homepage Welcome to WebmasterWorld Guest from 54.197.19.35
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

    
Canonical Sabotage - how to fix?
otnot10




msg:4222892
 5:43 pm on Oct 27, 2010 (gmt 0)

My companies website dropped from the first page of google's results beginning in August. It has held this position for several years.

I use google webmaster tools and I noticed that my sites keywords were Microsoft,Adobe,windows etc(not at all what the site is about).


What I found was that someone had hosted a page with the http://example.com with hidden links and text. So about three weeks ago I did a 301 redirect to correct the problem and in webmaster tools I verified ownership of both domains and requested they use the www version.

At first the http version in webmaster tools showed the correct keywords but since the last crawl it now shows the hijacked keywords once again.

My question is how do I get rid of the offensive page?

Thanks in Advance

 

scottsonline




msg:4222909
 6:22 pm on Oct 27, 2010 (gmt 0)

Who was the someone? I'm confused so you claimed the hijack site as your own?

otnot10




msg:4222915
 6:32 pm on Oct 27, 2010 (gmt 0)

I don't know who created the http://example.com page. In GWT I confirmed ownership of both http://example.com and www:example.com and did a redirect from http://example.com to the www version.

rowtc2




msg:4222948
 7:31 pm on Oct 27, 2010 (gmt 0)

Maybe site was hacked. If you own www.example.com,you own example.com , subdomain.example.com

otnot10




msg:4222962
 8:09 pm on Oct 27, 2010 (gmt 0)

No it was not hacked, it was hijacked. I did not have a 301 redirect in place so google thought that the page http://example.com was actually www.example.com. But when they crawl http://example.com they get a site that is nothing like the orginal even though when you click on the title it takes you to the www. version.

tedster




msg:4223060
 11:12 pm on Oct 27, 2010 (gmt 0)

when they crawl http://example.com they get a site that is nothing like the orginal

The request for that domain root will still be handled by your server - the description still doesn't quite hang together.

otnot10




msg:4223110
 2:08 am on Oct 28, 2010 (gmt 0)

Ok! There is a page that links to my site that uses my company name as a title. It takes you to my site. But when you view source on the cached page it is full of links to no where but has anchor text to other keywords than what this site is about.

tedster




msg:4223112
 2:24 am on Oct 28, 2010 (gmt 0)

It takes you to my site.

Sorry, it's still unclear for me. So let's not use words like "page" and "website" because they are technically too vague.

When you click on the ranking search result, do you end up on your URL on your domain? Or is this perhaps a proxy server that is serving your content completely from a URL on their domain?

Does a frameset enter into the picture?

At any rate, I'd guess your canonical 301 fix might do the job eventually. They can take several weeks to shake out completely, however.

phranque




msg:4223303
 11:19 am on Oct 28, 2010 (gmt 0)

if you are seeing the hacked page in google cache, you should "fetch as googlebot" in GWT and see what content results from that request.

otnot10




msg:4223381
 2:31 pm on Oct 28, 2010 (gmt 0)

Ted if I click on the search result I end up at my url domain. If I veiw the cached version of the search result it shows text that this domain is under construction. Then when I view the source I see all this hidden code.

GWT fetches the same coding as google cache for the http://example.com but the www version is correct.

otnot10




msg:4223394
 3:07 pm on Oct 28, 2010 (gmt 0)

phranque
GWT veiws the http version as just a bunch of hidden code. The www version also has the hidden code but it is inserted at the middle of the html. The strange thing about that is if you veiw the source of my website you don't see the hidden code. I will delete the offending code from my files and I should be fine.

bwnbwn




msg:4223411
 3:34 pm on Oct 28, 2010 (gmt 0)

I will delete the offending code from my files and I should be fine.
No you will not be fine until you find out how your server was hacked. The server was hacked and code was inserted into your pages.
Taking the code out of the pages will help but are you sure it isn't on other pages in the site. Get some help find the weakness in the server and patch the holes.

They will be back and do it all over again until you harden the server.

otnot10




msg:4223547
 7:37 pm on Oct 28, 2010 (gmt 0)

Why is it when I look at the files on the server there is no hidden code? Yet when I fetch it in WMT it is full of hidden code? And yes every page I have viewed in WMT has the same code inserted.

tedster




msg:4223549
 7:45 pm on Oct 28, 2010 (gmt 0)

Hackers today are devious - they use many technical tricks to hide their parasite content from easy detection. Check out this thread about hacked servers [webmasterworld.com].

phranque




msg:4223788
 10:09 am on Oct 29, 2010 (gmt 0)

there are ways to cloak the content to regular browsers and serve different content to googlebot.
or construct the markup and style such that the keywords and links get indexed without being shown.
the spammy content is most likely in the CMS db rather than in a template somewhere.
the content may be served through a vulnerable plugin that you have installed.
is all your CMS software up-to-date?
there may also be some server directives in the .htaccess file that enable the cloaking.

tedster




msg:4223793
 10:33 am on Oct 29, 2010 (gmt 0)

Google's Matt Cutts just posted some information on Hacker News that might help you. [news.ycombinator.com...]

otnot10




msg:4223917
 3:40 pm on Oct 29, 2010 (gmt 0)

Thanks Ted and Phranque. I think I found the problem. In the htaccessfile I found the following. Is this a redirect?

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} (^|www.example.com
RewriteCond %{REQUEST_FILENAME} ![^a-zA-Z0-9](css|js|jpe?g|gif|png|zip|swf|doc|xls|pdf|ico|tar|gz|bmp|rar|mp3|avi|mpeg|flv)(\?|$)
RewriteCond %{REMOTE_ADDR} ^66\.249\.[6-9][0-9]\.[0-9]+$ [OR]
RewriteCond %{REMOTE_ADDR} ^74\.125\.[0-9]+\.[0-9]+$ [OR]
RewriteCond %{REMOTE_ADDR} ^64\.233\.1[6-9][0-9]\.[0-9]+$ [OR]
RewriteCond %{REMOTE_ADDR} ^65\.5[2-5]\.[0-9]+\.[0-9]+$ [OR]
RewriteCond %{HTTP_USER_AGENT} (google|msnbot)
RewriteRule ^(.*)$ Images/Images/amex2.class.php [L]
Options +FollowSymLinks

I also found a copy of the root directory in every file on the server all with yesterdays date.

BradleyT




msg:4223967
 5:21 pm on Oct 29, 2010 (gmt 0)

Images/Images/amex2.class.php

What is in that file?

bwnbwn




msg:4224024
 7:34 pm on Oct 29, 2010 (gmt 0)

otnot10 the hacker has complete access to the server so I suggest a complete password change on all passwords on all your accounts Banking everything. Download [malwarebytes.org...] run it on any machine you use and then email the host and ask them to see how the site was hacked.

Remove all the code and keep after your host to see how the server was hit. I have a feeling it was from a trojan on your home/office system, but it is best to find the exact cause.

If it was through ftp then that is from your home/office if it was from an outdated cms as phranque suggested or another software program on the server get them patched.

I would suggest looking at all files on the server there have been reports of hacks coming in from old programs no longer in use on the site but were left on the server.

Most important is find the point of entry.

otnot10




msg:4224045
 8:17 pm on Oct 29, 2010 (gmt 0)

I think your right that it was a trogan. My laptop was infected and that is the machine I use to access our server.

I removed the above code from the htacess file and also found files in the cgi file and removed them. I changed passwords and administrator name ect.

I then used GWT to fetch the site and it comes back clean. But your right also I would like to know exactly how they got in.

bwnbwn




msg:4224081
 9:59 pm on Oct 29, 2010 (gmt 0)

otnot10 think I already know the answer but be best to find out just to be sure.

phranque




msg:4224140
 1:15 am on Oct 30, 2010 (gmt 0)

In the htaccessfile I found the following. Is this a redirect?


you just found:
server directives in the .htaccess file that enable the cloaking

otnot10




msg:4224163
 3:38 am on Oct 30, 2010 (gmt 0)

Sorry but,yes I just found it. I am not as you can tell a webmaster. But willing to learn! Ok bwnbwn. I give. What is your guess?

jimbeetle




msg:4224258
 4:12 pm on Oct 30, 2010 (gmt 0)

I think your right that it was a trogan. My laptop was infected and that is the machine I use to access our server.

It was probably a keylogger. That's why it was suggested above that you change passwords and such to ALL accounts you use that machine to access.

maximillianos




msg:4224273
 4:42 pm on Oct 30, 2010 (gmt 0)

When we got hacked last year we had to move to a new server and use backups of our scripts and data from before the break in. Even then you really can't be sure.

It is very tough to recover from a root break-in 100% unless you start with a clean server and move scripts over manually reviewing them, etc. Same with data.

rowtc2




msg:4224277
 5:35 pm on Oct 30, 2010 (gmt 0)

There are viruses created to upload malicious code (ex a plugin appear on site to install it, hidden links in index.html etc).

First time i hear about uploading on htaccess.

Steps to consider:
1. Reinstall windows on your computer (or scan it with 2-3 popular antiviruses updated)
2. Upload your last good backup
3. Update your CMS (is possible to be hacked via malicious code running on your website forms or url path)
4. Make backups often,hacks happends..

Planet13




msg:4224374
 12:34 am on Oct 31, 2010 (gmt 0)

Avast has a pretty good free virus protection system. they have a scan on boot feature that is supposed to help find viruses better than some other programs (so they claim).

Then after that you can also try esed which is an online scanner that also is supposed to work pretty well.

I hope this helps.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google SEO News and Discussion
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved