Hi smb111, and welcome to WebmasterWorld.

Just by chance, earlier today I saw a post in Search Engine Roundtable where Barry reports something which sounds very similar. As Barry reports it, the sites are hacked and content substituted to another site using iframes....

A hacker hacks some website (let's call it "website A" - the website that is hacked) and he puts there subpages with copies of our (Polish webmasters') websites (let's call my websites as "website B"). The copies are put into an iframe. We (owners of "website B") are not hacked by him, he just copies code of our website and puts in the iframe on "website A". Now, the problem is that Google algorithm in many cases considers the malicious copy put by hacker on website A as THE ORIGINAL and the website B (our website which is the original) disappears from Google results.

We'd need more description from you to tell if this is the kind of hijacking you're experiencing. Here's the thread....

Google Investigating Polish Hacker Who Is Stealing Webmaster Rankings
Feb 8, 2016 - Barry Schwartz
[seroundtable.com...]

You might have to use 'view as Googlebot' to see if any changes were made in your site, as I'm assuming they would have been cloaked for Google only, to avoid easy manual detection.

Barry refers to a discussion in Polish Google Webmaster Help, and nothing is in English, but there is a translation toggle on the page (a weird icon that looks like an X/A in a blue-grey circle, that eventually gets to English). Here are translations of two paragraphs I copied. These translations always have a certain charm, and I think are decipherable....

2.5 we wrote a lot of text. It turns out that in some way, this nasty man created "something" that pretends our site and Google for it grabs and throws our content from search results.

Our content / subpage was replaced hack subsites in Google! And when you come from the presence in Google, you will see a malicious website which earns a hacker, but can not see our content. And this type of pages is at once more.

I assume your stuff isn't in Polish, but you need to see if the described techniques fit what you're experiencing. We don't accept spam reports with specifics on WebmasterWorld... those need to go to Google, best through your WMT... and I assume that Google needs all the details it can get to track these down.

I haven't seen a hijack like this in years. There was a time when they were extremely common, and we all thought that they were gone forever. In the old days, it was my experience that it took a high PageRank domain with a large PR advantage to pull off a hijack like this. I'm interested in what you're seeing, and whether what you're experiencing fits with Barry's description.

It may of course be something else entirely. Please keep us posted. I'm very curious about what's happening.

Hi Robert,
thank you for taking the time to reply.

I am not sure if the issue I have is exactly as you have described. I have spoken a few people with more experience than I, each saying that they cannot fathom exactly how they have done what they have done.

[edited by: Robert_Charlton at 8:35 pm (utc) on Feb 9, 2016]

smb111 - It's difficult to help without a more thorough description of what you're seeing. Possibly, your site has been hacked. Here are some basics on hacking...

Understanding hacked sites that rank in Google
April, 2013
https://www.webmasterworld.com/google/4561487.htm [webmasterworld.com]

Google launches new tool to identify site security issues
Oct 31, 2013
http://www.webmasterworld.com/google/4620501.htm [webmasterworld.com]

If your site hasn't been hacked, conceivably, your problem may be hijacking by a 302 redirect, again something that we once assumed had been cleared up. A clearer description of whose content and whose url you're seeing under what circumstances would be very helpful... exemplified urls, of course.

I'm pressed for time right now, but you might do a site search here, for something like...
[302 hijacking site:webmasterworld.com]

From the above search, I see that this is one of the more recent threads that covers a range of the basic hijacking possibilities...

Scraped? Hijacked? Cloaked? Google throwing a wobbly? How to Solve?
Jan 2015
https://www.webmasterworld.com/google/4729635.htm [webmasterworld.com]

add one thing here check your htaccess file !

Hi
The htaccess is fine ... as indeed the site appears to be. It looks as though everything has happened externally.

When I type "mysite.com" into search the offending site returns first with my sites snippet and the title of my site. When you clickthrough it goes to badsite.com/404-Not-Found.html with a default 404. They havent even bothered hosting a domain anywhere.

Thanks Robert I will check that out.

When I type "mysite.com" into search the offending site returns first with my sites snippet and the title of my site.

smb111, thanks for the additional information, which helps. As you initially described the problem, it sounded like the site might have been hijacked. The additional information makes me believe that this is most likely not a hijacking... though that's not a possibility one could yet rule out completely.

When a site doesn't rank for its own domain name, that's generally an indication that the domain has been heavily penalized, or close to it. It's possible also that Google may not be seeing a site for technical reasons, or that it's been hacked, etc.

What replaces a site in the serps under such circumstances is also generally a separate issue.

Regarding the status of your site with regard to Google, we don't have much to go on with regard to your site's history, how well it's been doing up until now, etc. I see two generally scenarios likely...

a) If the site has been performing well up till now, it conceivably could be that someone mounted a very heavy negative SEO attack, enough to get the domain penalized, and also put up a temporary page or pages to catch traffic. IMO extremely unlikely, but possible.

b) Or it may be that your site was marginal, and penalized by Google, and that the replacement you are seeing is a crappy scraper "domain-name review directory". I've seen this latter pattern fairly often. (Again, hacking is also a possibility).

In your case the directory itself is perhaps also disappearing from the serps and thus the 404s. I can only guess, but I think it's coincidental. It could also be a hacker hiding its tracks.


About these scraper directory sites...
These scraper review sites purport to be reviewing domains, and pull chunks of content from key areas of the "reviewed" site that are most likely to rank (short term, anyway).. title, description, keywords, text at top of page, etc. They usually only rank for rarely searched items like exact domain names, quoted content, longtail keywords, etc. You most likely won't see them rank in competitive search for money terms.

Generally, also, they can only rank if the site with the original content has been penalized or disabled. When Pandalized members report that other sites are ranking for their content, this is almost always what they're seeing... and this is why I'm going into such detail now.

I should add that if a high quality established site got turned off long enough for it somehow to disappear from the Google serps, there would generally be enough references to the domain from other high quality sites that these references would rank above the scrapers.

There might be much more going on than what I'm describing, but these are the clues I'm using. If your site has been a well-performing domain, hacking may be more likely.


For background on Google penalties, now called "manual actions" (as opposed to algorithmic down-rankings), I suggest you look at this Google support page...

Manual Actions - Google Support
[support.google.com...]

The page includes a short Matt Cutts video, definitely helpful here. As Matt explains, Google will remove a site for spam, legal reasons, or for security issues.

The support page also adds...

(If your site’s ranking is impacted by a manual spam action, we'll also notify you in the Message Center in Search Console.)

This suggests that you should be able to check your penalty status, to some degree anyway, online.

Hi Robert

I am almost positive there is not a penalty, I have suffered penalties in the past both of my making and from negative seo. The rankings still exist .. but its not my site that is ranking, its the scraper site that is replacing it.

For example;

In google search results, the page title on the offending URL is - Useful Widgets | Mydomain.com. It contains exactly my snippet but the URL is the offending domain. The offending domain just returns a 404 when clicked.

What this scraping site is doing can be clearly seen when I use [testuri.org...] When I add the offending domain which is copying my content into the search box and I select any browser as user agent, I get a 404 error. But when I change the User Agent to googlebot, I see the source code from my site. So it's showing different content to google and the user.

I imagine they have then done a very crafty redirection because my original pages are slowly being deindexed by google and replaced by the copying domain. I can see new pages from my website being deindexed from webmaster tools every day.

I am almost positive there is not a penalty

smb111 - From your current description, I agree, and I believe it describes a cloaked redirect/hack or hijack of some sort. That may be good news and bad news. Let's see if we can sort out your description to see if it reflects how the serps are behaving.

You say...

When I add the offending domain which is copying my content into the search box and I select any browser as user agent, I get a 404 error. But when I change the User Agent to googlebot, I see the source code from my site. So it's showing different content to google and the user.

The 404 indicates that the "directory" site is set up to avoid normal manual inspection... and if you just enter the url in your address bar, that site you bring up should also get a 404, as it's not the content that's been fed to Googlebot... but is the content the hijackers want to disappear. (smb111, this is what I derive from your description. I hope it matches your experience).

The only user agent that will see your content is Googlebot... and when these cloaked copies of pages show up in the Google serps, clicking on them should also take the user to that content, which may be either...
- a hijack of your entire site...
- or copies or sections of selected pages.

I'm not a security expert by any means, but top-of-my-head thoughts here are...

...whether it's the entire site or just scraped pages might be an important clue to what the hacker is doing. Ditto, whether your pages are seen in their entirety, or modified in some way, could also be an important clue.

Another aspect of this, btw, is whether your site is an ecommerce site of any sort, as conceivably the hacker/hijacker's business model might be to go after private user information, or they could be spreading malware, or whatever. These aren't nice people.

Also, is your site dynamic or static... and is the hijacked content a dynamic reflection of your pages? Or is it a static scrape job? What is your CMS?

Note that if it's your live content that's appearing on the hijacker's site, then it's not simply some scraped content that's being outranked, but it's your whole site that's been hijacked/redirected in some way. I'm guessing that may be the case, particularly as you're seeing pages disappearing on an ongoing basis.

You've said you think your .htaccess and your site "appears to be fine"... and I'm not in a position to argue that, but something at your end is preventing Googlebot from indexing your site. At least check your onpage code with view as Googlebot.

Beyond that, if the whole site has been hijacked, then it may be that either your server or your CMS has been hacked... or, very possibly that your DNS has been hijacked. Definitely have a chat with your hosting company.

Check for dns vulnerabilities by running a dns report on dnsstuff.com...

Also, check WMT for messages about hacking from Google, and check Google's help site...

Webmasters help for hacked sites
https://www.google.com/webmasters/hacked/ [google.com]

I believe in SE Roundtable's article I cited in my first post above, there's a mention of where to report this specific problem in Google. While this may not be exactly the same, I'm suspecting that perhaps a common issue with the Polish example may be some sort of DNS hijacking... and that whether the stolen content is then iframed or cloaked may simply be hacker's choice at the payload end.

Please keep us posted. I do have to bow out of this for a while, but I hope others will jump in if need be.

Hi Robert,

To describe very concisely here what I'm seeing without posting specifics, "mysite-dot-com" is being scraped and replaced by "badsite-dot-com".

50 pages of my site have been de-indexed as google thinks the original come from the offending site.

Entering "www.mysite*com" into the Google search box (with a dot instead of a "*") returns the offending site but with my snippet. It is 404 page, by google is seeing my content.

I hope I am ok posting this URL.
This can be clearly seen by using [testuri.org...]

If I add one of my duplicated pages into the search box I get a 404 error. But change the User Agent to googlebot and you will see the source code from my site. So they are showing different content to google and the user.

Hi,
I am just seeing this thread now. Was it resolved? I am being impacted as well by a proxy hack. I used the google webmaster forum to report it to an SEO expert there. There are at least 2 other examples in the google webmaster forum.
Thanks
Jon

Use this tool to visit your site as Googlebot. Be sure to use the dropdown menu to choose the Googlebot user agent.
http://web-sniffer.net/ [web-sniffer.net]

That tool will help you identify if your site is redirecting Google to another site. It doesn't redirect regular browsers, only Google. The symptom of that kind of attack is a de-indexing of URLs.

Good luck,

mb

Hi Martin,
its a bit of complex one. When you enter my own site into the sniffer tool - it returns 200 ok. So there is no redirection going on it would appear from my site. So the puzzle is how is the scrapping website managing to steal my content and replace my site isn the SERPS.

Do your site and the offending site use the same DNS? This is easy to find out using free tools.

Hi Lucy
no its not the same DNS

Please forgive rushed reply here...

As joncmac suggests, this appears to be a proxy hijack. As I understand it, a user agent pretending to be Googlebot can take over your position in the serps. Though Matt Cutts at Google offered a way to validate Googlebot many years ago, it's been a recurring problem for reasons that go beyond my level of expertise. It has been a while, though, since we've seen so many of these reported.

We had a bunch of discussions on this was some years ago which involved, among others, tedster, jdmorgan, and incredibill. Also, check out other references in this thread....

Proxy Server URLs Can Hijack Your Google Ranking - how to defend?
June, 2007
https://www.webmasterworld.com/google/3378200.htm [webmasterworld.com]

For the record, smb111 and I have exchanged stickies... and while the situation was as he reported it, it has seemed to be in a state of evolution, which has made commenting on the symptoms extremely difficult. I also had only partial understanding of the cause.

This is not a scraping of content, albeit it initially appeared to be, as the error page on which smb111 reported seeing his content when viewed as Googlebot did in fact show his content, and with his rel canonical link removed. This suggested manual scraping.

What I couldn't figure out, though, was how scraping by itself could manage to replace his apparently excellent site in the serps, which is why I asked about penalties, etc. A dnsreport showed no problems.

As tedster in the thread above describes the situation, what we're talking about here...

(is) not about someone directly hijacking your traffic through some kind of DNS exploit. You're also not talking about someone strealing your content, although that can play into this picture at times.

Instead, you are talking about a proxy domain that points to yours taking over your position in the SERPs, sometimes a position that your url has held for a long time....

Worth noting that, at the moment, the problem appears to be clearing up on some of smb111's pages... and also that view as Googlebot no longer shows his page's source code.

Not clear was the motivation... as I couldn't see that the hijacked pages were being used to siphon traffic to an audience that could view it. Possibly, it was simply negative SEO, but I'm not sure that model scales. Many other small details, I should add, didn't really make sense... like the 404 wasn't a real 404, but did give a 404 response... and I assume it was one more level of obfuscation.

joncmac, thanks for providing an important bit of input. I didn't see any iframes, as described in the Polish exploits, at all.

joncmac, please be careful posting links. Visiting that hacked website triggered an antivirus block for malicious software downloads. Without a good AV, some may get infected if they visit that site.

Mods note:
Unfortunately we had to remove the post by jomcmac which gave an example of Google ranking a site that scraped the original content as we cannot out sites nor post specifics for these kind of cases. And glakes is correct in warning about malware.

However, I had a quick look and as it is an interesting example, I will try to describe this here without mentioning identifying details.

The page was cloaked to both, the visitor and to Googlebot.

- The page with stolen copy is served only if the user agent is Googlebot.
- Googlebot then ranked this page above the original (why this was ranked better - who knows. Maybe the spammer even pointed some links to it, internal or external - I have not analysed this).
- So the SERPs now ranks the stolen copy above the original. When the URL with stolen copy is then clicked upon from SERPs, the visitor is 302 redirected to the spam page, but this happens ONLY if there is a referrer (I have not checked if it can be any referrer or referrer has to be Google SERPs).
- If the page is accessed directly (no referrer), the server responds with 404 Not Found - giving the impression the stolen content has been removed for anybody that would check this in any other way than accessing the page from SERPs.

To follow up aakk999's helpful post, I should repeat a comment I'd posted earlier in this thread, emphasis now added...

...conceivably the hacker/hijacker's business model might be to go after private user information, or they could be spreading malware, or whatever. These aren't nice people.

I should have emphasized this more strongly and should have repeated the thought in my last post. I'm repeating it now.

This possibility has since been confirmed by glakes, who spotted a malware download. Again, we do not post specifics here, especially in this kind of situation, for everybody's protection. This is an example of why.

Also worth noting, as aakk9999 points out, there are multiple scenarios possible in the delivery of the "payload", and different types of sites are used.

In the situation that smb111 had reported, the domain "badsite-dot-com" was under private registration to a registrar that harbors a substantial portion of domains that engage in domain squatting and in criminal activity on the web. It's likely that there are multiple networks of these sites under private registration... and it's going to be fruitless to try to file DMCA reports with these registrars.

In other examples that joncmac had posted elsewhere and which, for similar reasons, we could not publish here, the sites he mentioned as carrying the payloads were themselves victims of proxy hijacking.

Please... we are not Google and we are not a conduit to Google. Our Google SEO News Forum Charter [webmasterworld.com...] describes four (4) ways of contacting Google, which are all more efficient than anything that could be accomplished here.

I should add that I'd posted a comment on the SE Roundtable discussion linked to above asking for an English language contact for submitting reports on this problem... and I included a link to this thread.

Additional on fixing the problem at your server below.

Again, I suggest also reading the Proxy Server Hijack thread [webmasterworld.com...] noted above, and following up the included references.

It's very likely that, however different the payloads have been, proxy hijacks have been the method that's being used to allow these sites to hijack your rankings, and there are ways of fixing the setup on your server.

From the thread....

The most fool-proof and low-maintenance method to validate Googlebot requests is to do a double reverse-DNS lookup on the IP address requesting as Googlebot; If the IP address points to a Google hostname, and looking up that hostname then returns the original IP address, then it is legitimate Googlebot request.

This is the method recently recommended by Google in their Webmaster help -- doubtless due to this very problem.

However, some servers are configured such that the Webmaster cannot do rDNS lookups. In that case, just using a simple list of the IP addresses that Google usually crawls from is a viable solution -- IF you keep a sharp eye out for Google changing or adding to the list of IP addresses that Googlebot uses to crawl.

PS: In my experience, you cannot configure rDNS lookups on a shared server. Perhaps others can jump in and describe the considerations involved.

Google Webmaster Tools can give you a bit of insight on this too. Go to your backlinks sections and at random visit a few of the linking pages. If you see some new backlinks that return 404 switch the referrer to be google(plugins about for this) and look again or check the archived copy on something like the wayback machine.

The pages show up as having linked to your site because they didn't properly strip out your internal links.

While this is not a foolproof method, in fact it will only catch lazy thiefs, it can help you find some of the nasties who fool Google. Also, I'm seeing a version of this type of content rankings theft involving a popular free CDN when used on a site in a shared hosting environment. They intentionally misconfigure their own DNS so that their site resolves to another in the shared environment but, using the CDN, manage to rank for the content of the other domain. I have no clue how, but I see it happening so...

I have a couple of guys that are far more intelligent than I working on this and trying different things. I will report back with any news or developments

I have 5 sites affected now that I know of, 2 have been reduced to zero traffic, two are slowing being deindexed and one is the way. There is one slight piece of good news in that on of the sites that were reduced to zero, one or two keywords have come back - this may be just a fluke though.

This is now happening in the usa google search results 101%. Apparently a polish hacker is hijacking the google search results, wow.... here is our research/proof:

<snip>

Wish we had a fix.... This can happen to anyone it seems..

Regards,


Mod's note: Removed link, as situation is unresolved at the Google forum end, the links are potentially dangerous. All this establishes is that there's another report. Again, we are not Google and we're not dealing with specific hacked sites.

PS: We are also going around in a circle, as the Polish hacking was the first thing I mentioned in this thread. Please read from the top down.

[edited by: Robert_Charlton at 12:47 pm (utc) on Mar 2, 2016]

Explanation of removed link above. We don't need more examples... and again, please no specifics. Further specifics will be removed without comment.

There is a fix, and it requires using rDNS or a white-list to validate Googlebot. See thread(s) on topic that have been suggested above.

PS: Barry at SE Roundtable has a follow-up report, and suggests posting information on the Polish thread, where . There's one post at the end of the Polish thread in English which will help orient you to what and where you should be posting. Again, please do not post examples here.

Google Spam Squad On Polish Hacker's Trail Over Vapor URLs
Feb 11, 2016 - by Barry Schwartz
[seroundtable.com...]

Google's Michal Wicinski posted an update in the thread this morning basically saying that the Google team who handles this sort of hacked spam is now on the case. He wrote, based on Google translate, "the team which is responsible for this part of the search engine looks at the problem." //
He did ask for webmasters to help and give more examples:

If you notice other examples Twoch replacement pages for the benefit of the parties, which compromised the examples in the form of vapor URL {URL of your page that disappeared - URL of the page with burglary} will be most helpful and speed up finding a solution.

@robert thank you.. We've already posted our research/proof in the polish thread....Google's Michal Wicinski response seems to be from 02/05/16, not this morning. Sorry for posting the examples above, we didn't realize this was an issue.

We've taken advice from above refernces and added base href and blocked the domain/ip in htaccess. Unfortunately we're on shared hosting and cannot rDNS.... Lastly, we've reported the issue to Google Webspam via the webspam link...

glutimax, thanks for getting back to us. With regard to your "proof" posted, proxy hijacking is a problem that's been going on for many years. Not clear why it's resurfaced just now, except maybe sometime has redeveloped the practice as a business model, or people simply forgot necessary precautions.

We've taken advice from above refernces and added base href and blocked the domain/ip in htaccess. Unfortunately we're on shared hosting and cannot rDNS

From what I remember from old discussions on this, and remember that I am not an IT specialist, there is a problem with simply blocking the domain/ip address... and that is that the hijacker can easily change IPs.

If you are on shared hosting and can't use rDNS, then probably an IP whitelist for Googlebot is a better way of managing this... though the list would require ongoing maintenance. I haven't looked into this, though, but that was jdmorgan's suggestion, which I trust a lot, and is the reason I quoted the passage I did.

Again, I suggest reading that discussion and other references suggested in the thread. Please report back, and thanks again.

I wonder if this is somehow related to the method being used by top1-crapseo to get his domain name into everyone's adsense reports.

[edited by: Robert_Charlton at 12:10 am (utc) on Mar 4, 2016]
[edit reason] Anonymized example domain [/edit]

@JS_Harris - I am guessing they are doing it to generate affiliate click money. The search engine result that is hijacked for our brand name goes to a VERY BAD page in a sub-directory of a root domain. When you search for this root domain @ google, google does have a link under the title saying "this site may be hacked".

I will need assistance with an "IP whitelist for Googlebot" and am looking for hire consultation as I've gotten nowhere much it seems =(

I wish I could show you guys my google webmaster forum thread, it is very detailed...


Regards,