  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 529
  • Last Modified:

This site may be hacked

Hi,
 
I have a website and when someone types in a search word, this site comes up on the first result page on Google, but it displays the message:
DomainName.biz/‎Cached

"This site may be hacked."

When I log in webmaster tools website using my login, I see the following message under "Security Issues" section.

URL injection (These pages appear to be created by a hacker with the intent of spamming search results.)
http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php 9/8/14


When I click "Site Messages", I see five of  the same message:
Hacking suspected: http://www.DomainName.biz/  1/9/15
Hacking suspected: http://www.DomainName.biz/  12/9/14
Hacking suspected: http://www.DomainName.biz/  11/9/14
....
Hacking suspected: http://www.DomainName.biz/  9/9/15

The infection occurred in Sep 2014. At that time, no one could access the website; they got some type of message in red color. Since then the 3d-instruktor-22-rustorka.php page has been removed from the site and the site has been running fine.
However when some users google the keyword and when the website comes up, it still displays the warning: "This site may be hacked."


I can't even submit "Request a Review" to google because the Request button is recessed.

How can I take care of this problem?
0
sglee
Asked:
sglee
3 Solutions
 
Michael FowlerSolutions ConsultantCommented:
Do you have a backup of the site code from before the hack? If so then restoring this could be the easiest answer to get the site up and running quickly. Of course you would still need to determine the security flaw and fix it.
0
 
sgleeAuthor Commented:
I will have to ask web hosting company about the backups, but I highly doubt that they can go back to Sep. 2014.
0
 
Chris HarteThaumaturgeCommented:
It looks like Google scanned your site whilst you were hacked and is showing that cached version in the search results. Ask for a rescan to see if that helps

https://support.google.com/webmasters/answer/6065812?hl=en
0

 
sgleeAuthor Commented:
@MunterMan,

  I requested the Fetch and will post results.
0
 
Lucas BishopClick TrackerCommented:
First, the number one issue you want to resolve is the security hole. Someone was injecting code into your site and if you don't patch this issue, it will continue to happen. Simply removing the file or rolling back to a previous version is not a fix.

If you don't fix the issue, then the site gets re-indexed by Google, then the injection takes place again, it may become even harder to resolve with Google.

Are you using an outdated script? Old version of wordpress? Old forum software? You'll want to hunt down the culprit asap.

Once this is taken care of you should then request a review. Make sure you fill out a sentence to explain what you did to fix the issue, in order to submit the review request. Spam reviews can take multiple weeks to process per Google:

Reviews for sites hacked with spam may require up to several weeks to process. This is because spam reviews can involve manual investigation or a complete reprocessing of the hacked pages. If the review is approved, Security Issues will no longer display hacked category types or example hacked URLs.
0
 
sgleeAuthor Commented:
Lucas,
  Is there a software that I can buy to find or search for security hole in coding?
0
 
Lucas BishopClick TrackerCommented:
Sglee, there's a few things I'd recommend.

First, virus scan on the local computer of the site administrator. It could be that a virus on your computer has caused the password to be shared (keystroke logger) with a malicious user when you logged in a long time ago. This would be the easiest thing to check.

Also, change all passwords on the server (ftp, database, etc).

On the server side though, there could be many culprits. Based on the message Google gave you, it appears there is an "open redirect"  vulnerability that may have been leveraged.  You'll want to look at the different applications/plugins/etc that you have installed on your site and check what version they are. Then go to the developer's web site and see if there are newer patched versions available that you should install.

You may want to contact your web host and notify them that your site was hacked and see if they have any insight. Maybe one of their control panel applications was outdated back in September and everyone on the server got hacked. If they fixed it, they'd likely let you know. They would also probably be open to reviewing your site and giving you feedback on a potential culprit. Some hosts don't provide this much support though, so your mileage may vary.
0
 
sgleeAuthor Commented:
I will discuss your suggestions with ISP.
0
 
sgleeAuthor Commented:
I am happy to report that "Hacked" has been finally removed and I received an email from Google:

----------------------------------------------------------------------------------------------------------------------
Subject: Reconsideration request processed for http://www.DomainName.biz/

Dear Webmaster of http://www.DomainName.biz/

We have processed the reconsideration request from a site owner for http://www.DomainName.biz/. The site has been reviewed for violations of our quality guidelines. Any manual spam actions applied to the site have been revoked or adjusted where appropriate.

----------------------------------------------------------------------------------------------------------------------
0
 
Lucas BishopClick TrackerCommented:
Congrats! Don't forget to lock-down those passwords & old scripts.

-L
0
 
sgleeAuthor Commented:
Lucas,
 
 Since we are on the subject, let me ask you a question.
When google detected: "http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php "
(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
(3) What did you mean by "Lock down old scripts"?

I manage several websites and they are all the same except this particular hacked website uses WORDPRESS and this is only site that has ever been hacked.
0
 
Lucas BishopClick TrackerCommented:

(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
The current version of Wordpress is 4.1. If you are using an older version, your site is at risk of having security holes. Many plugins have vulnerabilities and you need to check in the Plugin area of your admin regularly to see if updates are available.

Odds are you have an out of date script on your site and the hacker discovered this and exploited it. They likely did not even need your password to do this.  They may have installed a backdoor so they can come back and do the same thing all over again.

(3) What did you mean by "Lock down old scripts"?
By lock down old scripts I mean, make sure that you are not running the 'old' versions of Wordpress or any Plugins. Install the latest versions whenever they are made available.

I'd recommend taking a look at this plugin:
https://wordpress.org/plugins/wordfence/
0
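The version check described in the answer above can be run against a copy of the site's files. This is an added example, not part of the original thread: it assumes the standard WordPress layout (wp-includes/version.php, wp-content/plugins, wp-content/uploads), uses a constructed sample tree, and also lists PHP files in the uploads folder as a place to look for a leftover backdoor, which is an assumption of this example rather than something the thread states.

```python
import re
import tempfile
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)

def core_version(root):
    """Core version string from wp-includes/version.php, or None if absent."""
    f = Path(root) / "wp-includes" / "version.php"
    m = WP_VERSION_RE.search(f.read_text(errors="replace")) if f.is_file() else None
    return m.group(1) if m else None

def plugin_versions(root):
    """Map plugin name -> version, read from each plugin's header comment."""
    found = {}
    plugins = Path(root) / "wp-content" / "plugins"
    for php in sorted(plugins.glob("*/*.php")) + sorted(plugins.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        fields = {k.lower(): v for k, v in HEADER_RE.findall(head)}
        if "plugin name" in fields:  # files without a header are not plugin entry points
            found[fields["plugin name"]] = fields.get("version", "unknown")
    return found

def php_in_uploads(root):
    """PHP files under wp-content/uploads, a media folder where scripts are unexpected."""
    up = Path(root) / "wp-content" / "uploads"
    return sorted(p.relative_to(root).as_posix() for p in up.rglob("*.php"))

def build_sample_site(base):
    """Constructed sample tree (not a real site) so the example runs offline."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '3.9.2';\n",
        "wp-content/plugins/example-slider/example-slider.php":
            "<?php\n/*\nPlugin Name: Example Slider\nVersion: 1.0.4\n*/\n",
        "wp-content/plugins/example-slider/helper.php": "<?php // no header\n",
        "wp-content/uploads/2014/09/cache.php": "<?php /* constructed stand-in */\n",
        "wp-content/uploads/2014/09/photo.jpg": "constructed placeholder",
    }
    for rel, body in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return base

if __name__ == "__main__":
    site = build_sample_site(tempfile.mkdtemp())
    print("core:", core_version(site))
    print("plugins:", plugin_versions(site))
    print("php in uploads:", php_in_uploads(site))
```

Compare the reported versions against the current releases on wordpress.org and each plugin developer's site, and review any file the last function lists before deleting it.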
 
sgleeAuthor Commented:
Thank you for additional information and I appreciate it.
0
 
Shahriar ShohagCommented:
Hello SGLEE,
Thanks for sharing your problem. I also face the same problem, so I need your help with how you solved the problem. Kindly reply to me. Thanks in advance for reading.
0
