Is this a possible hack? - Google Search and SEO forum at WebmasterWorld - WebmasterWorld

Forum Moderators: Robert Charlton & goodroi

Message Too Old, No Replies

Is this a possible hack?

tessmac

10:30 am on May 28, 2010 (gmt 0)

10+ Year Member

We have been having problems for a while now ( 3 weeks ) with loss of rankings. Setting aside the MayDay issues I have been looking for possible problems with our site with regards to a possible penalty.

It all started with 100's of links being posted on dodgy forums using the query string mysite.com/?word-word-word. This caused G to actually index the fake url and we have 100's of backlinks to what is effectively the index page. While we have now resolved that problem Tedster suggested that we may have a hack. I have checked via fetch as googlebot, and cant seem to find anything, although apart from something blatant like a url which shouldnt be there, I am not sure what I'm looking for.

Today I decided to check my referer logs.

I have this line : 115.118.***.182 - - [27/May/2010:13:07:54 +0000] "GET / HTTP/1.1" 200 41868 "http://www.verydodgysite.ms/" "-"

Can anyone tell me what this means..is this a sign of a hack...the verydodgysite in question sells a certain medication.

[edited by: tedster at 6:34 pm (utc) on May 28, 2010]
[edit reason] obscured the IP address [/edit]

tedster

6:33 pm on May 28, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

That line from your logs shows your server getting a request for a different domain name. That really shouldn't happen, even if you are on shared hosting.

It does seem to point to a hack, but not a hack of your pages. It would take a DNS hack of some kind, in fact, or at the very least a DNS configuration error. See DNS Cache Poisoning [webmasterworld.com] for some information.

I'd say contact your web hosting and figure out what that's all about. A new IP address might be in order, or a new DNS service or a new hosting service altogether.

apart from something blatant like a url which shouldnt be there, I am not sure what I'm looking for.

That would be exactly the kind of thing you're looking for when you "Fetch as googlebot". Also, check for an unfamiliar iframe in the source code (often at the bottom).

I'd also try the site: operator for any URLs that aren't pages you built. Same thing with any new funky backlinks you can spot - since hackers change pages and then try to promote their parasite content.

leadegroot

9:31 am on May 29, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

The log line looks more to me like a referral - I get hundreds of these everyday. I assume they are hoping for one or both of: a) public logs, so they get a free link & b) the webmaster's interest to click through to see who is linking to them.
So - probably just a faked referral.

If "fetch as googlebot of the mysite.com/?word-word-word page doesn't show anything special then I wouldn't worry particularly about hacking - its equally possible they are just trying to ruin your rankings.

tessmac

4:02 pm on May 29, 2010 (gmt 0)

10+ Year Member

If "fetch as googlebot of the mysite.com/?word-word-word page doesn't show anything special then I wouldn't worry particularly about hacking - its equally possible they are just trying to ruin your rankings.

Well that has in fact happened.

I take it G is looking at this page as both a keyword stuffed url ( each word-word-word is the same ) and also a duplicate content issue as the page displays the index page but with the query string in the url.

tedster

7:38 pm on May 29, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

probably just a faked referral

On second look, yes that is probably right. Normally there would be a filepath immediately following the GET that displays the requested URL on your server - and that's what I thought I was seeing on first look.

leadegroot

10:32 pm on May 29, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

The first obvious steps would be to return a 404 for the mysite.com/?word-word-word page, no matter how much work you have to do to set it up.
(I think in this case a 404 would be better than a 301 to the correct URL - you want to disavow the links, rather than redirect them.
I would give that awhile - at least 2 crawl cycles - and if its still an issue try a reinclusion request, specifying that the links to the mysite.com/?word-word-word page are unknown to you.