Website Hacked - Where Are Spam Pages? - Webmaster General forum at WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

Website Hacked - Where Are Spam Pages?

Hacker created new pages on site, can't find them, how to delete them?

suga

12:50 am on Jun 22, 2010 (gmt 0)

Noticed in Google Webmaster Tools a bunch of pages on my site that I didn't create. When I click on the link, the page comes up and the URL still lists my site. However, I cannot find the page in the directory on my server OR in my database. All links on the new spam pages are relative, so the links just go to more spam pages on my site.

I see about 15 pages in Google Webmaster Tools (showing as having too short of meta descriptions), but I have no idea how to find them all.

1) How do I find out how these pages are being parsed? Since the pages don't exist in the directory, they're obviously being redirected somehow... but where is the source code?

2) How do I block the spammer?

3) What the heck is going on?!?

Thanks in advance everyone.

phranque

2:09 am on Jun 22, 2010 (gmt 0)

try using the "Fetch as Googlebot" feature in GWT.
perhaps that will expose something or at least give you some clues.

too much information

2:50 am on Jun 22, 2010 (gmt 0)

Check your htaccess files for redirects or includes, change your passwords and check your logs to see if you can spot when the hack took place. That might help you spot how your site was hacked.

Also check with your host, maybe someone else's site was hacked which let the hacker gain access to more sites on the same server. Not much you can do about that but at least you will know if your site is secure on it's own.

lammert

4:46 am on Jun 22, 2010 (gmt 0)

If you are on shared hosting, the hacker could have inserted code in the central httpd.conf file which adds malicious links to all sites which are served by that server. In that case you won't find the pages on your site. Your host can check if something is wrong in their central config file. If the pages are on your site, they may also be able to find out how the spammer created them. Informing your host about the spam issue is therefore a good thing to do.

tangor

8:59 am on Jun 22, 2010 (gmt 0)

Noticed you said "database" run a check on meta descriptions in your database for length to find the "short ones".

SteveWh

12:15 pm on Jun 22, 2010 (gmt 0)

In addition to the other advice you've received,

the pages are sometimes put into the site in encoded form.

Try searching the source code of your pages for the string "base64_decode".

When I click on the link, the page comes up and the URL still lists my site. However, I cannot find the page in the directory on my server OR in my database.

Since the pages don't exist in the directory, they're obviously being redirected somehow.

If the URL still shows your site, it may be that the requests are being rewritten (a different page served than the one requested, without informing the visitor's browser that this has been done) rather than redirected (which sends a message BACK to the visitor's browser to please request the different page).

The question is whether the bad pages are inside your site or whether visitors are being redirected. The circumstances seem to suggest that the bad pages are hidden in your site somewhere.

For further investigation, the Firefox add-on called Live HTTP Headers will show you in real time whether any actual redirects (301, 302) are occurring.

If you turn off JavaScript, that would make it impossible for window.location (document.location) code to do a redirect. That is, if you go to a page and get redirected, but when you turn off JS, you *don't* get redirected, it means that redirect was being done with JS, though I tend to doubt that's the case here.