Welcome to WebmasterWorld Guest from 54.162.93.137

Message Too Old, No Replies

Possible Hijack has caused almost complete loss of Rankings

     
10:03 pm on Mar 26, 2009 (gmt 0)

5+ Year Member



Starting March 12th, I saw our Google traffic drop to almost nothing overnight. I started playing detective and found the following in Webmaster tools:

in Diagnostics > Web crawl

Web crawl errors (404 errors) with URLs such as the following:

http://www.example.com/06%23.-IMEI.phtml
http://www.example.com/08800.phtml
http://www.example.com/0x-black-list.phtml
http://www.example.com/1%2F2-open-seals.phtml
http://www.example.com/1-*.avi,-*.wmv.phtml
http://www.example.com/1-6-scale-rc-car.phtml

The full list included over 6,454 404 errors! They seem to have started around Mar 10, 2009.

I also performed a site:example.com search to see indexed pages and found over 1,870 pages (whereas webmaster tools confirms only around 153 pages). After the majority of our pages in the first 10 or so SERPS there are pages such as the following:

www.example.com/requestinfo/hentai%20download%20free%20bittorrent%20.html

that redirects to

spammerdomain.tld/search.php?q=site%3Awww.example.com&said=e&d=10

I am not really sure what has happened but our site (still showing PR5) has lost almost all traction in Google. However, our rankings in Yahoo seem still solid with tons of rankings in the top 5 positions, sometimes multiple listings. We were even stronger in Google before this happened.

Can someone shed some light on what has happened? I am desperate to receover as the phones have lieterally stopped ringing :(

[edited by: tedster at 12:17 am (utc) on Mar. 27, 2009]
[edit reason] switch to example.com - it cannot be owned [/edit]

12:21 am on Mar 27, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I also performed a site:example.com search to see indexed pages and found over 1,870 pages

I'd start right there. Your server must be performing the redirect, so your server has been hacked. Find and fix that problem.

12:23 am on Mar 27, 2009 (gmt 0)

5+ Year Member



This site is hosted by a reputable hosting company...Do I contact them? How do I go about addressing and fixing this?
12:25 am on Mar 27, 2009 (gmt 0)

5+ Year Member



Also, the example.com/redirect-pages.phtml do not appear on the server when I login to the FTP site...

Thanks for the help.

12:39 am on Mar 27, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If those urls get redirected when a browser requests them, they are redirected by your server. Check for a hacked .htaccess file, perhaps?

Yes, your hosting company may need to get involved, because you not only want to revert to the un-hacked version of your files, but you want to fix the security hole that allowed the hack to happen in the first place. If it's as simple as someone got your password, then changing your password is the fix. In my experience many hosting companies would like to tell you that and then have the whole thing to go away.

But there's a good chance that something about your hosting platform is out of date and recent patches are not yet installed. If you cannot update your server software yourself, then your hosting company will need to do it.

12:47 am on Mar 27, 2009 (gmt 0)

5+ Year Member



And from what I've described above does that seem like the culprit? For my own research purposes, what would this type of attack be called? Is there a general way to protect against this?

If this is resolved, would it be something that we can recover from? Would a reinclusion request be necessary?

Also, as I stated, Yahoo and MSN rankings seem unaffected.

12:55 am on Mar 27, 2009 (gmt 0)

5+ Year Member



OK, just found some files in a folder on the site that were not put there by me. I tried to delete them and they stated:

550 Could not delete package.php: No such file or directory
: /public_html/targetedfolder/badfile.php

What now?

12:58 am on Mar 27, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Before you can name the hack you've got to find it - then you can describe what happened. Yes, you may need to do a reconsideration request. It can't hurt and it could accelerate your recovery in the rankings.

See this discussion for lots more: How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]. It can always be referenced in the Hot Topics area [webmasterworld.com], which is always pinned to the top of this forum's index page.

1:09 am on Mar 27, 2009 (gmt 0)



What now is that you go to your host. How did these files get there? How can we prevent this from happening again?

You've obviously been hacked. More likely your server's been hacked and you just happened to be in the wrong place at the wrong time.

Make them fix it or find better hosting.

1:11 am on Mar 27, 2009 (gmt 0)



In fact I'd go ahead and lose that host anyway...
1:30 am on Mar 27, 2009 (gmt 0)

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Try changing the name of the folder so the path is broken
1:44 am on Mar 27, 2009 (gmt 0)

5+ Year Member



Calling them now! Thanks...

Can someone tell me what causes Google rankings to drop if my landing pages that have ranked so well for ages are still "relevant" to the search query? Is it a penalty of some kind for linking to spammer sites?

2:06 am on Mar 27, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That's a good assumption.
3:29 pm on Mar 31, 2009 (gmt 0)

5+ Year Member



update: a script was installed somehow in a folder on our site that caused Google to see us with spammy redirects. We cleaned them up, tightened the chmod settings and I submitted a removal request to remove this folder from index (it's only a form, not a landing page).

Now our rankings are toggling between the positions we had and #9 or further. How long should I expect this alternating, almost daily fluctuations? Should a reinclusion request be submitted, or is that overkill at this point?

3:36 pm on Mar 31, 2009 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If you found and cleaned up a server hack - and took steps to prevent future hacks - I would definitely submist a reconsideration request and include those details. It can't hurt, and it may speed your site's recovery.
5:20 pm on Apr 1, 2009 (gmt 0)

5+ Year Member



Done, will keep you posted of the time frame for recovery.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month