Website Hacked - Where Are Spam Pages?

Hacker created new pages on site, can't find them, how to delete them?

     
12:50 am on Jun 22, 2010 (gmt 0)

5+ Year Member



Noticed in Google Webmaster Tools a bunch of pages on my site that I didn't create. When I click on the link, the page comes up and the URL still lists my site. However, I cannot find the page in the directory on my server OR in my database. All links on the new spam pages are relative, so the links just go to more spam pages on my site.

I see about 15 pages in Google Webmaster Tools (showing as having too short of meta descriptions), but I have no idea how to find them all.

1) How do I find out how these pages are being parsed? Since the pages don't exist in the directory, they're obviously being redirected somehow... but where is the source code?

2) How do I block the spammer?

3) What the heck is going on?!?

Thanks in advance everyone.

2:09 am on Jun 22, 2010 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Try using the "Fetch as Googlebot" feature in GWT.
Perhaps that will expose something or at least give you some clues.

2:50 am on Jun 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Check your htaccess files for redirects or includes, change your passwords and check your logs to see if you can spot when the hack took place. That might help you spot how your site was hacked.

Also check with your host, maybe someone else's site was hacked which let the hacker gain access to more sites on the same server. Not much you can do about that but at least you will know if your site is secure on its own.

4:46 am on Jun 22, 2010 (gmt 0)

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you are on shared hosting, the hacker could have inserted code in the central httpd.conf file which adds malicious links to all sites which are served by that server. In that case you won't find the pages on your site. Your host can check if something is wrong in their central config file. If the pages are on your site, they may also be able to find out how the spammer created them. Informing your host about the spam issue is therefore a good thing to do.

8:59 am on Jun 22, 2010 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Noticed you said "database": run a check on meta descriptions in your database for length to find the "short ones".

12:15 pm on Jun 22, 2010 (gmt 0)

5+ Year Member



In addition to the other advice you've received, the pages are sometimes put into the site in encoded form.

Try searching the source code of your pages for the string "base64_decode".


"When I click on the link, the page comes up and the URL still lists my site. However, I cannot find the page in the directory on my server OR in my database."

"Since the pages don't exist in the directory, they're obviously being redirected somehow."

If the URL still shows your site, it may be that the requests are being rewritten (a different page served than the one requested, without informing the visitor's browser that this has been done) rather than redirected (which sends a message BACK to the visitor's browser to please request the different page).

The question is whether the bad pages are inside your site or whether visitors are being redirected. The circumstances seem to suggest that the bad pages are hidden in your site somewhere.

For further investigation, the Firefox add-on called Live HTTP Headers will show you in real time whether any actual redirects (301, 302) are occurring.

If you turn off JavaScript, that would make it impossible for window.location (document.location) code to do a redirect. That is, if you go to a page and get redirected, but when you turn off JS, you *don't* get redirected, it means that redirect was being done with JS, though I tend to doubt that's the case here.
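
An added example, not part of any post in this thread: a small Python scanner that applies the checks suggested above to a local copy of the web root, flagging `base64_decode` in page source and rewrite, redirect or include directives in `.htaccess` files. The names `scan` and `build_sample` are hypothetical, the sample site is constructed, and reading "includes" as PHP `auto_prepend_file` / `auto_append_file` settings is an assumption.

```python
import os
import re
import tempfile

# Source files: the encoded-payload marker named in the thread.
SOURCE_PATTERNS = {"base64_decode": re.compile(rb"base64_decode\s*\(", re.I)}
# .htaccess: rewrites, redirects and (assumed) auto_prepend/append includes.
HTACCESS_PATTERNS = {
    "rewrite": re.compile(rb"^[ \t]*Rewrite(Rule|Cond)\b", re.I | re.M),
    "redirect": re.compile(rb"^[ \t]*Redirect(Match)?\b", re.I | re.M),
    "include": re.compile(rb"auto_(pre|ap)pend_file", re.I),
}
SOURCE_EXTS = (".php", ".inc", ".html", ".htm", ".js")

def scan(root):
    """Return sorted (relative_path, line_number, label) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess":
                patterns = HTACCESS_PATTERNS
            elif name.lower().endswith(SOURCE_EXTS):
                patterns = SOURCE_PATTERNS
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, rx in patterns.items():
                for m in rx.finditer(data):
                    line = data.count(b"\n", 0, m.start()) + 1
                    hits.append((os.path.relpath(path, root), line, label))
    return sorted(hits)

def build_sample(root):
    """Write a small constructed site (not data from the thread) into root."""
    os.makedirs(os.path.join(root, "images"), exist_ok=True)
    files = {
        "index.php": "<?php echo 'home'; ?>\n",
        "images/cache.php": "<?php\n$p = base64_decode($x);\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^promo/ images/cache.php [L]\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

A hit is a pointer for manual review, not proof of compromise: legitimate code also uses `base64_decode` and rewrite rules, so compare each hit against a known-good copy of the site.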
 
