Solved

This site may be hacked

Posted on 2015-02-02
Last Modified: 2015-06-11
Hi,
 
I have a website and when someone types in a search word, this site comes up on the first result page on Google, but it displays the message:
DomainName.biz/‎Cached

"This site may be hacked."

When I log in webmaster tools website using my login, I see the following message under "Security Issues" section.

URL injection (These pages appear to be created by a hacker with the intent of spamming search results.)
http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php 9/8/14


When I click "Site Messages", I see five of  the same message:
Hacking suspected: http://www.DomainName.biz/  1/9/15
Hacking suspected: http://www.DomainName.biz/  12/9/14
Hacking suspected: http://www.DomainName.biz/  11/9/14
....
Hacking suspected: http://www.DomainName.biz/  9/9/15

The infection occurred in Sep 2014. At that time, no one could access the website, with some type of message in red color. Since then the 3d-instruktor-22-rustorka.php page has been removed from the site and the site has been running fine.
However when some users google the keyword and when the website comes up, it still displays the warning: "This site may be hacked."


I can't even submit "Request a Review" to Google because the Request button is recessed.

How can I take care of this problem?
Question by:sglee
14 Comments
 
LVL 23

Expert Comment

by:Michael Fowler
ID: 40585350
Do you have a backup of the site code from before the hack? If so, then restoring this could be the easiest answer to get the site up and running quickly. Of course you would still need to determine the security flaw and fix it.
0
 

Author Comment

by:sglee
ID: 40585499
I will have to ask web hosting company about the backups, but I highly doubt that they can go back to Sep. 2014.
0
 
LVL 17

Accepted Solution

by:
Chris Harte earned 668 total points
ID: 40586070
It looks like Google scanned your site whilst you were hacked and is showing that cached version in the search results. Ask for a rescan to see if that helps.

https://support.google.com/webmasters/answer/6065812?hl=en
0

 

Author Comment

by:sglee
ID: 40586152
@MunterMan,

  I requested the Fetch and will post results.
0
 
LVL 18

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 1332 total points
ID: 40595239
First, the number one issue you want to resolve is the security hole. Someone was injecting code into your site and if you don't patch this issue, it will continue to happen. Simply removing the file or rolling back to a previous version is not a fix.

If you don't fix the issue, then the site gets re-indexed by Google, then the injection takes place again, it may become even harder to resolve with Google.

Are you using an outdated script? Old version of WordPress? Old forum software? You'll want to hunt down the culprit asap.

Once this is taken care of you should then request a review. Make sure you fill out a sentence to explain what you did to fix the issue, in order to submit the review request. Spam reviews can take multiple weeks to process per Google:

Reviews for sites hacked with spam may require up to several weeks to process. This is because spam reviews can involve manual investigation or a complete reprocessing of the hacked pages. If the review is approved, Security Issues will no longer display hacked category types or example hacked URLs.
0
 

Author Comment

by:sglee
ID: 40595241
Lucas,
  Is there software that I can buy to find or search for security holes in coding?
0
 
LVL 18

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 1332 total points
ID: 40595248
Sglee, there are a few things I'd recommend.

First, virus scan on the local computer of the site administrator. It could be that a virus on your computer has caused the password to be shared (keystroke logger) with a malicious user when you logged in a long time ago. This would be the easiest thing to check.

Also, change all passwords on the server (ftp, database, etc).

On the server side though, there could be many culprits. Based on the message Google gave you, it appears there is an "open redirect" vulnerability that may have been leveraged. You'll want to look at the different applications/plugins/etc that you have installed on your site and check what version they are. Then go to the developer's web site and see if there are newer patched versions available that you should install.

You may want to contact your web host and notify them that your site was hacked and see if they have any insight. Maybe one of their control panel applications was outdated back in September and everyone on the server got hacked. If they fixed it, they'd likely let you know. They would also probably be open to reviewing your site and giving you feedback on a potential culprit. Some hosts don't provide this much support though, so your mileage may vary.
0
 

Author Comment

by:sglee
ID: 40595255
I will discuss your suggestions with ISP.
0
 

Author Comment

by:sglee
ID: 40601691
I am happy to report that "Hacked" has been finally removed and I received an email from Google:

----------------------------------------------------------------------------------------------------------------------
Subject: Reconsideration request processed for http://www.DomainName.biz/

Dear Webmaster of http://www.DomainName.biz/

We have processed the reconsideration request from a site owner for http://www.DomainName.biz/. The site has been reviewed for violations of our quality guidelines. Any manual spam actions applied to the site have been revoked or adjusted where appropriate.

----------------------------------------------------------------------------------------------------------------------
0
 
LVL 18

Expert Comment

by:Lucas Bishop
ID: 40601733
Congrats! Don't forget to lock-down those passwords & old scripts.

-L
0
 

Author Comment

by:sglee
ID: 40601750
Lucas,
 
 Since we are on the subject, let me ask you a question.
When Google detected: "http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php "
(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
(3) What did you mean by "Lock down old scripts"?

I manage several websites and they are all the same except this particular hacked website uses WORDPRESS and this is the only site that has ever been hacked.
0
 
LVL 18

Expert Comment

by:Lucas Bishop
ID: 40601826

(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
The current version of WordPress is 4.1. If you are using an older version, your site is at risk of having security holes. Many plugins have vulnerabilities and you need to check in the Plugin area of your admin regularly to see if updates are available.

Odds are you have an out of date script on your site and the hacker discovered this and exploited it. They likely did not even need your password to do this. They may have installed a backdoor so they can come back and do the same thing all over again.

(3) What did you mean by "Lock down old scripts"?
By lock down old scripts I mean, make sure that you are not running the 'old' versions of WordPress or any Plugins. Install the latest versions whenever they are made available.

I'd recommend taking a look at this plugin:
https://wordpress.org/plugins/wordfence/
0
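
The answer above warns that a backdoor may have been left behind after the injected page was removed. As an added example that is not part of the original thread, this sweep flags PHP files in a WordPress tree that deserve manual review before a review request is filed. The function names, reason labels, date window and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# Heuristic (an assumption of this example, not a full signature set): eval() around a decoder.
OBFUSCATED = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")

def sweep(webroot, start, end):
    """Return {relative path: [reasons]} for PHP files that need manual review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            reasons = []
            # WordPress keeps media under wp-content/uploads; PHP there is unexpected.
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")
            if start <= os.path.getmtime(path) <= end:  # changed around the infection date
                reasons.append("modified-in-window")
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read()):
                    reasons.append("obfuscated-eval")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Sweep a constructed web root (sample files, not taken from the affected site)."""
    root = tempfile.mkdtemp()
    old, hit = datetime(2013, 1, 15).timestamp(), datetime(2014, 9, 8).timestamp()
    samples = {
        "index.php": (b"<?php require 'wp-blog-header.php';", old),
        "wp-includes/load.php": (b"<?php // constructed: core file touched in window", hit),
        "wp-content/uploads/cache.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));", hit),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return sweep(root, datetime(2014, 9, 1).timestamp(), datetime(2014, 10, 1).timestamp())

if __name__ == "__main__":
    print(demo())
```

A hit is a prompt to compare the file against a clean copy of the same WordPress or plugin version, not proof of compromise; legitimate updates also change modification times.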
 

Author Comment

by:sglee
ID: 40601839
Thank you for additional information and I appreciate it.
0
 

Expert Comment

by:Shahriar Shohag
ID: 40823942
Hello SGLEE,
Thanks for sharing your problem. I also face the same problem, so I need your help with how you solved the problem. Kindly reply to me. Thanks in advance for reading.
0
