JoshuaMackens

So, normally I might write a blog post about this but I don't have the time. However, this does need to be cataloged so that if someone runs into this same issue, you have some documentation on what to do.

If this had already been out there when I had this problem, it would have been fixed a month and a half ago.

A client of mine was hacked about a month and a half ago. Their website was infiltrated, about 1,250+ pages about viagra, cialis, and levitra (sp?) were uploaded, and then I found over 5,000+ backlinks from 700+ websites through webmaster tools.

I don't know why we were targeted. It may have been a negative SEO attack (most likely) or I guess, it could have been done to use our website to manipulate someone else's ranking. However, I found no evidence of hyperlinks on the manufactured pages on our website linking out to anyone else. So, if anyone else knows a reason for this, I'm all ears.

Anyways, if this happens to you, it sounds worse than it really is. The clean up is actually quite simple, even if it is somewhat time consuming.

The first thing you need to do is clean up your website.

1) Get rid of the offending pages. Luckily for me, they uploaded them all to the subdirectory domain.com/wpsite/. I was able to go in, delete just the directory, no problem.

2) Once cleaned up, update WordPress, update all plugins (if on WordPress), change admin password (consider even creating a fresh new admin account), etc. You may even want to consider changing FTP/cPanel password as well. You just want to try to close any major loopholes you can that might allow the offenders back in.

If someone else wants to chime in on any other possible loopholes, please feel free.

3) After you've done this, it's time to blast the backlinks.

If you caught it soon enough, webmaster tools should have a report on all of the backlinks. Go to webmaster tools and download the latest sample of backlinks. Put it in an Excel file and do some sorting.

The sorting method I went through took me about 30 minutes to sort through 5,000-ish backlinks. I used Excel and I was very happy (accuracy-wise) with the results. Again, I don't have a lot of time today to explain it but if this does happen to someone and you're interested in the method, just reply to this thread and I will post how I went about it. It's not a secret and it's certainly not complicated, I'm just crunched for time. No sense in doing it now if no one ends up needing it :)

Once you have an exhaustive list of the offending backlinks (IMPORTANT: don't catch good backlinks in the process!), go ahead and disavow them.

When it comes to disavow, I disavow entire domains. Doing just backlinks is time consuming and disavowing domains would cover any future attacks from that domain as well. 2 birds, 1 stone.

4) Finally, once you do that, you need to get Google to take the pages out of their index. What would be really nice is if you noticed the attack before Google did.

Do a site:domain.com in Google and if you don't have any of the pages in the search results, congrats! You're pretty much done. You can check "content keywords" in GWT just to make sure nothing is wrong but you should be good (if viagra, cialis, levitra, etc. is in your content keywords, Google picked them up and you will need this next step).

However, if you were like me and Google did pick up the offending pages, we have to get Google to deindex them.

There is a tool in Google Webmaster Tools called "Remove URL's" under "Google Index". This tool allows you to request a page on your site be removed from the index. It has to be approved but in my case, the requests were approved within 24 hours.

If you have 1,000+ pages, you're in for a long manual process. I would suggest hiring someone on Odesk to manually do that for you. However, if you're "lucky" and all the pages are in a subfolder, you can actually request Google remove the entire subdirectory itself by using the same tool and just typing in the subdirectory. CAUTION: make sure not to remove good pages!

That's it!

As for my story, I did everything above within 2 weeks of the hack except for the index removal. I expected Google to see the 404's and drop them from the index immediately. Even after a month, they had not.

So, yesterday, I requested the subdirectory be removed from the index and voila! Today I check with a site:domain.com and all of the pages are gone!

Even better, I checked our ranking today and we went up about 10 spots across the board for our main keywords.

Talk about results.

Happy hacker busting!
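
Step 3 above, as an added example that is not part of the original post: once the backlinks have been judged by hand, this turns the flagged ones into whole-domain `domain:` entries for a disavow file and holds back anything on a known-good list. The function names and sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

def host_of(entry):
    """Return the lowercase hostname of a backlink entry, with or without a scheme."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    host = (urlsplit(entry).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def build_disavow(offending_links, keep_domains):
    """Return (disavow file text, hosts held back because they match a good domain)."""
    keep = {d.lower() for d in keep_domains}
    disavow, held = set(), set()
    for link in offending_links:
        host = host_of(link)
        if not host:
            continue  # blank or unparseable row from the export
        # Protect a known-good domain and any of its subdomains from being disavowed.
        if any(host == k or host.endswith("." + k) for k in keep):
            held.add(host)
        else:
            disavow.add(host)
    lines = ["# Spam backlinks found after site compromise (constructed example)"]
    lines += ["domain:" + h for h in sorted(disavow)]
    return "\n".join(lines) + "\n", sorted(held)

# Constructed sample rows, standing in for the flagged part of a backlink export.
SAMPLE_LINKS = [
    "http://www.spam-one.example/cheap-pills.html",
    "https://spam-one.example/other.php?id=7",
    "SPAM-TWO.example/page",
    "http://blog.goodpartner.example/review-of-us",
    "",
]
SAMPLE_KEEP = ["goodpartner.example"]

if __name__ == "__main__":
    text, held = build_disavow(SAMPLE_LINKS, SAMPLE_KEEP)
    print(text, end="")
    print("held for manual review:", held)
```

Hosts in the held list were flagged but match a domain you want to keep, so check them by hand before adding them to the file.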
 
This happens to WordPress sites all the time, as they're easily hacked & vulnerable. Usually with pharmaceutical content it's not negative SEO, but actually hackers trying to get into sites to sell links on. They'll upload a subdirectory and then sell links in SAPE (or other link-selling websites) on those pages. Because the main pages aren't affected, sometimes the website owner doesn't notice and they could sell links for months before anyone does notice. By that time they've made $5/link x 10 links per page x how many pages they put on there, and generated some easy cash.
People will pay a hefty price for pharmaceutical links, so that's the type of content these sites are usually hacked with.

It's worth making a SAPE account just to check that any of your clients' domains aren't showing up there or anywhere they have links coming from aren't also selling links on SAPE. You might need to brush up on your Russian though ;)

Thanks for sharing the step-by-step for removal/clean up!
 
One caveat: I had a WordPress site hacked last year and the added files were not just in one directory of the site but scattered in several directories. The hackers were using PHP files to send out hundreds of spam and/or pornographic emails an hour.

Access seemed to be originally through a vulnerability in a custom pro theme but even after that was removed the hackers returned via leftover files. Trying to find and remove all the added files proved frustrating and they kept getting back in through leftover backdoor PHP files. This was despite changing passwords for everything at least three times. Only that one site on my server was affected.

Eventually, I backed up the database and settings and wiped the entire domain. I then uploaded a brand new version of the latest WordPress and the latest plugins I needed. That site has now been secure and malware free for several months, thank goodness.

A further note: It's not that WordPress sites are easily hacked so much as it's essential that you keep all core files, plug-ins, and themes up to date as security vulnerabilities are patched.
 
Cheers Joshua for such a handy write-up to relate back to if needed. I was a victim of this at Christmas and I'm still not back online :( I was just getting started with my new site, had all the pages and copy finished, and was in the process of tidying up tags, JS & CSS files. I lobbed the site into the Cognitive SEO app and found:

That's only a few of them. I ended up having to delete the site and start all over again because, like djbaxter was saying, they were getting back in to his, and a mate of mine had the same issue; in his case they had hidden shell scripts of some sort and were just starting over each time.

It certainly has been a learning curve for me anyway, and a hard one at that. Thing is, they are still at it on a daily basis. I installed Wordfence Security and it gives you live stats of what visitors are doing. I'm constantly having to manually block their IPs and login attempts; they are relentless and very annoying.

Wordfence is a good plugin; I think I would be hacked again only for it. Cheers guys/gals for the write-up.
 
Wow, that really sucks.

Let us know if you find a way to keep them out permanently!
 
You'll probably want to ensure you're using some stronger security on your WP install. Personally I recommend these guys: https://wordpress.org/plugins/wordfence/ (which others have recommended)

I would checksum all your .php files to ensure they've not hashed a back-door into your install as well (Wordfence will do this for you).

About 6 months ago I had a similar attack on a friend's website that I had to sort out (Cialis links all over the place). It could be negative SEO, but typically it is someone who is hijacking domains to pass authority for some kind of affiliate marketing technique.

Good luck, not a fun problem to have to deal with. Additionally I might modify your DB connections to make sure they can't SQL inject an admin account for further nefarious purposes.

EDIT: The paid version of Wordfence allows for black-listing countries. Which is a useful tool if you're marketing a local business :)
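
The checksum idea above, as an added example that is not part of the original post and not Wordfence's code: hash every PHP file in the live install and compare against a pristine copy of the same WordPress, plugin and theme versions unpacked locally. The directory layout and file contents in `demo()` are constructed so the block runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml"}  # assumption: extensions the server executes as PHP

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def php_hashes(root):
    """Map each PHP file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES}

def audit(live_dir, pristine_dir):
    """Compare a live install against a known-good copy of the same release."""
    live, clean = php_hashes(live_dir), php_hashes(pristine_dir)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "unexpected": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }

def demo():
    """Build a constructed pristine/live pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "pristine"), Path(tmp, "live")
        files = {"index.php": "<?php // front controller\n",
                 "wp-includes/load.php": "<?php // loader\n"}
        for base in (clean, live):
            for rel, body in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(body)
        # Simulate a tampered core file and a stray PHP file among the uploads.
        (live / "wp-includes/load.php").write_text("<?php // loader\n// altered line\n")
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/cache.PHP").write_text("<?php // not in release\n")
        (live / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")
        return audit(live, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site `wp-config.php` will appear under "unexpected" because it is not shipped in the release, so read that one by hand; any PHP file under the uploads directory deserves the same attention.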
 
I realized what's happening.

Did some further digging and all the backlinks that were pointing to us were from other infected sites. Some WordPress, some not.

The pages are using "cloaking". They're setting content on the website for Google to crawl but then they put a <frame> over it to show an actual website that says the pharmaceuticals themselves.

When you go to the bare URL on your own, there is no page. The only way to access it is through Google search results. When you do, the frame opens up and the pharmaceutical website is sitting there on the page.

When you look at the source code, there's just the frame in the html, that's it. When you look at the cache, there's a ton of content. I wonder why the content isn't in the source code along with the frame?
 