Solved

This site may be hacked

Posted on 2015-02-02
14
452 Views
Last Modified: 2015-06-11
Hi,
 
I have a website and when someone types in a search word, this site comes up on the first result page on Google, but it displays the message:
DomainName.biz/‎Cached

"This site may be hacked."

When I log in webmaster tools website using my login, I see the following message under "Security Issues" section.

URL injection (These pages appear to be created by a hacker with the intent of spamming search results.)
http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php 9/8/14


When I click "Site Messages", I see five of the same message:
Hacking suspected: http://www.DomainName.biz/  1/9/15
Hacking suspected: http://www.DomainName.biz/  12/9/14
Hacking suspected: http://www.DomainName.biz/  11/9/14
....
Hacking suspected: http://www.DomainName.biz/  9/9/15

The infection occurred in Sep 2014. At that time, no one could access the website, with some type of message in red color. Since then the 3d-instruktor-22-rustorka.php page has been removed from the site and the site has been running fine.
However, when some users google the keyword and the website comes up, it still displays the warning: "This site may be hacked."


I can't even submit "Request a Review" to Google because the Request button is recessed.

How can I take care of this problem?
0
Comment
Question by:sglee
14 Comments
 
LVL 23

Expert Comment

by:Michael Fowler
ID: 40585350
Do you have a backup of the site code from before the hack? If so, then restoring this could be the easiest answer to get the site up and running quickly. Of course, you would still need to determine the security flaw and fix it.
0
 

Author Comment

by:sglee
ID: 40585499
I will have to ask web hosting company about the backups, but I highly doubt that they can go back to Sep. 2014.
0
 
LVL 17

Accepted Solution

by:
Chris Harte earned 167 total points
ID: 40586070
It looks like Google scanned your site whilst you were hacked and is showing that cached version in the search results. Ask for a rescan to see if that helps.

https://support.google.com/webmasters/answer/6065812?hl=en
0
 

Author Comment

by:sglee
ID: 40586152
@MunterMan,

  I requested the Fetch and will post results.
0
 
LVL 17

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 333 total points
ID: 40595239
First, the number one issue you want to resolve is the security hole. Someone was injecting code into your site and if you don't patch this issue, it will continue to happen. Simply removing the file or rolling back to a previous version is not a fix.

If you don't fix the issue, then the site gets re-indexed by Google, then the injection takes place again, it may become even harder to resolve with Google.

Are you using an outdated script? Old version of wordpress? Old forum software? You'll want to hunt down the culprit asap.

Once this is taken care of you should then request a review. Make sure you fill out a sentence to explain what you did to fix the issue, in order to submit the review request. Spam reviews can take multiple weeks to process per Google:

Reviews for sites hacked with spam may require up to several weeks to process. This is because spam reviews can involve manual investigation or a complete reprocessing of the hacked pages. If the review is approved, Security Issues will no longer display hacked category types or example hacked URLs.
0
 

Author Comment

by:sglee
ID: 40595241
Lucas,
  Is there a software that I can buy to find or search for security hole in coding?
0
 
LVL 17

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 333 total points
ID: 40595248
Sglee, there's a few things I'd recommend.

First, virus scan on the local computer of the site administrator. It could be that a virus on your computer has caused the password to be shared (keystroke logger) with a malicious user when you logged in a long time ago. This would be the easiest thing to check.

Also, change all passwords on the server (ftp, database, etc).

On the server side though, there could be many culprits. Based on the message Google gave you, it appears there is an "open redirect" vulnerability that may have been leveraged. You'll want to look at the different applications/plugins/etc that you have installed on your site and check what version they are. Then go to the developer's web site and see if there are newer patched versions available that you should install.

You may want to contact your web host and notify them that your site was hacked and see if they have any insight. Maybe one of their control panel applications was outdated back in September and everyone on the server got hacked. If they fixed it, they'd likely let you know. They would also probably be open to reviewing your site and giving you feedback on a potential culprit. Some hosts don't provide this much support though, so your mileage may vary.
0
 

Author Comment

by:sglee
ID: 40595255
I will discuss your suggestions with ISP.
0
 

Author Comment

by:sglee
ID: 40601691
I am happy to report that "Hacked" has been finally removed and I received an email from Google:

----------------------------------------------------------------------------------------------------------------------
Subject: Reconsideration request processed for http://www.DomainName.biz/

Dear Webmaster of http://www.DomainName.biz/

We have processed the reconsideration request from a site owner for http://www.DomainName.biz/. The site has been reviewed for violations of our quality guidelines. Any manual spam actions applied to the site have been revoked or adjusted where appropriate.

----------------------------------------------------------------------------------------------------------------------
0
 
LVL 17

Expert Comment

by:Lucas Bishop
ID: 40601733
Congrats! Don't forget to lock-down those passwords & old scripts.

-L
0
 

Author Comment

by:sglee
ID: 40601750
Lucas,
 
Since we are on the subject, let me ask you a question.
When Google detected: "http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php"
(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
(3) What did you mean by "Lock down old scripts"?

I manage several websites and they are all the same except this particular hacked website uses WORDPRESS and this is the only site that has ever been hacked.
0
 
LVL 17

Expert Comment

by:Lucas Bishop
ID: 40601826

(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
The current version of Wordpress is 4.1. If you are using an older version, your site is at risk of having security holes. Many plugins have vulnerabilities and you need to check in the Plugin area of your admin regularly to see if updates are available.

Odds are you have an out of date script on your site and the hacker discovered this and exploited it. They likely did not even need your password to do this. They may have installed a backdoor so they can come back and do the same thing all over again.

(3) What did you mean by "Lock down old scripts"?
By lock down old scripts I mean, make sure that you are not running the 'old' versions of Wordpress or any Plugins. Install the latest versions whenever they are made available.

I'd recommend taking a look at this plugin:
https://wordpress.org/plugins/wordfence/
0
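An added example, not part of the thread and not any poster's code: a Python check a site owner could run over a downloaded copy of the WordPress files to look for what the comment above warns about, a leftover backdoor or a spam page still on disk. The heuristics (PHP files under wp-content/uploads, eval() of decoded data) and every sample file are assumptions constructed for illustration; only the flagged URL comes from the question.

```python
import re
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlparse, parse_qs

# Obfuscation idiom common in PHP backdoors (a heuristic, not a complete list).
OBFUSCATED = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def reported_names(urls):
    """File names taken from the do= parameter of URLs flagged by Google."""
    values = (v for u in urls for v in parse_qs(urlparse(u).query).get("do", []))
    return {PurePosixPath(v).name for v in values}

def scan(root, flagged_urls=()):
    """Return {relative_path: [reasons]} for PHP files that need manual review."""
    wanted = reported_names(flagged_urls)
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".php":
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.name in wanted:
            reasons.append("file named in a flagged URL is still present")
        if rel.startswith("wp-content/uploads/"):
            reasons.append("PHP file inside the uploads directory")
        if OBFUSCATED.search(path.read_bytes()):
            reasons.append("eval() of decoded data")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Scan a constructed site tree (sample files made up for this example)."""
    sample = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "3d-instruktor-22-rustorka.php": b"<?php echo 'spam';",
        "wp-content/uploads/2014/09/cache.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "wp-content/uploads/2014/09/photo.jpg": b"\xff\xd8\xff",
    }
    flagged = ["http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php"]
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(root, flagged)

if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a local copy of the site and pass the URLs listed under "Security Issues". An empty result only means these three heuristics found nothing, not that the site is clean.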
 

Author Comment

by:sglee
ID: 40601839
Thank you for additional information and I appreciate it.
0
 

Expert Comment

by:Shahriar Shohag
ID: 40823942
Hello SGLEE,
Thanks for sharing your problem. I also face the same problem, so I need your help on how you solved it. Kindly reply to me. Thanks in advance for reading.
0

Question has a verified solution.