Welcome to WebmasterWorld Guest from 184.108.40.206
Now the site is an authority site, long time number 1, with sitelinks in the serps.
The only affected area is the www.mysite.com/blog directory as that is where the hidden links are.
The blog part is now not showing in serps for site:www.mysite.com/blog but my main part of the site is ok and still number one.
I have filed a reinclusion request after having removed offending links from the header but had to select www.mysite.com as there was no option in webmaster tools to select www.mysite.com/blog.
Question. Should I be worried? I am not bothered about the blog part coming back as it is a minor part of the site anyway. Perhaps I should not have filed the request!
I am not sure if Google sends emails to anyone about their websites -- that would be awesome customer service from any company. This email is probably a fake.
workingNOMAD, besides removing those hidden links did you apply any available security patches for the blog software you use? This might be an important point for reinclusion if applicable.
Scary, isn't it?
[edited by: Marcia at 3:39 pm (utc) on May 8, 2008]
I don't spent a cent on adwords but adsense does feature and has done since 2004.
I do feel a little honoured that Google did not ban the whole domain but just the blog part of the site. As I said before the blog part is not really important and I have been thinking of winding it down anyway.
The email is no fake and the blog has been dropped from the index as they said it would, pretty much within an hour of me reading the mail!
I have updated the security on the blog software too, thanks for the tip though. Just have to sit back and wait now!
The email was sent to two email addresses, one was email@example.com but the interesting one was a free online email account I set up specifically for that website and is only shown in a jpeg format on the site to stop bots etc.
What I am saying is that is cannot have been an automated email.
By the way it came from 'Google Search Quality (firstname.lastname@example.org)'
What's most scary, IMHO, is the fact that such holes exist in open source-software at all, and how uncritically people are using such frameworks on internet-servers with a highspeed backbone.
Sry, this is a bit OT and has nothing to do with google or their mail.
Blogs were supposed to be the "no-brainer" platform for the average non-tecchie to keep an online journal. Unfortunately as the various blogging platforms became widespread, the required level of brains and owner responsibility reached a higher level.
The web sharks smelled money and blogs became an irresistable target. First it was automated links in the comment areas (that brought us to the ugly rel=nofollow mutation) and now we're dealing with parasite hosting.
I'm glad to hear that Google is being helpful, as they can, but no one should depend on that. The issue is probably too widespread for them to email everyone they detect as being affected.
One interesting part of the report in the opening post is that Google did not remove entire domain from the index, only the blog directory. That kind of precision is quite welcome.
joined:Mar 3, 2003
What's so scary? New vunerabilities are found all the time in both opensource and commercial software programs. The scary part for me is that webmasters ignore security warnings and don't upgrade their software.
My site has been hacked twice and both times it was directly attributed to me running a version that had known vunerabilites. That's what happened here too the OP simply ignored an aging portion of their site.
Recently my website was labled as as hosting badware. I have always ran a clean site and have advertised using the Google Adwords program for several years.
Google would only tell me that they see a malicous code on our site, one that I had trouble identifying.
Then yesterday morning I found a code which I thought looked suspect. It was written in a cypher and originally I thought it was just part of the programming behind the site. After looking at the string of code in more detail I realized that it was a cypher, in fact an easy one in which to decode.
Here is the original code:
And here is what I translated it to:
script var str width height style visibility hidden I frame I frame iframe src http://www.example.com.diamond.i.index/php.out - document - write str substring 68-226 str substring 1-68 script
Heres where it gets interesting.
If you were to go to example.com you would see that it was a spoofed Google Analytics site. Google as of last night has been working at getting that site taken down however from what I can discern it has been up for about three months. I have a screen shot of the spoofed Analytics site. It appears it would ask for a users login information and then capture that information before sending the person through to the Google Analytics site.
I don't know if these issues are resolved however they very well may be. It is also possible that other Google Analytics accounts have been breached like ours may have been.
It is ironic that Google flagged our account as providing malicous code and would not assist us other than verify that the code was still on the site and then it turns out that the code led back to a spoofed Google Analytics site. I've yet to hear much back regarding this but it seems interesting that I recieved notification of data loss on the analytics side during the same time this other issue was going on.
I've asked Google if there has been a security breach and will update this thread once I receive a response.
[edited by: Robert_Charlton at 6:35 pm (utc) on May 14, 2008]
[edit reason] changed to example.com [/edit]
We sent an email to [four different addresses at your domain] and a gmail.com address...with a subject line of Removal from Googles index. I believe if you had logged into our webmaster console at google.com/webmasters and proved that you owned [the website], we also would have left a message waiting for you there as well.
The post also contains an example of the kind of detailed information that Google sent - including a long list of the specific hidden text. Now THAT'S helpful.
Matt confirms that Google tries to reinstate hacked sites in a rapid fashion once the problem is fixed. From what he says, it does sound like a "hacked site" flag gets set and then needs to be removed manually, so Reconsideration Request sounds like an essential part of the process.
Google said the site (blog) would be removed for 30 days. They were right, after 30 days the blog has reappeared, true to their word!
As I mentioned I contacted them to say it was the work of a spammer and I fixed the issue by upgrading the blog software.
The only other thing is that the main site, number one for so long, actually dropped to number three in the SERPS for the main keywords.
I am not sure if this is related to the blog part falling out but anyway traffic has not been affected!
A lesson learned.