am not sure if Google sends emails to anyone about their websites -- that would be awesome customer service from any company. This email is probably a fake.

Google has been making an effort over the past year or two to notify webmasters when it finds problems. It isn't at the "awesome customer service" point yet but has been slowly and steadily expanding.

workingNOMAD, besides removing those hidden links did you apply any available security patches for the blog software you use? This might be an important point for reinclusion if applicable.


 3:33 pm on May 8, 2008 (gmt 0)

There's been some scuttlebutt going around lately about injection of hidden links into blog software via vulnerabilities. That isn't necessarily hacking in the usual sense we'd think of it, it's compromising sites using holes left out in the open, primarily with popular, open source software.

Scary, isn't it?

[edited by: Marcia at 3:39 pm (utc) on May 8, 2008]


 4:35 pm on May 8, 2008 (gmt 0)

In order for your Reconsideration request to get a positive result, it is very useful to let Google know more than a simple "I removed the parasite hidden links." If you fix the hole that was exploited on your server and include that fact in the request, you've done full due diligence on the issue. That step is often the deal-maker.


 5:04 pm on May 8, 2008 (gmt 0)

I or my site are certainly not important! lol I wish!

I don't spend a cent on adwords but adsense does feature and has done since 2004.

I do feel a little honoured that Google did not ban the whole domain but just the blog part of the site. As I said before the blog part is not really important and I have been thinking of winding it down anyway.

The email is no fake and the blog has been dropped from the index as they said it would, pretty much within an hour of me reading the mail!

I have updated the security on the blog software too, thanks for the tip though. Just have to sit back and wait now!


 5:10 pm on May 8, 2008 (gmt 0)

From a few past experiences, warning emails aren't reserved for "important" websites. It's more often a help that Google extends to a webmaster who has no history of guideline problems.


 6:06 pm on May 8, 2008 (gmt 0)

Question: was it done through the webmaster section in your Google account? Or did you get a personal email from Google where they had to take the time to find your email and send one to you, or was it a generic email from Google where the email can be harvested off the site?


 6:07 pm on May 8, 2008 (gmt 0)

I think Google might have a person or two that regularly check websites and send these emails. This is not the first time they are doing this, but they don't do that a lot.
I'm guessing they just are sort of trying to see whether this works or not.


 6:14 pm on May 8, 2008 (gmt 0)

Out of interest, which software were you using for your blog?


 6:24 pm on May 8, 2008 (gmt 0)

>>which software

Could it have been this one?



 6:41 pm on May 8, 2008 (gmt 0)

Yes it was that one, but I was running an even earlier version.

The email was sent to two email addresses, one was admin@domaininquestion.com but the interesting one was a free online email account I set up specifically for that website and is only shown in a jpeg format on the site to stop bots etc.

What I am saying is that it cannot have been an automated email.

By the way it came from 'Google Search Quality (noreply@google.com)'

Oliver Henniges

 7:05 pm on May 8, 2008 (gmt 0)

> Scary, isn't it?

What's most scary, IMHO, is the fact that such holes exist in open source-software at all, and how uncritically people are using such frameworks on internet-servers with a highspeed backbone.

Sry, this is a bit OT and has nothing to do with google or their mail.


 9:10 pm on May 8, 2008 (gmt 0)

The issue of the hacked blog - especially on Wordpress at the moment - is a major concern. Here's a related thread from the WebmasterWorld home page: Using WordPress 2.5 ? Upgrade immediately! [webmasterworld.com]

Blogs were supposed to be the "no-brainer" platform for the average non-tecchie to keep an online journal. Unfortunately as the various blogging platforms became widespread, the required level of brains and owner responsibility reached a higher level.

The web sharks smelled money and blogs became an irresistible target. First it was automated links in the comment areas (that brought us to the ugly rel=nofollow mutation) and now we're dealing with parasite hosting.

I'm glad to hear that Google is being helpful, as they can, but no one should depend on that. The issue is probably too widespread for them to email everyone they detect as being affected.

One interesting part of the report in the opening post is that Google did not remove the entire domain from the index, only the blog directory. That kind of precision is quite welcome.


 11:08 pm on May 8, 2008 (gmt 0)

Indeed that kind of precision is very welcome and suggests Google does perhaps care about smaller publishers.

By the way the blog in question is not the one on my profile.


 12:01 am on May 9, 2008 (gmt 0)

Same thing happened to me. I have a popular authority site that dates back to 98 and they found hidden texts on old unused pages that were sitting on my server. They sent me the same e-mail and I started to go through the site to fix everything. Google actually put my site back in the serps with all the original top rankings exactly 30 days after I got that e-mail and even before I was done correcting everything (I hadn't even requested reinclusion yet). So if they think your site is a good site, you shouldn't have to worry. The only thing they did was to remove 1 point from my home page google pr, which didn't affect my traffic anyway.


 3:43 am on May 9, 2008 (gmt 0)

No scuttlebutt. Recently I helped a WW member with a hacked WP (fairly old build). He got the same email from G but once he fixed the problem - just one page with about 100 links hidden behind display:none - Google reindexed (made visible) the site within a day or two.


 1:31 pm on May 9, 2008 (gmt 0)

>>What's most scary, IMHO, is the fact that such holes exist in open source-software at all.

What's so scary? New vulnerabilities are found all the time in both opensource and commercial software programs. The scary part for me is that webmasters ignore security warnings and don't upgrade their software.

My site has been hacked twice and both times it was directly attributed to me running a version that had known vulnerabilities. That's what happened here too; the OP simply ignored an aging portion of their site.


 2:50 pm on May 9, 2008 (gmt 0)

This is old-school Google at its finest. Gratuitously helping out webmasters.

Off to update my wordpress installs!


 3:06 am on May 10, 2008 (gmt 0)

Anyone have any tips on how to be proactive in looking for these hidden links? If your site gets hacked, how will you ever know these links are there?


 3:36 am on May 10, 2008 (gmt 0)

Use a tool like Xenu Link Sleuth to monitor your site for external links. Think of it like getting a regular check-up. You will often catch other oversights and problems you weren't aware of, too.


 7:31 am on May 10, 2008 (gmt 0)

One of the better ways to keep your system safe is to have it scanned on a regular basis.
Every now and then there is a new vulnerability discovered and there is no way for normal people to catch up on this.
Google up "vulnerability scanning system" and see the solutions available.
If your site is commercial and you are actually making money from your blog, I think it is important to keep it safe and be alerted when the industry knows about a new exploit.


 10:59 am on May 11, 2008 (gmt 0)

I'm using a Vulnerability Scanning System and was notified a couple of weeks ago that my wordpress is vulnerable and needs to be upgraded asap.
There are a few companies that provide this service, I think that most of them do the same. It is better to scan daily or weekly but not less than that, since new exploits are discovered all the time.


 3:49 pm on May 14, 2008 (gmt 0)

I posted this on another thread related to data loss by Google Analytics however I think this is relevant to this discussion as well...

Recently my website was labeled as hosting badware. I have always run a clean site and have advertised using the Google Adwords program for several years.
Google would only tell me that they see a malicious code on our site, one that I had trouble identifying.

Then yesterday morning I found a code which I thought looked suspect. It was written in a cypher and originally I thought it was just part of the programming behind the site. After looking at the string of code in more detail I realized that it was a cypher, in fact an easy one in which to decode.

Here is the original code:


And here is what I translated it to:

script – var – str – width – height – style – visibility – hidden – I – frame – I – frame – iframe – src – http://www.example.com.diamond.i.index/php.out - document - write – str – substring – 68-226 – str – substring – 1-68 – script

Here's where it gets interesting.

If you were to go to example.com you would see that it was a spoofed Google Analytics site. Google as of last night has been working at getting that site taken down however from what I can discern it has been up for about three months. I have a screen shot of the spoofed Analytics site. It appears it would ask for a user's login information and then capture that information before sending the person through to the Google Analytics site.

I don't know if these issues are resolved however they very well may be. It is also possible that other Google Analytics accounts have been breached like ours may have been.

It is ironic that Google flagged our account as providing malicious code and would not assist us other than verify that the code was still on the site and then it turns out that the code led back to a spoofed Google Analytics site. I've yet to hear much back regarding this but it seems interesting that I received notification of data loss on the analytics side during the same time this other issue was going on.

I've asked Google if there has been a security breach and will update this thread once I receive a response.

[edited by: Robert_Charlton at 6:35 pm (utc) on May 14, 2008]
[edit reason] changed to example.com [/edit]


 2:59 am on May 26, 2008 (gmt 0)

Matt Cutts made a very informative blog post today about the steps Google recently tried to take when they detected a hacked website.

> We sent an email to [four different addresses at your domain] and a gmail.com address...with a subject line of “Removal from Google’s index.” I believe if you had logged into our webmaster console at google.com/webmasters and proved that you owned [the website], we also would have left a message waiting for you there as well.


The post also contains an example of the kind of detailed information that Google sent - including a long list of the specific hidden text. Now THAT'S helpful.

Matt confirms that Google tries to reinstate hacked sites in a rapid fashion once the problem is fixed. From what he says, it does sound like a "hacked site" flag gets set and then needs to be removed manually, so Reconsideration Request sounds like an essential part of the process.


 9:48 am on Jun 8, 2008 (gmt 0)

Ok, just thought I would give you an update about what happened to my blog.

Google said the site (blog) would be removed for 30 days. They were right, after 30 days the blog has reappeared, true to their word!

As I mentioned I contacted them to say it was the work of a spammer and I fixed the issue by upgrading the blog software.

The only other thing is that the main site, number one for so long, actually dropped to number three in the SERPS for the main keywords.

I am not sure if this is related to the blog part falling out but anyway traffic has not been affected!

A lesson learned.


 9:56 am on Jun 8, 2008 (gmt 0)

This hack also affects the latest version of that widely used blog software. There are some interesting ongoing discussions elsewhere about how to fix the issue the sites that the hack redirects to. Yahoo or MSN it!
