| This 34 message thread spans 2 pages: 34 (  2 ) > > || |
|How Hacked Servers Can Hurt Your Traffic|
Unfortunately there are all kinds of devious server hacks making the rounds these days. They usually depend on two factors: sites that use a common CMS (such as Wordpress) and site owners who do not update their software to keep security solid.
But the average site owner may not have the resources or understanding to investigate thoroughly. All they know is that their Google traffic went away.
But if you can discover that you've been hacked, the fix is straightforward:
- fix the security problem
- restore a clean version of the site
- request reconsideration
One thing that hackers do is find sites to help distribute malware. This one should be easy to detect, because Google will post a warning notice in the SERPs "This site may harm your computer." This discussion [webmasterworld.com] covers the details of how to handle a malware hack.
One common footprint for a malware hack is an iframe that doesn't belong in your code - especially one with a lot of hex coding.
These are really "old school" - they're more like online graffiti than anything else. The hacker usually just wants to brag that they got you, and they put up a message on your pages for all to see. Well, that's easily detected because you just go to your pages and there it is!
But as I said, this is old school and many hackers are looking for something with some financial value these days.
This one is either done for sheer malicious delight, or perhaps for competitive disruption. How often do you check your robots.txt file? If someone replaced the first line and disallowed all indexing, how fast could you catch that?
In addition to visually inspecting your robots.txt file on a regular basis (and especially if your urls start disappearing from the Google index) you can also set up a Webmaster Tools account and check it regularly. Google will report to you when urls get blocked by robots.txt.
This one is sneakier and depends on the value of backlinks, either for PageRank or for the traffic itself. The hacker places links on your pages (they may be hidden through various means) and you may not be inspecting your content close enough to see those links.
The tool you need is a link checker, such as Xenu LinkSleuth, that can give you a report on all your external links. You are careful about who you link out ot, right? So anything really bogus is going to jump out at you from that list. Running a link checker on a regular basis has many other benefits as well, such as keeping those accidental 404s out of your site. So I consider it to be something like getting a regular physical (but I recommend doing it more often.)
Now we're really getting devious. Over the past year or more, hacks have been showing up that cloak their parasite content so that only googlebot sees it. If you visit with a regular browser (user agent) you only see what you expected to see.
Your main tool here is a user-agent spoofer of your own, such as the User Agent Switcher extension for Firefox. Just fire it up with a googlebot user agent string and see if your page content changes.
Complex Cloaking - using IP and cookies
This is getting deep - and it's also not so common, but it is out there "in the wild." The hacker in this case paces complex scripting on your site so that not only do they cloak for googlebot by user agent, they also cloak by IP address. In some cases the script also places a cookie so you get only one chance to see what they're doing.
And your tools here are 1) learning how to browse your site with coolies turned off and 2) studying your server logs for what your server replies to googlebot.
Cloaked Redirects - .htaccess hacks
Google's John Mueller (JohnMu) has just made an excellent blog post about this. I'll refer you to him:
|The first symptom that you would see is hard to interpret: URLs from the website are just not indexed anymore... |
When you submit a Sitemap file, Google will show warnings for URLs that redirect. By design, you should be listing the final URL in your Sitemap file, so if the URL is redirecting for our crawlers (as in this case), we’ll show a warning in your account.
I urge you to read JohnMu's entire article [johnmu.com]. He's offering a lot of help here.
Some of the sneakiest hackers have used various kinds of DNS tricks. Over two years ago we discussed this rare but still possible problem in this thread [webmasterworld.com].
If your traffic totally dries up, you would hit the panic button pretty quickly - so these hackers have been more clever than that. With DNS tricks they might syphon off only 20% of your traffic. One thing you would see was a traffic drop with no corresponding drop in rankings.
There's been some good effort here on the part of the DNS servers to get more secure from this type of thing, but it's still worth mentioning as a potential. The moral is to check your DNS settings and fix any warnings you get. It might seem like a foregin language to you if you never waded into these waters before, but it's worth climbing the learning curve - especially if your traffic is evaporating. However, it's something that I wouldn't suspect until I ruled out all the rest of the hacks I listed above.
It might be an employee, too
Sorry to say, it's not always an external hacker. Sometimes a person your trusted with server access gets greedy and places parasite links to earn some csh on the side. We've had such reports here, and it even happened at Google a few years back.
Don't get crazy about this possibility, but if you do find junk on your server and there's no real sign of an external hack - then consider who you might have given server access to. This is one solid reason always to changes passwords (strong ones) when anyone leaves the company, or when your contract is over with anyone who had access. Even great companies sometimes hire a bad apple.
As a side note, I wrote this post in response to a recent group of communications I receved where site owners were wailing about how unfairly Google was treating their site - and I found in several cases that they had been hacked. When you let your door stand open, all kinds of things can happen to your valuables.
I'm hoping I've been clear enough about the hacks I learned about over the past couple years. Has anyone got any details to add or clarify, or maybe a type of hack problem that I missed?
Back in May I had one of my sites defaced. From everything I was able to find out, they were defacing sites that ran a certain gallery add-on to Joomla. I found a lot of sites that had also been defaced by the same group when I searched for the "name" they left behind.
Fortunately I have a reseller account so I was able to totally remove the entire site, the site's hosting and recreate the hosting for the site and rebuild the entire site over a weekend. Luckily the site was small. After the new version was up, written only in HTML & CSS, I kept constant watch as these guys and/or their friends were still trying to view their work or perhaps even try to do more. They eventually gave up.
I'm no longer using any CMS package for my sites other than WordPress which I keep updated.
Theres a particularly nasty virus making the rounds as I write this that doesn't do anything to your computer or websites but it swaps out the ads on sites you visit. You "think" you're seeing the site as intended but the advertising doesn't belong to that site.
How are you supposed to know? The code is well hidden and launches in the background with IE. It does NOT launch with firefox but if it has been launched already it will replace ads on firefox too.
The best way to test for this, because there really is no other trace of it (yes, it's that fast and smooth and kills cookies etc) is to visit your yahoo email and hover over an ad momentarily. If your computer is infected the ad will show in the nav bar as being served by a third party server, not by yahoo. The ads are high quality from various sources (except for the "get free icons" ad that Yahoo would never show).
This type of infection steals website owners money without touching their sites and without doing anything nasty to your computer.
Excellent post Tedster. I need to establish a few procedures.
great set of guidelines when performing site audits
Great post! Our server was hacked recently. They brute-forced us for over a year until they finally got in. We had our firewall block them after x number of failed logins by IP. But they were simply coming in with random IPs that didn't always exist anyway.
Long story short, I LUCKILY was reviewing my command history file one morning and happened to see some strange commands in there from JUST THE NIGHT BEFORE!
After reviewing some log files, I found they had obtained root access a few hours before... They were logged in for a total of 10 minutes. During that time they installed a script on my website that gave them file browsing capability via the browser (and edit), along with some other tools for accessing my database, etc. They then poked around my website scripts, viewing various files that seemed interesting (like login scripts, etc).
Then they attempted to clean up behind themselves and logoff. It was all a bit terrifying! I immediately changed every password on the server, and went into full lockdown mode on my SSH access. Previously I had not locked it down to be accessible via only my IP since I am on the move so much. Well this convinced me that I had to lock it down. So now I use a dynamic IP service (dyndns.org) to help me still SSH to my site when I'm moving IP addresses.
I spent weeks combing my site, logs, scripts, files, cron jobs, htaccess, config files, startup scripts, etc looking for something they may have left behind. So far I have not found anything. I'm hoping they were just being curious and planning to come back another day to do damage... since they didn't seem to do any visible damage this time.
BUT YOU NEVER KNOW FOR SURE since they did obtain ROOT access, they could have done anything and simply lead me to believe they were just browsing around. I still don't know for sure to this day. My ISP said I should buy a new server and migrate over and have the existing one wiped clean. I am not in a position to do that since I have years invested in setting this one up just the way I need it...
Unfortunately that may be a decision that comes back to haunt me... let's hope not.
But the moral of this story... getting your server hacked is a very real issue. Do not laugh at hackers that are trying to brute force their way in... they can (and will) eventually get in. Take steps to block them as soon as you see it happening... which was my biggest mistake. I figured my random password was unbreakable. Well they broke it.
You skipped some obvious things hackers have done which don't exactly effect your traffic but effect your income such as replacing your AdSense or affiliate IDs.
Max, if they have compromised your server, you're really, really should backup, wipe, and reinstall.
It seems you're aware already that once they've got root they can modify logs to look like whatever they want, change what commands do (ssh may not ssh anymore. It may send your password to them, then ssh). And a host of other nasty things.
I wouldn't be able to sleep knowing someone had root at one time - it's just unknowable what they've left behind. And as your ISP noted, the only real fix is backup, wipe, and reinstall.
|Defacement Hacks: These are really "old school" - they're more like online graffiti than anything else. The hacker usually just wants to brag that they got you, and they put up a message on your pages for all to see. Well, that's easily detected because you just go to your pages and there it is! |
Not always easy to detect: We recently took over management of an existing site for a client, and found it had 'Defacement Hacks'. Interestingly the owner had no idea and was familiar with her site (from the front end). The defacements were all in image folders that usually don't have html pages in them. The hacker had probably used XSS (Cross site scripting) via a low quality enquiry form on the site, to create pages in the image folders, the pages were all variations of the index page e.g. index.htm / index.php / index.asp... etc They were all harmless and graffiti-like e.g. 'Fred the Hacker was here'.
I am currently trying to compile a list of hacker access methods, to understand better what to avoid/check/secure. i.e. how the hacker manages to gain access in the first place, to do the stuff in Tedster's list. Here is my list so far (any aditions, amendments welcome)
- XSS - 'Cross site scripting'
Solution: Escaping and filtering in the form script.
- 3rd party Aps not updateded / patched e.g. WordPress, AWStats
Solution: don't use 3rd party Aps if you can avoid it. Keep them updated.
- Can you view a password folder or private content in the browser?
Solution: protect with htaccess
- Hosts using 3rd party aps with vulnerabilities: (e.g. CPanel, VDeck)
Solution: don't use such hosts.
- FTP with default passwords
Solution: Strong password + Change it every few months.
Perhaps one of the most efficient attacks is to hijack the browser of the site owner either via some clickjacking or active control/plugin.
Many site owners completely forget about that. For an attacker this approach is superior because:
1. Site owner trusts his site or his accounts. Active content filtering can be completely off.
2. With his hijacked browser now accesses his admin, cpanel, database, external accounts, mail, you name it.
Ex: when you login into your google accounts, don't you have these active content/scripts running? Otherwise how you gonna see all these nice calendars, maps and analytics results.
And you may see a month later a warning from your anti-virus program about it. But by then its too late.
So in essence the site owner may give full control to the attacker. It's ironic but common.
Yep had a site hacked once didnt have a backup copy doh !
A server that one of my sites was on got hacked back in May, and was used for Warez as well as #*$!ography. The same month, massive site penalties, loss of traffic, and my Adsense revenues dropped 70%.
Sent three reinclusion requests to G through Webmaster Tools since this summer, no response and still virtually nonexistent in Google. Years of hard work flushed down the drain.
I'm happy to see this thread. Good stuff, tedster. People should really learn to look in their own back yard sometimes.
I've gotten a lot of stickies and mails throughout the past few years claiming this or that "incident" with some "offending site" or with Google; and a very large percentage of the observed ranking problems could be traced back to bad configuration of the site in question.
I'm not using the word "hacking" as my first choice though, as a lot of these symptoms can be caused by ignorant or clumsy webmasters without any interference from third parties at all. Or, even webmasters trying to "cheat a little" and blame somebody else. No names, no examples.
Not only an excellent post - an excellent resource tool / checklist for those that frequently are placed in situations of diagnosing new clients with inherent problems in ranking.
Wasn't there a sweet script that Brett posted a while back on if someone was trying to get to a robots.txt blocked directory or file, then to just auto block them from your servers? Am trying to find that in the forums and am coming up empty.
A new thread at [webmasterworld.com...] mentions that the server hack they suffered did not change the time/date stamp for the altered files. So keep that in mind when searching for possible trouble, too.
Is there any alternative to Xenu Link Sleuth that implements the following features
1. Ability to crawl with any user-agent (googlebot is of a special interest, of course)
2. Respects robots.txt (otherwise it crawls too many pages that I absolutely do not care about)
3. Respects the "nofollow" tag, and reports the "nofollow" tag when found
Xenu lacks these features and does not allow to discover many potential security problems that you mentioned above. e.g. cloaking.
Post is excellent but this is more on the on page hacking. what to do when you dont see any changes like hacking for placing links in your content, allowing all indexing through robots, no unkown external links placed, content is clear. i have checked the site completely except log, seems there is no issue at alll. but still my 6 yrs old pr 4, site is gone from top to bottom in just 4 days. 60% traffic reduced from 1 feb to 5 feb.
since we have a big but static site and most of the pages are not changed on regular basis. can consider the main index or section index, almost 150 pages regularly changed out of 3500. How do we solve the 304 sc-status issue in the log. I just check the log for my site and i found that when bot visit my site, it is 304 most of the pages.
i read somewhere that says 304 is our friend.. but i am not sure about this.. seeking help
You can give Xenu limitations on where and what it crawls you just need to be specific.
Xenu isnt really a security tool - its a link tool.
Good stuff! thanks Ted.
Here's a solid analysis of a particularly devious hack - offered by Google's John Mueller (JohnMu):
Let's discuss the specifics of that hack in the linked thread, rather than here - thanks.
This is a great post, thanks for bringing this to our attention. As if it was not enough having to worry about maintaining rankings and all the other things that go along with running a busy site or sites we also have to watch out for this stuff. I've had sites hacked more than once in the last year or so. The problem always seems to be the same host and it's always our VPS that seems to get hit. There is a lot to be said for having a good server admin person handy, to be honest I don't know much about keeping this stuff in order and I probably should but who has the time?
Kapow, I've never heard that CPanel has vulnerabilities. Why would large hosting companies use something that was at risk? What platforms do other hosts use?
Hello, I don't know if this thing happening to my wordpress blog had already happened to other bloggers but for me it looks like a new kind of hacking. I still don't know what caused this or how to solve it so if anyone knows the solution, please share.
I found out one of my blog post that was indexed by Google have many pages with the same url but with query strings. All my blog post have an extension of .htm but the rest have this .htm?reyf=140 and a series like .htm?reyf=150, .htm?reyf=152 and .htm?reyf=67 and all the urls are identical. What is troubling to know is those pages have different titles with most of the words like c-a-s-i-n-o and l-o-t-t-e-r-y and when I click the link from the Google search, it redirected to another URL.
I think this caused a keyword ranking dropped and sudden dive of my traffic. Have anyone experienced this?
[edited by: tedster at 2:41 pm (utc) on May 3, 2009]
[edit reason] moved from another location [/edit]
Once someone has hacked into a server - and wordpress makes a common target if the software isn't patched as soon as new patches are released - the sky's the limit on what they might do. Earlier in this thread we discuss the basic steps: delete the hacked files and restore the clean ones, upgrade the wordpress platform, and then submit a reconsideration request explaining what happened and what you did.
Thanks Tedster for this informative post. I don't miss upgrading my wordpress blog and plugins. As soon as the new version was released I immediately upgrade them. I also don't have an idea which files are hacked.
I made some experiment. I tried to remove the wp-config.php to test if the url with .htm?reyf=140 will show an error because every URL on my blog should not work. My whole blog isn't working but the URL is still working and redirecting to an anti-virus site.
I also used the Google webmaster's tools to delete the URL but it was denied because it was considered as a third party website but actually it is my URL.
I'm in the process of reinstalling my Wordpress and I discovered something. It was actually hacked because of a Wordpress vulnerability (It was the new feature of wordpress I'm talking about). I'll go back to post the details after I fixed it.
SERP is back and I think there is no need for request reconsideration since my blog reacts fast enough after removing those bogus URL in the Google index. Speaking of the Wordpress vulnerability, I think it is not actually vulnerability since I'm not sure how the upgrading of Wordpress via admin panel really works. I was thinking that upon automatic upgrading via admin panel, the new version will just overwrite the old files without deleting the wp-admin and wp-includes. If that is the case, then the manual upgrading is better.
So to cut the story short, the hacker uploaded files on my wp-include>js>tinymce>plugins>inlinepopups>skins>clearlooks2>img folder, about 3,900+ files with strange filenames. So deleting those two directories, wp-admin and wp-includes and uploading them again from a fresh copy solved the problem.
| This 34 message thread spans 2 pages: 34 (  2 ) > > |