homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

Google SERPS hijacked in UK. My domain listed in green, but clicks go to another site!

 2:33 pm on Sep 22, 2012 (gmt 0)

I just got a message from a reporter in the U.K. doing a story on serps hijacking, since my site was affected. I couldn't find anything about this issue on WebmasterWorld or in Google, but I could have missed it, since both WW and the web are pretty big...

Anyway, on Google U.K. (google.co.uk) my site is listed in the organic results on page 2...sort of. The result shows my domain name in green, and the additional links under the snippet are all links to pages on my site, and if you hover over any link (the main one or the supplemental ones), the status bar in my browser shows that the link will go to my site.

But the title of the result and the snippet are from the hijacker's site, and if you click the result, my domain shows in the address bar briefly, then the browser is somehow redirected to the hijacker's site.

I tried to check the Page Source to see if there were anything screwy in the link, but the text on the page appears to have been generated by Javascript and so the SERPs are not in the source.

My site doesn't show up for the [specific keywords] search in Google U.S., or in Bing U.K.

Now that I finished typing this, I checked again and a click on the SERPs result does go straight to my site, but a few minutes ago it certainly didn't.

Is this a known exploit, and if so, what is the name for it?

[edited by: Andy_Langton at 3:13 pm (utc) on Sep 22, 2012]
[edit reason] No specifics, please! [/edit]


Andy Langton

 3:16 pm on Sep 22, 2012 (gmt 0)

If the link categorically goes to your domain name (and not a slight variation), then the symptoms point at hacking or malware.

The specific type of hacking that would explain this is where the hacker inserts javascript into your pages, which then redirect at random. Try the safe browsing diagnostic to see if theere are any clues, otherwise you need to have a look at the actual code of your site (not view the pages) to check for anything suspicious: [google.com...]

If it's malware, then that would normally be installed on your own PC, usually at the browser level. This is easy to verify by testing with an alternate machine you can be certain isn't compromised. It doesn't sound like it will be the case here as a third party informed you of it.

Incidentally, here's a decent discussion on hacked site redirecting: [webmasterworld.com...]


 3:41 pm on Sep 22, 2012 (gmt 0)

Had something similar when my htaccess was hacked a while ago. Links from google were redirected but my site was fine when accessed directly - so took me a while to find.


 4:28 pm on Sep 22, 2012 (gmt 0)

Had this happen to my site as well. They have injected redirects into your code. Do you have a backed up copy of your website? You could re upload that or go into the code and clean it up. Once you re upload the site change all of your passwords immediately.


 5:53 pm on Sep 22, 2012 (gmt 0)

I would firstly check your .htaccess file to see if it has been hacked.

Robert Charlton

 6:57 pm on Sep 22, 2012 (gmt 0)

Here's also a fairly recent blog post by Google's Matt Cutts on how to detect and guard against hacking, with links to some specific Google resources....

Example email to a hacked site
http://www.mattcutts.com/blog/example-email-to-a-hacked-site/ [mattcutts.com]


 7:32 pm on Sep 22, 2012 (gmt 0)

I'm sorry, I left out one crucial detail:

If I type my domain name into my browser's address bar, I go to my site just fine. If I click my listing in the U.S. Google SERPs, I go to my site just fine. It's only when I click the weird listing of my site in the Google UK serps that the redirect happens.

My site has not been hacked. My .htaccess hasn't changed in four years (and I just double-checked its contents to make sure). My home page hasn't changed in months (reconfirmed). This isn't a malware issue. I have zero history or evidence of malware on my computer, and the reporter in the U.K. is having the exact same issue. I'm not using Wordpress or any other off-the-shelf software. My site isn't dynamic, no databases, etc.

The issue is clearly not on my end. There's something weird going on in the Google UK SERPs. The U.K. reporter is clearly onto something.



 7:57 pm on Sep 22, 2012 (gmt 0)

Although we haven't heard much about this lately, your symptoms sound very much like some kind of DNS Cache Poisoning [webmasterworld.com]


 8:30 pm on Sep 22, 2012 (gmt 0)

Yes, that sounds exactly like what it is. Let's see if I understand this:

* When a user clicks a link, the user's ISP checks a local DNS server to find the domain's IP address. There are thousands of DNS servers all over the world, and there's no telling which DNS server the ISP will use.

* A hacker breaks into a DNS server's cache and changes the records, changing the IP address for example.com from the real IP address to some rogue site's IP address.

* Most users don't see any problem, but users whose ISP gets its IP info from a hacked DNS server will get directed to rogue sites when they click links to legitimate sites.

Do I have that right? If so, it seems like there's nothing I can do, since the compromised DNS server(s) are unknown to me and out of my control.

Andy Langton

 10:25 pm on Sep 22, 2012 (gmt 0)

I'm not sure this explains it, unless it is your DNS servers that are poisoned:

the title of the result and the snippet are from the hijacker's site

This means that *Googlebot* were sent to the attacker's site at crawl-time. You can probably check the DNS they will have received using their public DNS (https://developers.google.com/speed/public-dns/docs/using).

Another check would be to use 'fetch as Googlebot' in GWT to see what content they actually receive.


 12:44 am on Sep 23, 2012 (gmt 0)

Okay, I took a closer look, and I did find evidence of a hack. But it's still far from clear to me exactly what's going on.

* My home page is "index.html", but I found the file "lndex.php" on my server, that I didn't put there. The first character is a lowercase "L", not a capital "i". I have no idea what this naming scheme accomplishes.

* Opening the file, it's the same as my real home page, except for the following code inserted at the very top, which I don't know how to decode.

@preg_replace("\x26\50\x5b\136\x3c\135\x2b\51\x26\145\x69\163" [snip]);
exit(); ?>

* The modification date of the rogue lndex.php file is May 3, 2005. But the contents of the file are from Nov. 2011, the last time I edited my index.html. Did I get hacked seven years ago or recently? If recently, the hackers went to the trouble of changing the filedate on the server?!

* Andy has done a lot of research on this for me behind the scenes. (Thanks!) One thing he found was that my site is serving a weird cookie, which likely is used to determine who gets the real site and who gets redirected, which could explain why I haven't been redirected after my initial click in the Google U.K. SERPs.

* Knowing that I got hacked, I took the following precautions:
-- Moved "lndex.php" above the wespace
-- Changed the passwords for my shell access, root access, and web panel access.
-- Will notify my webhost.

(1) What does the inserted code do?
(2) Did the attack likely happen seven years ago or recently, and if recently, they actually changed the filedate?
(3) How do they get Google to see the "lndex.php" file as the main file for the site?
(4) What more security steps should I take, if any?

[edited by: Andy_Langton at 10:43 am (utc) on Sep 23, 2012]
[edit reason] fix horizontal scroll via linebreaks, snipped code [/edit]

Andy Langton

 12:54 am on Sep 23, 2012 (gmt 0)

It's a heavily obfuscated script, which attempts to include the following file:


First step is to try to identify any and all files associated with the hack. One way to do that is to search for files with the same creation date as lndex.php

lndex.php is likely shown because it is either the default index file on your server, or it was added as a DirectoryIndex directive in htaccess.

[edited by: Robert_Charlton at 4:28 am (utc) on Sep 23, 2012]

[edited by: Andy_Langton at 10:44 am (utc) on Sep 23, 2012]


 1:59 am on Sep 23, 2012 (gmt 0)

they actually changed the filedate?

filedates can be changed / faked..requires a light touch..

( was even mentioned here [webmasterworld.com] over 6 years ago )

Searching that piece of code in your msg:4498700, minus the @preg_replace

Gave me the first 414 I have had from Google..

414. Thatís an error.

The requested URL /search... is too large to process. Thatís all we know.

Putting an old date on a file is one way that hackers use to slide it past your attention, old dates to most people mean "must have always been there , don't delete it or mess with it" ..ditto the disguised "l" for "i" and similar tricks..even involving other alphabets sometimes..

You may find traces of recent probes to see what was vulnerable on your site in your 404 logs..( then again most sites are under a constant barrage of probes for vulnerabilities ) ..one way to avoid hacks is not to use "default" names for config type files and admin type files..most probes are looking for default setups ..especially for the more common CMS types..

[edited by: Leosghost at 2:20 am (utc) on Sep 23, 2012]


 2:20 am on Sep 23, 2012 (gmt 0)

If I type my domain name into my browser's address bar, I go to my site just fine. If I click my listing in the U.S. Google SERPs, I go to my site just fine. It's only when I click the weird listing of my site in the Google UK serps that the redirect happens.

That's exactly what denisl's post described. You can never duplicate the error because you're typing in the address without referer, and of course the googlebot also comes in without referer. The redirect only happens when the referer is google-- or possibly other search engines as well.

The first character is a lowercase "L", not a capital "i". I have no idea what this naming scheme accomplishes.

It prevents the fake "lndex.php" file from overwriting a real "index.php" if there happens to be one-- another way to keep you from spotting the attack if you put in your page request manually.

I assume that by now you have fine-tooth-combed your htaccess or config file, whichever applies.


 2:22 am on Sep 23, 2012 (gmt 0)

Bingo. Initially I didn't think that .htaccess had been modified, but I just found (and removed) this line:

DirectoryIndex lndex.php index.html index.htm

The file modification date was July 8, 2008.

I found the file in question and sequestered it. (The whole "log" directory, actually.) The directory has a modification date of 9/14/2012, as do the file contents.

Andy's advice to look for files with the same modification date as those associated with the hack was invaluable. I found several more. Then I broadened the search to look at all files changed in the last month, and all .php files, and found some more. I scrubbed them all and then changed my password *again*.

Incidentally, one of the files is filled with code comments about "exploits" and "for your hacking pleasure", etc.

My host helpfully ran their own scan, which finds things like old software, files/folders with bad permissions, etc. I removed an ancient WordPress blog that I haven't used in years based on that report.

By the way, this hack spanned multiple domains. My file structure is /home/user/name/domainname, with several domains under the same username. The hackers had files from one domain loading files from another.

I apologize for my initial insistence that the problem wasn't on my end. I couldn't have been more wrong about that.


 2:44 am on Sep 23, 2012 (gmt 0)

This may be of use ( various methods ) if you want to set up a system that will notify you when files are modified on your server..can let you know about hacks and intrusions as soon as they happen, prevents you from having visitors redirected or serving illegal pron etc from within your site..


No connection with them .. but I approve of their site :)

Incidentally, one of the files is filled with code comments about "exploits" and "for your hacking pleasure", etc.

Indicates that the hacker was probably using something that they didn't write themselves..a "found" or a "purchased" tool from the darkside ..some have loads of "comments" ..one way to ID who wrote the code ( sometimes )..like looking inside the hex code on a virus..( some skiddies even leave their desktop names and other identifying factors, in their hex code etc ;)..gets some of them caught..


 3:04 am on Sep 23, 2012 (gmt 0)

Webmasters are quick to add dozens of addons to their sites, including some that enable live php to be executed by those addons, so I'm surprised this doesn't happen more often.

Wait, maybe it IS happening often but if you don't regularly check your site by checking your own links from Google from various proxy servers you'll never know.

Get checking.


 8:03 am on Sep 23, 2012 (gmt 0)

In my case it was my wife who alerted me. She is one of those who never accesses anything directly - just types everything into Google.
As for the htacccess file - I didn't see what was in it. In my panic, one of the first things i did was to re-upload the file and replace what was there. That was a year or two ago and have had no further problems.

I shall look at Leosgost's link - sounds a very good idea.


 1:23 pm on Oct 1, 2012 (gmt 0)

I seem to have another example hmm now shall I out the site that is benefiting on twitter or use my political contacts.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Google / Google SEO News and Discussion
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved