Solved

This site may be hacked

Posted on 2015-02-02
Last Modified: 2015-06-11
Hi,
 
I have a website and when someone types in a search word, this site comes up on the first result page on Google, but it displays the message:
DomainName.biz/‎Cached

"This site may be hacked."

When I log in webmaster tools website using my login, I see the following message under "Security Issues" section.

URL injection (These pages appear to be created by a hacker with the intent of spamming search results.)
http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php 9/8/14


When I click "Site Messages", I see five of the same message:
Hacking suspected: http://www.DomainName.biz/  1/9/15
Hacking suspected: http://www.DomainName.biz/  12/9/14
Hacking suspected: http://www.DomainName.biz/  11/9/14
....
Hacking suspected: http://www.DomainName.biz/  9/9/15

The infection occurred in Sep 2014. At that time, no one could access the website, with some type of message in red color. Since then the 3d-instruktor-22-rustorka.php page has been removed from the site and the site has been running fine.
However, when some users Google the keyword and the website comes up, it still displays the warning: "This site may be hacked."


I can't even submit "Request a Review" to Google because the Request button is recessed.

How can I take care of this problem?
0
Question by:sglee
14 Comments
 
LVL 23

Expert Comment

by:Michael74
ID: 40585350
Do you have a backup of the site code from before the hack? If so then restoring this could be the easiest answer to get the site up and running quickly. Of course you would still need to determine the security flaw and fix it.
0
 

Author Comment

by:sglee
ID: 40585499
I will have to ask web hosting company about the backups, but I highly doubt that they can go back to Sep. 2014.
0
 
LVL 16

Accepted Solution

by:Chris Harte
Chris Harte earned 167 total points
ID: 40586070
It looks like Google scanned your site whilst you were hacked and is showing that cached version in the search results. Ask for a rescan to see if that helps.

https://support.google.com/webmasters/answer/6065812?hl=en
0
 

Author Comment

by:sglee
ID: 40586152
@MunterMan,

  I requested the Fetch and will post results.
0
 
LVL 16

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 333 total points
ID: 40595239
First, the number one issue you want to resolve is the security hole. Someone was injecting code into your site and if you don't patch this issue, it will continue to happen. Simply removing the file or rolling back to a previous version is not a fix.

If you don't fix the issue, then the site gets re-indexed by Google, then the injection takes place again, it may become even harder to resolve with Google.

Are you using an outdated script? Old version of WordPress? Old forum software? You'll want to hunt down the culprit asap.

Once this is taken care of you should then request a review. Make sure you fill out a sentence to explain what you did to fix the issue, in order to submit the review request. Spam reviews can take multiple weeks to process per Google:

Reviews for sites hacked with spam may require up to several weeks to process. This is because spam reviews can involve manual investigation or a complete reprocessing of the hacked pages. If the review is approved, Security Issues will no longer display hacked category types or example hacked URLs.
0
 

Author Comment

by:sglee
ID: 40595241
Lucas,
  Is there a software that I can buy to find or search for security hole in coding?
0
 
LVL 16

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 333 total points
ID: 40595248
Sglee, there's a few things I'd recommend.

First, virus scan on the local computer of the site administrator. It could be that a virus on your computer has caused the password to be shared (keystroke logger) with a malicious user when you logged in a long time ago. This would be the easiest thing to check.

Also, change all passwords on the server (ftp, database, etc).

On the server side though, there could be many culprits. Based on the message Google gave you, it appears there is an "open redirect" vulnerability that may have been leveraged. You'll want to look at the different applications/plugins/etc that you have installed on your site and check what version they are. Then go to the developer's web site and see if there are newer patched versions available that you should install.

You may want to contact your web host and notify them that your site was hacked and see if they have any insight. Maybe one of their control panel applications was outdated back in September and everyone on the server got hacked. If they fixed it, they'd likely let you know. They would also probably be open to reviewing your site and giving you feedback on a potential culprit. Some hosts don't provide this much support though, so your mileage may vary.
0
 

Author Comment

by:sglee
ID: 40595255
I will discuss your suggestions with ISP.
0
 

Author Comment

by:sglee
ID: 40601691
I am happy to report that "Hacked" has been finally removed and I received an email from Google:

----------------------------------------------------------------------------------------------------------------------
Subject: Reconsideration request processed for http://www.DomainName.biz/

Dear Webmaster of http://www.DomainName.biz/

We have processed the reconsideration request from a site owner for http://www.DomainName.biz/. The site has been reviewed for violations of our quality guidelines. Any manual spam actions applied to the site have been revoked or adjusted where appropriate.

----------------------------------------------------------------------------------------------------------------------
0
 
LVL 16

Expert Comment

by:Lucas Bishop
ID: 40601733
Congrats! Don't forget to lock-down those passwords & old scripts.

-L
0
 

Author Comment

by:sglee
ID: 40601750
Lucas,
 
 Since we are on the subject, let me ask you a question.
When Google detected: "http://DomainName/index.php?do=/3d-instruktor-22-rustorka.php"
(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
(3) What did you mean by "Lock down old scripts"?

I manage several websites and they are all the same except this particular hacked website uses WORDPRESS and this is the only site that has ever been hacked.
0
 
LVL 16

Expert Comment

by:Lucas Bishop
ID: 40601826

(1) How did the hacker get into the folder in FTP? Loose password?
(2) What do they mean by "URL Injection"? Can you explain to me in plain English?
The current version of WordPress is 4.1. If you are using an older version, your site is at risk of having security holes. Many plugins have vulnerabilities and you need to check in the Plugin area of your admin regularly to see if updates are available.

Odds are you have an out of date script on your site and the hacker discovered this and exploited it. They likely did not even need your password to do this. They may have installed a backdoor so they can come back and do the same thing all over again.

(3) What did you mean by "Lock down old scripts"?
By lock down old scripts I mean, make sure that you are not running the 'old' versions of WordPress or any Plugins. Install the latest versions whenever they are made available.

I'd recommend taking a look at this plugin:
https://wordpress.org/plugins/wordfence/
0
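A check that can be run before asking Google for a review, as an added example that is not part of the original thread: it scans the web server's access log for requests shaped like the injected URL reported above (`index.php?do=/...php`) and lists any that were still being served. It generalizes from the one reported URL to any `.php` path in the `do` parameter; the Combined Log Format, the function names and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def injected_url_hits(lines, param="do"):
    """Map each suspicious `param` value to its hit count and latest status.

    A hit is a request to index.php whose `param` query value is a path ending
    in .php, the shape of the URL listed under "Security Issues".
    Lines are assumed to be in chronological order.
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/index.php"):
            continue
        for value in parse_qs(url.query).get(param, []):
            if value.startswith("/") and value.lower().endswith(".php"):
                entry = hits.setdefault(value, {"count": 0, "clients": set()})
                entry["count"] += 1
                entry["clients"].add(client)
                entry["last_seen"] = when
                entry["last_status"] = int(status)
    return hits

def still_served(hits):
    """Injected URLs whose most recent response was not an error (< 400)."""
    return sorted(v for v, e in hits.items() if e["last_status"] < 400)

# Constructed sample lines; only the first URL path appears in the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2014:10:01:02 +0000] "GET /index.php?do=/3d-instruktor-22-rustorka.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [09/Sep/2014:11:15:40 +0000] "GET /index.php?do=/sample-spam-page.php HTTP/1.1" 200 4801',
    '192.0.2.10 - - [02/Feb/2015:09:30:00 +0000] "GET /index.php?do=/3d-instruktor-22-rustorka.php HTTP/1.1" 404 312',
    '192.0.2.10 - - [02/Feb/2015:09:30:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9050',
    'not a log line',
]

if __name__ == "__main__":
    for value in still_served(injected_url_hits(SAMPLE_LOG)):
        print("still served, clean up before requesting review:", value)
```
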
 

Author Comment

by:sglee
ID: 40601839
Thank you for additional information and I appreciate it.
0
 

Expert Comment

by:Shahriar Shohag
ID: 40823942
Hello SGLEE,
Thanks for sharing your problem. I also face the same problem, so I need your help with how you solved the problem. Kindly reply to me. Thanks in advance for reading.
0
