Welcome to WebmasterWorld Guest from 54.196.42.8

Forum Moderators: open

Have I been hacked?

Site page appears as sub-domain in Google

     
1:07 am on Jul 4, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


I'm not sure if this is the proper place - anyhoo I added a new page to my site a few days ago.

https://www.example.com/directory/new-page-on-widgets.htm

Checking in Google search today using the page title "New Page on Widgets" as search term gave a position five - up came my page, with description etc - with one startling exception.

https://ti.example.com/directory/new-page-on-widgets.htm

Ideas anyone - yes I have contacted my host.

It has got me beat for the moment.
8:30 am on July 4, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11393
votes: 157


do you have a hostname canonicalization redirect in place?
what happens when you request this url?
you should get a 301 redirect to the equivalent path on the www hostname...

[edited by: phranque at 7:17 am (utc) on Jul 6, 2018]

8:35 am on July 4, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


Check out how your host handles subdomains. You may need to change or add an A Record.
9:44 pm on July 4, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


For me the issue is entirely why it appears that way in Google. I don't use subdomains. This URL

https://ti.example.com/directory/new-page-on-widgets.htm

Isn't mine, so how the hell did my new page end up in Google that way?

How does
 https://www.example.com morph into https://ti.example.com
at Google?

A dopey error of sorts, or was it something malicious?
10:12 pm on July 4, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8567
votes: 668


Have you heard back from your host? (BTW, you do have a pre-change back of your site, right?)
3:28 am on July 5, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


BTW, you do have a pre-change back of your site, right?

The only thing I know about pre-change is if you intend to change your domain name, which of course isn't my intention.

Why I am so worried is if your click on the link - https://ti.example.com/directory/new-page-on-widgets.htm
- provided by Google search you are sent to a page [as if it really exists on my site] which says:
This site is not secure
This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
Recommended iconClose this tab
More information More information

Of course my site is in fact secure, and the correct URL causes no problems.

What at Google search substituted ti. for www.?

There are no subdomains on my site at all
4:14 am on July 5, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3910
votes: 223


The "not secure" message is likely only because your certificate doesn't include ti. as a subdomain.

Have you seen any traffic logged to that URL - including Google's bots?
Have you tried submitting the actual URL using "Fetch as Google" in the old GSC?
Made sure something hasn't accidentally created a link to that /ti. URL in an edit or sitemap?
Have you checked headers when trying to visit that URL?
Do "visits" trigger a 500 error?

Not that I think you haven't checked, just can't think of anything that might have gotten that link into Google's sights.

4:25 am on July 5, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


What at Google search substituted ti. for www.?
Nothing. Google doesn't invent URLs, it only discovers them.

As I said above, you need to get the answer from your host. This is where the URL is being created. Google just found it and added it to the index.

Also, this is not a hack.

FTP to your site file heirachy. Look above root. Unhide any hidden files. If the subdomain exists, you should see it.
6:40 am on July 5, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


So if you do not see this subdomain "ti" anywhere on your account, and your server admin can't explain it...

...then the logical explanation is that another site placed a link to your site but misspelled the URL either accidentally, or by design and Google crawled it.

The placeholder "www" can really be anything. That's why ti.example.com points to your site, and as not2easy explained, you get a browser security warning because this address is not valid for your security certificate.

These things happen. I see lots of URL errors in GSC every week. Some are just pages no longer on my server, but many are non-existent URLs that have no explanation.
8:18 am on July 5, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


There is absolutely nothing my host nor myself can identify on the server. Nothing at all.

I have requested Google delete the proper URL. I'll wait awhile and see what happens, if it goes away then I'll resubmit the page.

BTW there is no way I can see the source code of that page.
8:27 am on July 5, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:25472
votes: 743


BTW there is no way I can see the source code of that page.

No cache in Google?
What about wayback machine - of course, if it's too new it won't be there.
8:40 am on July 5, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


Page is only a couple of days old mate

For the technically minded our internet service has been switched from ADSL via phone line over to what was supposed to be fibre optic.

In regional areas you get a hybrid. No matter what you get though - if you have a power blackout you lose your VOIP telephone.

A long story, but a mini cyclone [hurricane] through here a few years back left us without power for over a week. My old landline phone continued to work, not so mobile phones without means of charging until the local club provided charging suites powered by a generator, then the phone tower flat batteries closed the phones down anyway after a few days.

There was a serious medical emergency [not mine] and having an old land line phone I was able call an ambulance. With this new fangled broadband thingy? No electricity, no phone, no ambulance.

I teach electronics. This project page was an uninterruptable power supply designed to solely power my modem. Pull it out of the 240V power point, and you can still make a telephone call - mission accomplished at a cost of around $A 70.00 about $US 50.00. The cheapest commercial UPS cost nearly twice that...

Repairing, building, modifying things is what I do for recreation and entertainment.
8:58 am on July 5, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:25472
votes: 743


Might still be a google cache, but, then, i guess you would have seen that already. Aaaah, well, just a thought.

Any server raw logs?

What about Search Console?
9:05 am on July 5, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


I looked at the page.

ti.example.com is the same exact mark-up as www.example.com

As I said, www or ti or whatever is just a place holder for a sub-domain, but you don't have a sub-domain configured on your account so it just goes to your index page.
1:11 pm on July 5, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:12157
votes: 348


Quick thoughts off the top of my head...

Any chance you've got wildcard subdomains enabled in your DNS A-records? Wildcard DNS is open to all kinds of mischief and errors.

Also, one of the first things to look for when you think you've been hijacked is whether the site that appears in the serps mimicks changes of your page content in real time, or whether it's been scraped and is a static version. "Live" realtime changes that also show up in the serps suggest DNS or proxy hijacking of some sort, whereas scraped pages that don't respond to realtime changes suggest other mechanisms.

Compare Google results with results in, say, Bing (or local requests for your pages via direct url requests, without a search engine) to see if there's a difference.

BTW there is no way I can see the source code of that page.
Can you explain why that is. Are the pages in ti subdomain further cloaked, or do they redirect when you examine them. That would also suggest hacking. There are a million ways hackers might try to prevent you from accessing a page.

And looking at your site using fetch as Googlebot might provide other clues.

11:09 pm on July 5, 2018 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2211
votes: 136


I have requested Google delete the proper URL. I'll wait awhile and see what happens, if it goes away then I'll resubmit the page.

Did that yesterday - problem now resolved - correct URL alone now appears in Google search results.

Weird

Thanks to all
11:22 pm on July 5, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8567
votes: 668


The end result is what's important, yet, the mystery remains! How cool is that? I see a major movie in the wings. :)

More seriously, good result. On to the next adventure...
7:39 am on July 6, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11393
votes: 157


Any chance you've got wildcard subdomains enabled in your DNS A-records? Wildcard DNS is open to all kinds of mischief and errors.

have you verified that you don't have wildcard subdomains implemented at your dns?

Did that yesterday - problem now resolved - correct URL alone now appears in Google search results.

you may be addressing the results but i don't think you have solved the cause.

Have you checked headers when trying to visit that URL?

my questions still stand unanswered:
do you have a hostname canonicalization redirect in place?
what happens when you request this url?
9:06 am on July 6, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12334
votes: 805


what happens when you request this url?
I answered that above.

It was the same mark-up as the normal index page... because it was the same page only the cert didn't apply to that odd sub-domain placeholder, so the browser was displaying a warning.

I agree that the cause of this URL has not been discovered, but also as I said above, maybe it is as simple as a 3rd party backlink with a typo.

I see all kinds of strange URLs for my sites, most unexplained. Always have.
12:50 pm on July 6, 2018 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11393
votes: 157


I answered that above.

headers?
status code (chain)?

regardless of how or where it was discovered, if the hostname is noncanonical it should be redirected with a 301 status code instead of providing a 200 OK response.