
Google SEO News and Discussion Forum

    
Removal from the index - email from Google
wheelie34




msg:3861223
 8:27 pm on Mar 2, 2009 (gmt 0)

My neighbour runs his own site, which is hosted here in the UK with one of the major players; it's shared hosting from what he tells me. Today he knocked on my door saying Google had emailed him and asking how he should verify it is them. He doesn't have a webmaster tools account or sitemap.xml. I checked the page that the email referred to and it had been compromised, so we assumed it was from Google.

Anyway, the email gave a snippet of hidden links. He definitely didn't put them there, as they all point to p1ll sites. He has no php or mysql, only 6 .html pages; all had a massive chunk of junk at the bottom just before the closing body/html tags.

many lines like this

example.com/upload_files/documents/plain_text.php?sql_error=1&page=2593">low cost p1ll name

My question is, how do the spammers do this and what does he, or his host, need to do to prevent this in the future? He has changed his password.

 

tedster




msg:3861458
 2:42 am on Mar 3, 2009 (gmt 0)

It's called parasite hosting - and it's not just spam, it's criminal behavior in my view, and it has become an epidemic.

These criminals (Danny Sullivan called them "crap hats") will exploit any security hole that they can in order to get into a server. That can mean any application that is not up to date with the latest patches. It might be cpanel or vdeck, it might be database or scripting software, there are loads of possibilities for "how" and there's a network of these shady folks that spreads the latest discoveries.

What the web host needs to do is stay up-to-date on patches and upgrades to any app they are running. The more commonly used an application is that runs on the server, the more it is a target for parasite hosting.

[edited by: tedster at 7:42 am (utc) on Mar. 3, 2009]

texasville




msg:3861513
 5:50 am on Mar 3, 2009 (gmt 0)

I recently had a #1 ranking site for all its major keywords get cracked along with 2 others I manage on the same server. It was done thru the ftp. That is what my host claimed anyway. They claimed I introduced it but this site had done so well I hadn't touched it in 6 months.
In my case, they did a little trick in my .htaccess file but it seems some hosts have some ftp problems, so make sure you change that password, not just your cpanel.
BTW, Google has evidently creamed my #1 site now. So I decided to take this opportunity to revamp the site. Make lemonade from the lemons.
It's interesting Google gave a heads up on his. Big G obviously thought it wasn't intentional by the webmaster and must have recognized the pattern. Very interesting.

webastronaut




msg:3861529
 6:35 am on Mar 3, 2009 (gmt 0)

Same thing happened to me and the host found out it happened through cpanel. The crap hat also got my hosting account credit card info and charged up some serious cash.
So it has to be an inside job but the host has not admitted this yet but I'm having this investigated.
Hacking or I should say cracking seems to be on the rise big time and I think it is from such a bad economy going on everywhere.

AjiNIMC




msg:3861574
 9:29 am on Mar 3, 2009 (gmt 0)

You may like to refer to these 2 articles

[googlewebmastercentral.blogspot.com...]

and

[googlewebmastercentral.blogspot.com...]

wheelie34




msg:3861576
 9:37 am on Mar 3, 2009 (gmt 0)

Thanks for the replies guys. Well, I helped him set up a webmaster tools account yesterday and within an hour there was a warning in there; the email did say to check your webmaster account, if you have one, to verify the email. We got his password changed and uploaded the original pages, then submitted the reinclusion request, which stated it may take several weeks. I have just asked him how it was going and he says the warning has gone. Does this mean the 'pending' removal has been reversed because he acted quickly?

It's interesting google gave a heads up

The email states (in different words) it looks like a 3rd party has modified your pages, so they seem to know it's not the site owner to blame, further down it also says google would like to keep his site in the index.

He has spoken to his host and of course they say they had no issues and their systems are up to date.

AjiNIMC




msg:3861619
 10:57 am on Mar 3, 2009 (gmt 0)

The email states (in different words) it looks like a 3rd party has modified your pages, so they seem to know it's not the site owner to blame, further down it also says google would like to keep his site in the index.

Last week when we were at Google, Adam spoke about this in detail. He explained how applications like wordpress get hacked now and then. They see this more often than we think. Maybe these frequent hacks have forced them to believe (and program) that it is a 3rd party.

johnnie




msg:3861628
 11:30 am on Mar 3, 2009 (gmt 0)

Maybe it's the CMS?

wheelie34




msg:3861740
 3:12 pm on Mar 3, 2009 (gmt 0)

It's not a CMS driven site, flat html pages only.

He just popped in and says he's out of the index, so I guess he's out for the 30 days they stated. He did submit a reinclusion request yesterday; should he just wait now?

Dave_Hybrid




msg:3861750
 3:28 pm on Mar 3, 2009 (gmt 0)

Isn't parasite hosting where you use a user editable page on someone else's site to rank in the serps off the back of their trust? Like a forum page or a squidoo page. This is link injection.

Zamboni




msg:3861759
 3:50 pm on Mar 3, 2009 (gmt 0)

If it's a flat html site it is probably from a Hosting issue/Shared server compromise or a weak ftp username and password or I suppose he might have been phished out of the ftp info. You or the host will pretty much need to search the log files to find out what actually happened, the host should have the knowledge to do it fairly quickly if they care to find out. If they don't care or if it happens again I would definitely switch hosts.

wheelie34




msg:3861956
 7:29 pm on Mar 3, 2009 (gmt 0)

Just got an email from him, he says some pages are already showing the crap again when viewing source so he checked his ftp client to see when they were last accessed, yesterday it said, so it started straight after he replaced the files!

He has emailed his customer support desk, he also said he forgot to mention he has one mysql database, he doesn't edit it through the browser though, he works in phpmyadmin so he's only pulling data to display not pushing it, he has checked the structure and says all looks normal, is there any way it can't be the host?

jdMorgan




msg:3861971
 7:43 pm on Mar 3, 2009 (gmt 0)

For Apache: How can I block blind SQL injection attack? [webmasterworld.com]

More: WebmasterWorld site search [google.com]

Jim

wheelie34




msg:3861995
 8:22 pm on Mar 3, 2009 (gmt 0)

So you think it's an sql injection Jim?

So adding

RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]

to his htaccess file (using proper pipes) will prevent it?

jdMorgan




msg:3862036
 9:23 pm on Mar 3, 2009 (gmt 0)

If that's the problem, it might help.

You fix what you *can* fix, then pound on the host to fix the rest... :)

If the site has been subject to SQL injection, you will find requests with some or all of those keywords in the query strings of requested URLs in the raw server access log file. Since you state that you know the time that the files were cracked/modified, it should be relatively easy to find these particular requests (if they exist).

However, note that blocking these queries unconditionally may 'break' the CMS/database functions. Again, look at the raw log files to see if legitimate requests can be discerned from illegitimate ones... by REMOTE_ADDRess, by HTTP_USER_AGENT, etc. If so, add RewriteConds to the rule so that only legitimate requests are allowed. (Note that I didn't say, "so that illegitimate requests are blocked"... It's a mind-set thing, and an important one, to approach security from the standpoint of what you want to allow, not what you want to block; the ramifications are quite different for errors of omission in these two approaches.)

Jim
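
The access-log check described in the post above, as an added example that is not part of the original thread: it scans Apache log lines for the keywords from the quoted RewriteCond in requests made shortly before the pages were modified. The combined log format, the sample lines, the paths and the modification time are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Keyword list copied from the RewriteCond quoted in the thread.
KEYWORDS = ("declare|char|set|cast|convert|delete|drop|exec|insert|meta|"
            "script|select|truncate|update")
# Lookarounds replace [^a-z]...[^a-z] so a keyword at the very start or end
# of the query string is also reported, while "charset" is still ignored.
SUSPICIOUS = re.compile(r"(?<![a-z])(?:%s)(?![a-z])" % KEYWORDS, re.I)

# Apache "combined" log format (assumed).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2009:18:05:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2009:19:41:02 +0000] "GET /list.php?charset=utf8 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Mar/2009:19:58:37 +0000] "GET /list.php?page=2%20SeLeCt%20x HTTP/1.1" 200 2048 "-" "ExampleBot/1.0"',
    '192.0.2.44 - - [25/Feb/2009:03:12:09 +0000] "GET /list.php?page=drop HTTP/1.1" 404 312 "-" "ExampleBot/1.0"',
]
# Constructed: the time the FTP client reported the pages as last changed.
MODIFIED_AT = datetime(2009, 3, 2, 20, 0, tzinfo=timezone.utc)

def suspicious_requests(lines, modified_at, window_hours=24):
    """Requests in the window before modified_at whose URL-decoded query
    string contains one of the keywords."""
    start = modified_at - timedelta(hours=window_hours)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or "?" not in m["url"]:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        query = unquote_plus(m["url"].split("?", 1)[1])
        found = SUSPICIOUS.search(query)
        if found and start <= when <= modified_at:
            hits.append({"time": when, "ip": m["ip"], "ua": m["ua"],
                         "status": m["status"], "url": m["url"],
                         "keyword": found.group(0).lower()})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, MODIFIED_AT):
        print(hit["time"], hit["ip"], hit["keyword"], hit["url"], hit["ua"])
```

Each hit keeps the client address and user agent so that legitimate and illegitimate requests can be compared before any allow rule is written.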

dstiles




msg:3862168
 11:35 pm on Mar 3, 2009 (gmt 0)

One of my servers was infiltrated a couple of years ago. No site damage but a handful of backdoors dumped on the server.

I never did find exactly how it happened: I know it wasn't SQLI, there was no cpanel and it's not commercial CMS. Infection did recur a couple of times until I did some serious server-cleaning - taking off a lot of very dodgy stuff that LOOKED like genuine DLLs (MS/IIS server) plus a few that were probably genuine.

I THINK the original backdoor was uploaded by FTP - there was an exploit in the server I used at that time that may have let someone in without a password (all accounts were login, not anonymous).

I changed FTP server and now force almost all my clients to use SSL access, giving them 12+ character passwords. Whether FTP is an exploit vector or not I strongly recommend this if possible.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved