homepage Welcome to WebmasterWorld Guest from 23.23.22.200
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

    
Possible Hijack has caused almost complete loss of Rankings
chazeo




msg:3879666
 10:03 pm on Mar 26, 2009 (gmt 0)

Starting March 12th, I saw our Google traffic drop to almost nothing overnight. I started playing detective and found the following in Webmaster tools:

in Diagnostics > Web crawl

Web crawl errors (404 errors) with URLs such as the following:

http://www.example.com/06%23.-IMEI.phtml
http://www.example.com/08800.phtml
http://www.example.com/0x-black-list.phtml
http://www.example.com/1%2F2-open-seals.phtml
http://www.example.com/1-*.avi,-*.wmv.phtml
http://www.example.com/1-6-scale-rc-car.phtml

The full list included over 6,454 404 errors! They seem to have started around Mar 10, 2009.

I also performed a site:example.com search to see indexed pages and found over 1,870 pages (whereas webmaster tools confirms only around 153 pages). After the majority of our pages in the first 10 or so SERPS there are pages such as the following:

www.example.com/requestinfo/hentai%20download%20free%20bittorrent%20.html

that redirects to

spammerdomain.tld/search.php?q=site%3Awww.example.com&said=e&d=10

I am not really sure what has happened but our site (still showing PR5) has lost almost all traction in Google. However, our rankings in Yahoo seem still solid with tons of rankings in the top 5 positions, sometimes multiple listings. We were even stronger in Google before this happened.

Can someone shed some light on what has happened? I am desperate to receover as the phones have lieterally stopped ringing :(

[edited by: tedster at 12:17 am (utc) on Mar. 27, 2009]
[edit reason] switch to example.com - it cannot be owned [/edit]

 

tedster




msg:3879760
 12:21 am on Mar 27, 2009 (gmt 0)

I also performed a site:example.com search to see indexed pages and found over 1,870 pages

I'd start right there. Your server must be performing the redirect, so your server has been hacked. Find and fix that problem.

chazeo




msg:3879763
 12:23 am on Mar 27, 2009 (gmt 0)

This site is hosted by a reputable hosting company...Do I contact them? How do I go about addressing and fixing this?

chazeo




msg:3879765
 12:25 am on Mar 27, 2009 (gmt 0)

Also, the example.com/redirect-pages.phtml do not appear on the server when I login to the FTP site...

Thanks for the help.

tedster




msg:3879775
 12:39 am on Mar 27, 2009 (gmt 0)

If those urls get redirected when a browser requests them, they are redirected by your server. Check for a hacked .htaccess file, perhaps?

Yes, your hosting company may need to get involved, because you not only want to revert to the un-hacked version of your files, but you want to fix the security hole that allowed the hack to happen in the first place. If it's as simple as someone got your password, then changing your password is the fix. In my experience many hosting companies would like to tell you that and then have the whole thing to go away.

But there's a good chance that something about your hosting platform is out of date and recent patches are not yet installed. If you cannot update your server software yourself, then your hosting company will need to do it.

chazeo




msg:3879783
 12:47 am on Mar 27, 2009 (gmt 0)

And from what I've described above does that seem like the culprit? For my own research purposes, what would this type of attack be called? Is there a general way to protect against this?

If this is resolved, would it be something that we can recover from? Would a reinclusion request be necessary?

Also, as I stated, Yahoo and MSN rankings seem unaffected.

chazeo




msg:3879789
 12:55 am on Mar 27, 2009 (gmt 0)

OK, just found some files in a folder on the site that were not put there by me. I tried to delete them and they stated:

550 Could not delete package.php: No such file or directory
: /public_html/targetedfolder/badfile.php

What now?

tedster




msg:3879791
 12:58 am on Mar 27, 2009 (gmt 0)

Before you can name the hack you've got to find it - then you can describe what happened. Yes, you may need to do a reconsideration request. It can't hurt and it could accelerate your recovery in the rankings.

See this discussion for lots more: How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]. It can always be referenced in the Hot Topics area [webmasterworld.com], which is always pinned to the top of this forum's index page.

wyweb




msg:3879799
 1:09 am on Mar 27, 2009 (gmt 0)

What now is that you go to your host. How did these files get there? How can we prevent this from happening again?

You've obviously been hacked. More likely your server's been hacked and you just happened to be in the wrong place at the wrong time.

Make them fix it or find better hosting.

wyweb




msg:3879801
 1:11 am on Mar 27, 2009 (gmt 0)

In fact I'd go ahead and lose that host anyway...

bwnbwn




msg:3879812
 1:30 am on Mar 27, 2009 (gmt 0)

Try changing the name of the folder so the path is broken

chazeo




msg:3879815
 1:44 am on Mar 27, 2009 (gmt 0)

Calling them now! Thanks...

Can someone tell me what causes Google rankings to drop if my landing pages that have ranked so well for ages are still "relevant" to the search query? Is it a penalty of some kind for linking to spammer sites?

tedster




msg:3879830
 2:06 am on Mar 27, 2009 (gmt 0)

That's a good assumption.

chazeo




msg:3882485
 3:29 pm on Mar 31, 2009 (gmt 0)

update: a script was installed somehow in a folder on our site that caused Google to see us with spammy redirects. We cleaned them up, tightened the chmod settings and I submitted a removal request to remove this folder from index (it's only a form, not a landing page).

Now our rankings are toggling between the positions we had and #9 or further. How long should I expect this alternating, almost daily fluctuations? Should a reinclusion request be submitted, or is that overkill at this point?

tedster




msg:3882488
 3:36 pm on Mar 31, 2009 (gmt 0)

If you found and cleaned up a server hack - and took steps to prevent future hacks - I would definitely submist a reconsideration request and include those details. It can't hurt, and it may speed your site's recovery.

chazeo




msg:3883262
 5:20 pm on Apr 1, 2009 (gmt 0)

Done, will keep you posted of the time frame for recovery.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google SEO News and Discussion
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved