
Google SEO News and Discussion Forum

Understanding hacked sites that rank in Google

 8:14 pm on Apr 4, 2013 (gmt 0)

It is an unfortunate fact of life that some people are willing to break the law and hack websites to make some money. Google generally does a decent job of mostly keeping this under control. Recently I came across a good mainstream term that was spammed so bad it reminded me of some super spammed adult serps.

How did this hacker take more than half of the first page of results? The hacker didn't just drop some outbound links on the page. The hacker dynamically inserted large amounts of text that was themed to their outbound links. The hacker also rewrote all internal anchor text to make them themed as well. They basically re-themed the entire website. After they re-themed one site, they then re-themed several other hacked sites and formed a pretty nice interlaced network.

I find it interesting to see a really smart hacker at work. This time I found it more interesting to follow Google's response to this hacker. For some reason Google has not removed these sites from the serps. They are not even flagged as compromised sites unless you do a site: search.

I am not 100% sure what is going on since I do not own these sites nor am I the hacker but it has made me sit up and pay closer attention to Google's response to these originally unrelated (now perfectly themed) hacked sites that are ranking for a fairly competitive mainstream serp.

ps Please keep your Google editorializing to yourself. It does not add to the conversation or help us better understand the different ways Google may address hacked sites.



 10:54 pm on Apr 4, 2013 (gmt 0)

I suspect by surrounding the link text the hacker has managed to cloak the links from automated penalties associated with hacker attacks.

In short you have a very clever hacker that Google are most probably searching for a footprint to wipe, either that or offer them a job!


 10:42 am on Apr 5, 2013 (gmt 0)

hacking and retheming an entire external website is more likely to happen on those sites which are not regularly monitored by the web admin. This would in turn mean the hacked sites don't have any brand or professional value and aren't serious online businesses. So, how are these links helping the hacker to rank so high?


 12:34 pm on Apr 5, 2013 (gmt 0)

I do not maintain my personal blog. My blog was hacked 7 months ago, most of the pages were deleted automatically. A week ago I discovered a few of my pages have hidden text (the text background was set to white) and when I selected text I found crap links.

Just a WARNING to anyone who is using WordPress, Joomla or Drupal, these days a few people are distributing plugins which will inject their website links in your CMS after a few weeks or months. The worst part is you won't see them if you are logged in!

I know these plugins but for the sake of preventing spam I won't name them because anyone can post their website links to blogs who have installed these plugins.


 1:00 pm on Apr 5, 2013 (gmt 0)

Good points, joyj. No one should underestimate the hacking threat to common CMS systems just because it hasn't happened to them yet. Hackers no longer just deface sites - they have a profit motive and they are quite savvy. In fact, analyzing what a hacker did and why can be quite educational about Google rankings. It's no wonder Google sometimes doesn't clean up spam right away and would rather study what the spammers are doing when it works.

Hackers will sometimes cloak their parasite content so that only a googlebot user agent will see it. Seeing these hacks is one of the main reasons that Google created the "Fetch as googlebot" tool.

Last year a friend approached me with a solid business site that had been hacked and lost almost all Google traffic. It was a challenging thing to fix - we had to move to a new physical server box and rebuild the site from a relatively old backup. (I'm happy that there WAS a backup!)


 1:03 pm on Apr 5, 2013 (gmt 0)

this is how major keywords get spammed ... and it still works.

I think it should be best noted that techniques that are using illegal practices (that are said to be illegal by the law) should be called "Crap Hat" (evil search spam) and those that are only using SEO methods that are against the TOS of the particular search engine should be referred to as "Black Hat".

[edited by: tedster at 1:17 pm (utc) on Apr 5, 2013]
[edit reason] sorry, no personal links [/edit]


 1:29 pm on Apr 5, 2013 (gmt 0)

I tend to use "Crap Hat" for people who don't even know what they're doing and just follow cookie cutter SEO practices. Server hacking and parasite links are straight out criminal - doesn't need any more of a label than that.

this is how major keywords get spammed ... and it still works.

Yes it does - especially when combined with rapid turnover churn-and-burn backlink networks. I sometimes think Google is so focused on getting fresh results that they let the door wide open for these rapidly shifting spam networks.


 1:48 pm on Apr 5, 2013 (gmt 0)

no problem tedster for removing the link. was an article written 1 year back that is still of high actuality. thought it could bring value to the discussion.

so many definitions out there on SEO related stuff nowadays :)

anyway what worked 5 years ago still does ... if done smarter and with slower velocity in some cases. my 2c


 3:00 pm on Apr 5, 2013 (gmt 0)

I did contact some of the websites that were hacked and it was near impossible to convince them I was trying to inform them for free and not making a sales pitch.

They are legitimate businesses and they are monitoring their websites. The site owners I talked with said they were first informed of this by their customers but they couldn't recreate it so they assumed the issue resolved itself. I was able to walk them through and recreate it by having them use a different browser and going through Google serps. I assume the hacker is using user agent detection or a similar method to hide the hack from site owners.

Another interesting thing I noticed is this network of hacked sites were all using different CMS. In the past, it has been my experience that a hacker would tend to focus on one CMS.
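The cloaking described in the posts above (injected content served only to a Googlebot user agent or to visitors arriving from Google results) can be checked for by diffing the outbound links a page returns under different request profiles. The following is an added example, not part of any forum post; the profile names, host names and HTML samples are constructed, and in practice each entry would be the body fetched for the same URL with a different User-Agent or Referer header.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect absolute http(s) hrefs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlparse(href).scheme in ("http", "https"):
                self.links.add(href)

def outbound_links(html, own_host):
    """Links that point away from the site being checked."""
    parser = LinkCollector()
    parser.feed(html)
    return {u for u in parser.links if urlparse(u).hostname != own_host}

def cloaked_links(responses, own_host, baseline="owner_browser"):
    """Map each profile to the outbound links it received that the baseline did not."""
    base = outbound_links(responses[baseline], own_host)
    report = {}
    for profile, html in responses.items():
        extra = outbound_links(html, own_host) - base
        if profile != baseline and extra:
            report[profile] = sorted(extra)
    return report

# Constructed sample: same URL, three request profiles (all values hypothetical).
CLEAN = ('<a href="/about.html">About</a>'
         '<a href="https://partner.example/">Partner</a>')
INJECTED = CLEAN + ('<div style="color:#fff;background:#fff">'
                    '<a href="http://spam.example/loans">cheap loans</a></div>')
SAMPLE = {
    "owner_browser": CLEAN,       # what the logged-in site owner sees
    "googlebot_ua": INJECTED,     # response to a Googlebot User-Agent
    "google_referrer": INJECTED,  # response when Referer is a Google results page
}

if __name__ == "__main__":
    for profile, links in cloaked_links(SAMPLE, "www.shop.example").items():
        print(profile, "received extra outbound links:", links)
```

Any profile that appears in the report is receiving links the owner's own browser never sees, which matches the behaviour the site owners in this thread could not reproduce on their own.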


 4:10 pm on Apr 5, 2013 (gmt 0)

this network of hacked sites were all using different CMS

I never saw that before either. So hackers really are getting quite sophisticated and not even focusing on one type of CMS. Keeping ANY software patched up and current becomes even more important.

The site hack I worked with last year was not even on any CMS, it was 1800 hand built html pages. The best we can figure, the hack got in through some standard application software that the hosting business made available as standard on all accounts. The website owner wasn't even using those options for the website, and didn't even realize they were there on the server. But once the hacker had server access, all things became possible.


 4:38 pm on Apr 5, 2013 (gmt 0)

Keeping ANY software patched up and current becomes even more important.

^^^ This, plus I think it also makes a case for going extensionless (or to a "static" .htm / .html extension), stripping all query strings, "double scrubbing" any POST variables, turning any headers that expose underlying technology off or over-writing them with something generic, password protecting or "internal sub-domaining" anything other than visitor necessary pages, and basically making it more difficult for anyone to know what makes a site "tick" from the back end or even access anything other than URLs that don't allow for manipulation if they do figure it out.

Some of that's probably "over the head" of quite a few people, but unfortunately it looks like it's becoming increasingly important to be up on tech and know exactly what everything that allows external access does.

On one of the sites I've been working on I've gone so far as to correct extensions to .html (that's what they've been for years) regardless of what someone types in or links to (extensionless, .htm, .php, .something-else all end up at .html which is Not parsed as php or anything else), stripped all query strings and Forbidden POST request for any URL that does not actually process a form. All forms are also scrubbed heavily and tend to "error and say call us" a bit more easily than most I've seen.
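The request rules described in the post above (every extension corrected to .html, query strings stripped, POST forbidden except where a form is actually processed) can be expressed as a small request filter. This is an added example, not the poster's configuration: the form-handler path is hypothetical, and using a 301 redirect to drop the query string is an assumption about how the stripping is done.

```python
import posixpath

# Assumption: the only URLs that really process a form (hypothetical path).
FORM_HANDLERS = {"/contact.html"}

def canonical_path(path):
    """Map extensionless, .htm, .php, etc. onto the single static .html URL."""
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse ../ and //
    if path == "/":
        return path
    return posixpath.splitext(path)[0] + ".html"

def decide(method, path, query=""):
    """Return (status, redirect_target_or_None) for one request."""
    target = canonical_path(path)
    if method == "POST":
        # POST is accepted only on the exact canonical URL of a form handler.
        if target in FORM_HANDLERS and path == target and not query:
            return "200 OK", None
        return "403 Forbidden", None
    if path != target or query:
        # Wrong extension or any query string: redirect to the clean URL.
        return "301 Moved Permanently", target
    return "200 OK", None

def harden(app):
    """WSGI middleware that applies decide() before the wrapped app runs."""
    def middleware(environ, start_response):
        status, target = decide(environ.get("REQUEST_METHOD", "GET"),
                                environ.get("PATH_INFO") or "/",
                                environ.get("QUERY_STRING", ""))
        if status == "200 OK":
            return app(environ, start_response)
        headers = [("Content-Type", "text/plain")]
        if target:
            headers.append(("Location", target))
        start_response(status, headers)
        return [status.encode()]
    return middleware
```
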


 5:37 pm on Apr 5, 2013 (gmt 0)

They are also hacking into sites to gain links for the resale of pagerank. I followed a hacker that placed hidden links on dozens of pagerank 8 and 9 sites. I reported the hacker to google and months have passed and the sites are still showing pagerank and they are then selling links on their sites. This case involved many high profile sites that were hacked. Multiple people reported it to google. As best as I can tell Google is not investing much time or effort in search, and instead working on more profitable parts of their business.


 7:04 pm on Apr 5, 2013 (gmt 0)

dozens of pagerank 8 and 9 sites hacked? It would be interesting to know those hacked pr9 sites and why they still haven't done anything about it? any clue on what sites are that since it's not possible to post links?


 7:18 pm on Apr 6, 2013 (gmt 0)

dozens of pagerank 8 and 9 sites hacked? It would be interesting to know those hacked pr9 sites and why they still haven't done anything about it? any clue on what sites are that since it's not possible to post links?

Yep. I kid you not. The resulting passed pagerank meant the hackers have over 50 sites that are pagerank 7+. These sites have been reported by dozens of people and even right now they are showing pagerank 7. Many of the hacked sites are corrected now, but the history is still evident using tools like Majestic SEO. Sadly, honest people who don't know any better are going to buy listings or ads from these sites not realizing the pagerank is fleeting, and believing that google values the sites because they assigned a high pagerank.

As Matt Cutts said recently, lots of regular people use the Google toolbar, not just webmasters, so Google does value displaying an accurate reading. Unfortunately, what is said versus what is done doesn't always have a direct correlation. I've heard Matt talking more about hacked sites recently, so hopefully he is on to it, but hard to say after months of no action.

Robert Charlton

 7:54 pm on Apr 6, 2013 (gmt 0)

any clue on what sites are

I'm assuming that the power spammers already are aware of the easiest targets, but I still don't want to draw a highly specific road map. Broadly, though... the sites beyond those running on "common CMS systems", the high PR hacked sites I've seen are most often nonprofits and .edus that are well-linked and highly trusted, but which lack budget and/or knowledge to install security patches and to fix things once they've been hacked. The nonprofits are often set up and staffed by volunteers.

One non-profit that I rely on for information seems to get hacked routinely. I've let them know about it, but it's all they can do to keep the organization going. And, as goodroi notes, with many of these sites it's often "near impossible to convince them [we're] trying to inform them for free and not making a sales pitch."

For those with access to Supporters, this thread might be of interest...

Massive Google Pagerank Exploit
http://www.webmasterworld.com/opengoogle/4541795.htm

Definitely read this Matt Cutts blog post on the problem....

Example email to a hacked site
April 27, 2012
http://www.mattcutts.com/blog/example-email-to-a-hacked-site/

As Matt notes in the blog post, Google can't install everybody's security patches for them. He does provide a list of resources Google has created to help.


 7:34 pm on Apr 7, 2013 (gmt 0)

I started a thread a few weeks ago to ask about the disavow tool, but the gist of my posts in that thread was to explain that my site had received thousands of external hack links similar to those described in this thread. I currently have 8,000 links on my disavow list, mostly from .pl, .ru, and .edu. The strangest part is that some of those hacked pages were appearing for a while in the serps for a competitive financial niche. I haven't checked lately to see if they are still there (mainly above position 100).

The bottom line is, these hacks can rank, and the parasite links inserted may hurt the target if enough are accumulated. I can tell that the hacks in my case came from the same source/network/organization, because they all do a redirect to the same mortgage lead generation page. The fact that Google can't detect the redirect/cloaked content makes this situation even more frustrating.

My thread is here: [webmasterworld.com...]

I definitely hope the next Penguin update takes some of these hacks into consideration. My disavow list was sufficient to get the manual aspect of my penalty revoked; but, I have still seen no ranking improvement after 5 weeks. So much collateral damage is occurring from these large-volume hacks.
