
Forum Moderators: Robert Charlton & andy langton & goodroi


Possible Hijack has caused almost complete loss of Rankings

     
10:03 pm on Mar 26, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts: 63
votes: 0


Starting March 12th, I saw our Google traffic drop to almost nothing overnight. I started playing detective and found the following in Webmaster tools:

in Diagnostics > Web crawl

Web crawl errors (404 errors) with URLs such as the following:

http://www.example.com/06%23.-IMEI.phtml
http://www.example.com/08800.phtml
http://www.example.com/0x-black-list.phtml
http://www.example.com/1%2F2-open-seals.phtml
http://www.example.com/1-*.avi,-*.wmv.phtml
http://www.example.com/1-6-scale-rc-car.phtml

The full list included over 6,454 404 errors! They seem to have started around Mar 10, 2009.

I also performed a site:example.com search to see indexed pages and found over 1,870 pages (whereas webmaster tools confirms only around 153 pages). After the majority of our pages in the first 10 or so SERPS there are pages such as the following:

www.example.com/requestinfo/hentai%20download%20free%20bittorrent%20.html

that redirects to

spammerdomain.tld/search.php?q=site%3Awww.example.com&said=e&d=10

I am not really sure what has happened but our site (still showing PR5) has lost almost all traction in Google. However, our rankings in Yahoo seem still solid with tons of rankings in the top 5 positions, sometimes multiple listings. We were even stronger in Google before this happened.

Can someone shed some light on what has happened? I am desperate to recover as the phones have literally stopped ringing :(

[edited by: tedster at 12:17 am (utc) on Mar. 27, 2009]
[edit reason] switch to example.com - it cannot be owned [/edit]

12:21 am on Mar 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


I also performed a site:example.com search to see indexed pages and found over 1,870 pages

I'd start right there. Your server must be performing the redirect, so your server has been hacked. Find and fix that problem.

12:23 am on Mar 27, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


This site is hosted by a reputable hosting company...Do I contact them? How do I go about addressing and fixing this?
12:25 am on Mar 27, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


Also, the example.com/redirect-pages.phtml do not appear on the server when I login to the FTP site...

Thanks for the help.

12:39 am on Mar 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


If those urls get redirected when a browser requests them, they are redirected by your server. Check for a hacked .htaccess file, perhaps?

Yes, your hosting company may need to get involved, because you not only want to revert to the un-hacked version of your files, but you want to fix the security hole that allowed the hack to happen in the first place. If it's as simple as someone got your password, then changing your password is the fix. In my experience many hosting companies would like to tell you that and then have the whole thing go away.

But there's a good chance that something about your hosting platform is out of date and recent patches are not yet installed. If you cannot update your server software yourself, then your hosting company will need to do it.
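Added example, not part of the post above: one way to carry out the suggested .htaccess check on a local copy of the site. It flags redirect directives that point off-site and notes when they are conditioned on the visitor's user agent or referrer, which is how a redirect can stay invisible to the site owner. The `SAMPLE` file and the function names are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Directives that can send a visitor elsewhere, and conditions keyed on who
# is asking (crawler user agent or search-engine referrer)
REDIRECT_RE = re.compile(r"^\s*(Redirect\w*|RewriteRule)\s+(.*)$", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample .htaccess, not taken from the thread
SAMPLE = r"""RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn) [NC]
RewriteRule \.phtml$ http://spammerdomain.tld/search.php [R=302,L]
Redirect 301 /old http://www.example.com/new
"""

def scan_htaccess(text, own_hosts):
    """Return (line_no, reason, line) for redirects that leave own_hosts."""
    findings, conditional = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if COND_RE.match(line):
            conditional = True          # applies to the next RewriteRule
            continue
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:
                reason = "conditional off-site redirect" if conditional else "off-site redirect"
                findings.append((no, reason, line))
        if m.group(1).lower() == "rewriterule":
            conditional = False
    return findings

def scan_tree(root, own_hosts):
    """Scan every .htaccess under a local copy of the web root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read(), own_hosts)
            if hits:
                results[path] = hits
    return results
```

Calling `scan_htaccess(SAMPLE, {"www.example.com", "example.com"})` reports only line 5, the referrer-conditioned rule.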

12:47 am on Mar 27, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


And from what I've described above does that seem like the culprit? For my own research purposes, what would this type of attack be called? Is there a general way to protect against this?

If this is resolved, would it be something that we can recover from? Would a reinclusion request be necessary?

Also, as I stated, Yahoo and MSN rankings seem unaffected.

12:55 am on Mar 27, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


OK, just found some files in a folder on the site that were not put there by me. I tried to delete them and they stated:

550 Could not delete package.php: No such file or directory
: /public_html/targetedfolder/badfile.php

What now?

12:58 am on Mar 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Before you can name the hack you've got to find it - then you can describe what happened. Yes, you may need to do a reconsideration request. It can't hurt and it could accelerate your recovery in the rankings.

See this discussion for lots more: How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]. It can always be referenced in the Hot Topics area [webmasterworld.com], which is always pinned to the top of this forum's index page.

1:09 am on Mar 27, 2009 (gmt 0)

Senior Member

joined:Aug 12, 2004
posts:1781
votes: 0


What now is that you go to your host. How did these files get there? How can we prevent this from happening again?

You've obviously been hacked. More likely your server's been hacked and you just happened to be in the wrong place at the wrong time.

Make them fix it or find better hosting.

1:11 am on Mar 27, 2009 (gmt 0)

Senior Member

joined:Aug 12, 2004
posts:1781
votes: 0


In fact I'd go ahead and lose that host anyway...
1:30 am on Mar 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3547
votes: 19


Try changing the name of the folder so the path is broken
1:44 am on Mar 27, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


Calling them now! Thanks...

Can someone tell me what causes Google rankings to drop if my landing pages that have ranked so well for ages are still "relevant" to the search query? Is it a penalty of some kind for linking to spammer sites?

2:06 am on Mar 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


That's a good assumption.
3:29 pm on Mar 31, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


update: a script was installed somehow in a folder on our site that caused Google to see us with spammy redirects. We cleaned them up, tightened the chmod settings and I submitted a removal request to remove this folder from index (it's only a form, not a landing page).

Now our rankings are toggling between the positions we had and #9 or further. How long should I expect these alternating, almost daily fluctuations? Should a reinclusion request be submitted, or is that overkill at this point?
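Added example, not part of the original post: a Python audit along the lines of the cleanup described above, listing world-writable entries and script files changed since a cutoff date so the permissions can be tightened and unexpected files reviewed. The sample tree, the `SCRIPT_EXTS` list and the function names are constructed assumptions; the cutoff uses the Mar 10, 2009 date from the first post.

```python
import os
import stat
import tempfile
import time

SCRIPT_EXTS = (".php", ".phtml", ".cgi", ".pl")   # assumed set of executable types

def audit_webroot(root, changed_since):
    """Return sorted (path, problem) pairs for entries under root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # do not follow or judge symlinks
            if st.st_mode & stat.S_IWOTH:     # any local account can write here
                findings.append((path, "world-writable (%o)" % stat.S_IMODE(st.st_mode)))
            is_script = stat.S_ISREG(st.st_mode) and name.lower().endswith(SCRIPT_EXTS)
            if is_script and st.st_mtime >= changed_since:
                findings.append((path, "script changed since cutoff"))
    return sorted(findings)

def drop_world_write(path):
    """Clear only the world-write bit and return the resulting mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH
    os.chmod(path, mode)
    return mode

def build_sample(cutoff):
    """Constructed tree: a form folder left at 777 with a newly added script in it."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, "requestinfo")
    os.mkdir(folder)
    os.chmod(folder, 0o777)
    for rel, age in (("index.php", -86400), ("requestinfo/package.php", 86400)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
        os.chmod(path, 0o644)
        os.utime(path, (cutoff + age, cutoff + age))
    return root

if __name__ == "__main__":
    cutoff = time.mktime((2009, 3, 10, 0, 0, 0, 0, 0, -1))  # date the 404s began
    for finding in audit_webroot(build_sample(cutoff), cutoff):
        print(finding)
```

A script whose timestamp was reset by an intruder will not trip the date check, so comparing the tree against a known-good backup remains the stronger test.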

3:36 pm on Mar 31, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


If you found and cleaned up a server hack - and took steps to prevent future hacks - I would definitely submit a reconsideration request and include those details. It can't hurt, and it may speed your site's recovery.
5:20 pm on Apr 1, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 22, 2005
posts:63
votes: 0


Done, will keep you posted of the time frame for recovery.