breath-hyenas
User #146915   27 posts
Forum Regular

Hey Guys,

Thought I would ask some questions here as I have struggled to find any answers anywhere. So any help would be much appreciated.

I own a t-shirt printing business that derived a large percentage of leads from high SE rankings.

I was training a new employee on Monday and began showing her how we get our leads. I started searching our keywords and we weren't ranking. I got that horrible sick feeling.

Anyway I started looking into the problem and we were only ranking for our business name. So I took a look at Google's cached record of the page. Lo and behold, down the right sidebar was a massive list of porn links. See here – http://74.125.153.132/search?q=cache:k8r7EBmtz4wJ:www.psionline.com.au/+psi+screen+printing&cd=1&hl=en&ct=clnk&gl=au

So I found the file for the newsletter signup module in the sidebar. It had a PHP include that called another file in a directory that we hadn't used for a long time. So I cleaned it all up.

My question is...although I have cleaned it up, the cached page from Google still shows all the links and it says that cached page was crawled only a few hours ago...but I sorted this all on Monday.

Any ideas on this? Could it still be hiding somewhere or does Google just use an old version of the page?

Any help would be much appreciated as we really need to try and get ranking again ASAP...our 8 staff are getting a little worried.

Thanks

reference: whrl.pl/RccyXb
posted 2010-Mar-12, 10pm AEST
User #166340   934 posts
Whirlpool Enthusiast

you can get google to remove the incorrect indexing. use the webmaster tools.

reference: whrl.pl/RcczhB
posted 2010-Mar-13, 1am AEST
User #181946   1318 posts
Whirlpool Enthusiast

Hi katweazl,

Sorry to hear about your situation, just make sure you're treating the cause too and not just the fallout/symptoms.

It might be worth getting a few hours of time from an external firm to give your site a quick audit to see if there were any obvious security holes that were exploited. Sometimes a fresh set of eyes will see things that people who deal with the site regularly might miss. I'm sure the loss to your business if this occurs again would exceed the cost of the audit, not to mention peace of mind.

If your application doesn't appear to exhibit any flaws that could have been exploited, I would look at your hosting environment. Do you have the correct file permissions? Does your provider have a track record of sites getting "hacked"? Was anyone else on your provider affected?

Thirdly, for a company that depends on its website so much, you should have some form of dashboard that notifies you if a) the website is down, unavailable, or unusually slow b) if the site content has changed; this might save you in future as you would have a window to resolve the situation before Google indexes it.

Best of luck getting the situation resolved!

reference: whrl.pl/RcczwM
posted 2010-Mar-13, 7am AEST
User #161367   1690 posts
Whirlpool Enthusiast

haz31 writes...

It might be worth getting a few hours of time from an external firm to give your site a quick audit to see if there were any obvious security holes that were exploited.

This.

and btw, are you using Suhosin?

reference: whrl.pl/Rccz7B
posted 2010-Mar-13, 11am AEST
User #146915   27 posts
Forum Regular

ironheart writes...

you can get google to remove the incorrect indexing. use the webmaster tools.

Thanks Ironheart...have done this.

haz31 writes...

It might be worth getting a few hours of time from an external firm to give your site a quick audit to see if there were any obvious security holes that were exploited.

Is there anyone you would recommend haz31? Or what should I Google to find such a firm?

haz31 writes...

you should have some form of dashboard that notifies you if a) the website is down, unavailable, or unusually slow b) if the site content has changed;

I am using WordPress as a CMS. What software could you recommend to do this for me?

Thanks for all the advice!!

Any ideas on the fact that Google shows the links are still there on the cached page they have even though I have removed them? (as far as I know)

Thanks

reference: whrl.pl/RccAzC
posted 2010-Mar-13, 2pm AEST
User #168422   3700 posts
Whirlpool Forums Addict

katweazl writes...

Any ideas on the fact that Google shows the links are still there on the cached page they have even though I have removed them? (as far as I know)

It wouldn't be an automatic deletion, it would be added to a list and then at a certain time they all get pruned at once. Possibly every 12 hours or so, just a guess.

reference: whrl.pl/RccADQ
posted 2010-Mar-13, 3pm AEST
edited 2010-Mar-13, 3pm AEST
User #166340   934 posts
Whirlpool Enthusiast

CookieMuncher writes...

It wouldn't be an automatic deletion, it would be added to a list and then at a certain time they all get pruned at once. Possibly every 12 hours or so, just a guess.

Hm, my understanding was that there was human intervention in the process somewhere, that someone at Google vets the requests before actually culling. Just in case I try to remove your search results, perhaps.

reference: whrl.pl/RccBp8
posted 2010-Mar-13, 7pm AEST
User #146915   27 posts
Forum Regular

An update....

I checked Google's cached page again. I noticed something this time. The links were different and now point to different destinations. So although I can't see the links on the current home page they show up on Google's cached version. See – http://74.125.153.132/search?q=cache:k8r7EBmtz4wJ:www.psionline.com.au/+psi+screen+printing&cd=1&hl=en&ct=clnk&gl=au

I really don't know where to go from here. Obviously the problem is still there but looking on my site I can't see it.

Any thoughts?

reference: whrl.pl/RccBNZ
posted 2010-Mar-13, 9pm AEST
User #153466   507 posts
Whirlpool Enthusiast

Do a site-wide search for newsletter_text, that is the id of the DIV tag surrounding all those links. Which possibly also means it's jscript taking a feed from somewhere and displaying it, maybe doing it only if it's a bot (Google bot).

reference: whrl.pl/RccBWX
posted 2010-Mar-13, 9pm AEST
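Added example, not part of any post in this thread: a Python sketch of the comparison behind the "site content has changed" alert and the served-only-to-bots theory above. It reports external links that appear in one copy of a page but not in a trusted copy, together with the id of the enclosing element; the host names and both HTML snapshots are constructed, and `injected_links` is a name chosen here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class LinkCollector(HTMLParser):
    """Collects (enclosing element id, external host) for every <a href>."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []     # id (or None) of each currently open element
        self.links = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            own = host == self.site_host or host.endswith("." + self.site_host)
            if host and not own:
                enclosing = next((i for i in reversed(self.stack) if i), None)
                self.links.add((enclosing, host))
        if tag not in VOID:
            self.stack.append(attrs.get("id"))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def external_links(html, site_host):
    parser = LinkCollector(site_host)
    parser.feed(html)
    parser.close()
    return parser.links

def injected_links(trusted_html, suspect_html, site_host):
    """External links present in suspect_html but absent from trusted_html."""
    extra = external_links(suspect_html, site_host) - external_links(trusted_html, site_host)
    return sorted(extra, key=lambda item: (item[0] or "", item[1]))

# Constructed snapshots: the page as a browser receives it, and the same page
# as a crawler receives it (or: yesterday's baseline and today's fetch).
BROWSER_VIEW = """<html><body>
<div id="content"><a href="http://www.example-shop.test/shirts">Shirts</a>
<a href="https://twitter.example/ourshop">Follow us</a></div>
<div id="newsletter_text"><form action="/signup"><input name="email"></form></div>
</body></html>"""
CRAWLER_VIEW = BROWSER_VIEW.replace(
    "</form>", '</form><a href="http://spam-one.example/x">a</a>'
               '<a href="http://spam-two.example/y">b</a>')

if __name__ == "__main__":
    for element_id, host in injected_links(BROWSER_VIEW, CRAWLER_VIEW, "example-shop.test"):
        print(f"new external link to {host} inside #{element_id}")
```

A clean result from a fetch with a spoofed crawler User-Agent does not rule out cloaking keyed on the crawler's source address, so the search engine's cached copy remains the reference for what it was actually served.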
User #345109   2 posts
Forum Regular

I had this happen with a bunch of early Joomla sites, it was so frustrating trying to find where it was coming from but I finally did :)

Turned out to be an exploit in a WYSIWYG editor (third party component) that I was using. It allowed access to the image/gallery directory. Maybe your WordPress site has a similar problem.

Have a look in your image directory. Anything that doesn't have an image extension should be considered very sus. As soon as I deleted my sus files and upgraded my component to the latest version my problems didn't come back.

Good luck ....

reference: whrl.pl/RccB5Z
posted 2010-Mar-13, 10pm AEST
User #4077   9758 posts
Carouser

katweazl writes...

Any thoughts?

Install WP Firewall and WP Anti Virus via your plugins installer.

I can access your wp-admin screen, and I shouldn't be able to.

Those two plugins will

1: protect your Admin screen; and
2: let you run a full screen of all your WP files for any known exploits such as the eval(64) exploit which is what I think you had.

reference: whrl.pl/RccCff
posted 2010-Mar-13, 11pm AEST
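Added example, not part of any post in this thread and not how WP Firewall or WP Anti Virus work: a Python sketch of the two manual checks suggested above, listing files without an image extension in the uploads directory and PHP files that call `eval()` on decoded data. It assumes WordPress's default `wp-content/uploads` location; the extension sets and the regular expression are heuristics chosen here, so every hit is a lead to review, not a verdict.

```python
import os
import re
import sys

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".webp"}
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}
# eval() wrapped directly around a decoding call, e.g. eval(base64_decode(...))
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def scan(root, uploads_rel="wp-content/uploads"):
    """Return sorted (relative path, reason) findings under a WordPress root."""
    root = os.path.abspath(root)
    uploads = os.path.normpath(os.path.join(root, *uploads_rel.split("/")))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = os.path.commonpath([uploads, dirpath]) == uploads
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            # Check 1: anything in the uploads tree that is not an image.
            if in_uploads and ext not in IMAGE_EXT:
                findings.append((rel, "non-image file in uploads"))
            # Check 2: PHP anywhere in the tree that evaluates decoded data.
            if ext in PHP_EXT:
                try:
                    with open(path, "rb") as handle:
                        body = handle.read()
                except OSError:
                    findings.append((rel, "unreadable"))
                    continue
                if OBFUSCATED_EVAL.search(body):
                    findings.append((rel, "eval() of decoded data"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python scan_wp.py /path/to/wordpress
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

The walk covers the whole tree, so a forgotten directory outside `wp-content`, like the unused one in this thread, is scanned for the `eval()` pattern as well.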
User #16966   367 posts
Forum Regular

hey just as a side note, most of the comments on your site are from your competitors trying to get a sneaky back link. I suggest you disable and remove comments on your site (it's not really needed anyway).

reference: whrl.pl/RccCXt
posted 2010-Mar-14, 10am AEST
edited 2010-Mar-14, 10am AEST
User #89670   148 posts
Forum Regular

Can't solve your problem but someone will be in touch ref tshirt printing on Monday :)

reference: whrl.pl/RccC4q
posted 2010-Mar-14, 11am AEST
User #166340   934 posts
Whirlpool Enthusiast

Rummpy writes...

Can't solve your problem but someone will be in touch ref tshirt printing on Monday :)

Actually that reminds me, I might need some shirts done. I wonder if he does small quantities?

reference: whrl.pl/RccDrm
posted 2010-Mar-14, 1pm AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

I can access your wp-admin screen, and I shouldn't be able to.

Do you mean, by typing www.domain.com/wp-admin/? If that is the case, how would you log in to the admin panel if you "shouldn't be able to" access it?

I did some Googling and found that you can change the /wp-admin/ page via htaccess. Might look into it. :-)

reference: whrl.pl/RccDK8
posted 2010-Mar-14, 3pm AEST
edited 2010-Mar-14, 3pm AEST
User #4077   9758 posts
Carouser

-Juzman- writes...

I did some Googling and found that you can change the /wp-admin/ page via htaccess. Might look into it. :-)

Instead of using htaccess, why not use the ready-made plugin instead?

If you can access the admin screen, you can brute force (and in cases where you know the website owner, simply guess) the login credentials too easily.

Make it harder for the hackers – use secure URLs for your admin page and regularly run the virus screening.

reference: whrl.pl/RccDPp
posted 2010-Mar-14, 3pm AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

Instead of using htaccess, why not use the ready-made plugin instead?

What is the name of the ready-made plugin?

I've found Admin-SSL (but can't seem to get the shared-ssl working). I have also renamed the username from the default "admin" too.

reference: whrl.pl/RccDQG
posted 2010-Mar-14, 3pm AEST
edited 2010-Mar-14, 3pm AEST
User #4077   9758 posts
Carouser

-Juzman- writes...

What is the name of the ready-made plugin?

Stealth Login.

reference: whrl.pl/RccEIN
posted 2010-Mar-14, 7pm AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

Stealth Login.

Thanks for that pixelkitty. :-) Now to create a login link that is easy to remember, but unlikely to be typed in. :P

Edit: After looking at it, it just changes the /wp-admin/ link via .htaccess. This in turn causes issues editing posts or the theme. Looks like I shall be disabling it and sticking with just /wp-admin/ and WP Firewall.

reference: whrl.pl/RccEXf
posted 2010-Mar-14, 8pm AEST
edited 2010-Mar-14, 8pm AEST
User #4077   9758 posts
Carouser

-Juzman- writes...

Now to create a login link that is easy to remember, but unlikely to be typed in. :P

I used 1Password to generate a random character string for me.

reference: whrl.pl/RccEZf
posted 2010-Mar-14, 8pm AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

I used 1Password to generate a random character string for me.

Ah, I never have used that type of thing. Removed the plugin anyway (see my edited post as to why).

reference: whrl.pl/RccFVa
posted 2010-Mar-15, 6am AEST
User #4077   9758 posts
Carouser

-Juzman- writes...

This in turn causes issues editing posts or the theme.

I haven't had an issue with any of the sites I've installed it on.

reference: whrl.pl/RccF8E
posted 2010-Mar-15, 8am AEST
User #18924   3646 posts
Whirlpool Forums Addict

Must be that damn Russian mob at it again!

reference: whrl.pl/RccF82
posted 2010-Mar-15, 8am AEST
User #74320   2017 posts
Whirlpool Forums Addict

Might be just me, but your site appears to be down.

reference: whrl.pl/RccGjE
posted 2010-Mar-15, 9am AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

I haven't had an issue with any of the sites I've installed it on.

Ah okay. I tried editing some template files and when I clicked save it loaded a blank page since it was trying to access /wp-admin/.

I'm more interested in getting the CNAME going for m.domain.com to point to domain.com and load a mobile template. Had issues trying to get it going with a sub-domain.

Hopefully with CNAME in place I can add a redirect with htaccess to redirect mobile requests to m.domain.com.

When I had it set up with subdomain it wouldn't work properly (too many redirects) in Safari on iPhone.

reference: whrl.pl/RccG0L
posted 2010-Mar-15, 12pm AEST
User #4077   9758 posts
Carouser

-Juzman- writes...

I'm more interested in getting the CNAME going for m.domain.com

I'd start a new thread, instead of hijacking this one :)

reference: whrl.pl/RccG3h
posted 2010-Mar-15, 12pm AEST
User #146915   27 posts
Forum Regular

Thanks to everyone for their suggestions.

We found a little bit of code that we missed that called the php file from an unused directory.

We removed the code and the whole directory that had been compromised.

Next morning everything re-indexed and back to normal. THANK GOODNESS!!

Anyway many lessons learned...protect my site a little more, put some eggs in some more baskets as far as marketing goes, I can't just rely on organic search, it could change at any moment. We have to work on more offline/list based stuff.

Thanks for all the help...if you need t-shirts let us know www.psionline.com.au – Shameless plug :) sorry!!

reference: whrl.pl/RccG65
posted 2010-Mar-15, 12pm AEST
User #155362   2925 posts
Whirlpool Forums Addict

pixelkitty writes...

I'd start a new thread, instead of hijacking this one :)

Haha yeah. Sorry katweazl. Glad you got it all fixed up. :-)

reference: whrl.pl/RccHy3
posted 2010-Mar-15, 2pm AEST