Thread: Site Hacked

#1 They're coming to take me away (Join Date: Jan 2005; Location: Florida; Posts: 5,087; Rep Power: 5082)

Site Hacked


    I do realize this may be in the wrong forum and that hardly anyone visits anymore so I may not get an answer soon, but figured I'd try.

We have a site that was recently hacked, and files were uploaded (on what seems to be 3 different days within a week).
It is a WordPress site (not by my choice). I seem to have removed all of the infected/malware-related files, including the .htaccess and
the sitemap.txt (listed as sitenap.txt) file. The sitenap file seemed to have a TON of entries, and now the Googlebot is constantly crawling
all of the URLs that were in the sitenap file... none of the URLs in that file actually exist.

    How do I get Google to stop a constant crawl of the non-existent sites? The site is currently suspended, and I have put in an order to have
    them review it and remove the suspension, but seeing what else I can do. I have submitted a new sitemap request (although because of the
    suspension, not sure if it'll go through).

    The site is not currently setup with Google Webmaster Tools.

    Thanks for any input (whenever I may receive it).
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
#2 Headless Moderator (Devshed Supreme Being, 6500+ posts; Join Date: Mar 2007; Location: Washington, USA; Posts: 16,977; Rep Power: 9647)
    If you're responding with 404s then Google will stop in time. Otherwise what you've done so far is right, plus anything else that might be available with the Webmaster Tools.
#3 They're coming to take me away
    Originally Posted by requinix
    If you're responding with 404s then Google will stop in time. Otherwise what you've done so far is right, plus anything else that might be available with the Webmaster Tools.
Thanks. In viewing the latest visitor log, it's showing a nonstop log of Google bots for the past 4 minutes (which is 300 visits). The status shown is 302. Still waiting on the site to become unsuspended before I do anything else (including Webmaster Tools), because none of the online tools can see it currently.

    I removed all the infected files and the sitemap prior to midnight last night, and it's still crawling at about 75 crawls per minute, so was getting concerned.
#4 Headless Moderator
    If Google thinks there's a lot to index then they'll do that.

    But 302? That's a temporary redirect. You need to respond with a 404 or with a 301 (permanent redirect) or else spiders will keep hitting those URLs. You should change that sooner rather than later.
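The point being made here (a 302 keeps spiders coming back, a 404 lets them give up) is easiest to confirm from the access log itself. The script below is an added example, not code from the thread or from anyone in it: it parses constructed Apache combined-format log lines (the lines, IPs and paths are made up to resemble what the thread describes), counts Googlebot hits per minute, and lists every request for a malware-shaped path that did not get a 404. The path patterns mirror the two rewrite rules quoted later in the thread; the log format and the "Googlebot" user-agent substring are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
66.249.66.1 - - [07/Jul/2016:09:10:01 +0000] "GET /autosupplies-hi8_9ab9_5g7_6MY-55262.vvds HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [07/Jul/2016:09:10:02 +0000] "GET /zipponewjp-kK2_8eJ5_7B1_1qB-5389.vvds HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.2 - - [07/Jul/2016:09:11:15 +0000] "GET /reasonablecar-ri7_9HP1_9s6_4yj-7851.vvds HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [07/Jul/2016:09:11:20 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
66.249.66.3 - - [07/Jul/2016:09:11:21 +0000] "GET /google1a2b3c4d.html HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Apache "combined" log format (assumed); one regex group per field we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same URL shapes as the two rewrite rules the malware added to .htaccess.
SPAM_PATH_RE = re.compile(r'^/(?:.*-.*-[0-9]+\.vvds|google.*\.html)$')


def parse_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_bot_hits(text, bot_marker="Googlebot"):
    """Return (hits per minute, status counts for spam-shaped paths,
    spam-shaped paths that were answered with anything but 404)."""
    per_minute = Counter()
    spam_status = Counter()
    not_404 = []
    for r in parse_log(text):
        if bot_marker not in r["ua"]:
            continue
        minute = r["ts"][:17]  # "07/Jul/2016:09:10" -> bucket by minute
        per_minute[minute] += 1
        if SPAM_PATH_RE.match(r["path"]):
            spam_status[r["status"]] += 1
            if r["status"] != "404":
                not_404.append(r["path"])
    return per_minute, spam_status, not_404


if __name__ == "__main__":
    per_minute, spam_status, not_404 = summarize_bot_hits(SAMPLE_LOG)
    for minute, n in sorted(per_minute.items()):
        print(f"{minute}: {n} bot hits")
    print("status codes on spam-shaped paths:", dict(spam_status))
    print("still not 404:", not_404)
```

Run it against a real access log instead of SAMPLE_LOG and the third return value is the to-do list: every path in it is still telling crawlers "try again later". Once the rewrite fix is in place that list should be empty and the per-minute counts should trend down over the following days.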
#5 They're coming to take me away
    Thanks.

    I have ErrorDocument 404 in .htaccess. Is there a certain way for me to change the response to 404? (The host they are using is Hostgator).
#6 Headless Moderator
    It depends what these URLs are. Apparently they don't exist, which is why there's a 302, but the redirect means it's a redirect somewhere.

What are some examples of these URLs? Do you know how your site and application are handling them and, perhaps most interestingly, where these redirects are to?
#7 They're coming to take me away
    None of these files existed, and they are all in the sitenap file:
    <url>
    <loc>http://www.domain.com/autosupplies-hi8_9ab9_5g7_6MY-55262.vvds</loc>
    <lastmod>2016-06-21</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.8</priority>
    </url>
    <url>
    <loc>http://www.domain.com/zipponewjp-kK2_8eJ5_7B1_1qB-5389.vvds</loc>
    <lastmod>2016-06-21</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.8</priority>
    </url>
    <url>
    <loc>http://www.domain.com/reasonablecar-ri7_9HP1_9s6_4yj-7851.vvds</loc>
    <lastmod>2016-06-21</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.8</priority>
    </url>

    There are hundreds (or even more than 1000) of these.
    Also, I have removed all files from the server for now as I wanted to make sure it was cleaned (and I have loaded a restore from 2 years ago).

    It looks like they are all being redirected to: hy dot jpssale dot com

    Not sure how they are handling them, but here is .htaccess:
    Code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(.*)-(.*)-([0-9]+)\.vvds$ /wp-includes/file.php?uu=$1-$2-$3 [L]
    RewriteRule ^google(.*)\.html$ /wp-includes/file.php?google=$1 [L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    file.php:
    Code:
    <?php
    /*
    
    redacted by requinix
    
    if ?uu is set {
    	if Googlebot UA then {
    		proxy a thing from the spammy site
    	} else {
    		use a <script> redirect
    	}
    }
    if ?google is set {
    	echo "google-site-verification: google-" . ?google value . ".html" and quit
    }
    
    */
    ?>
    Last edited by requinix; July 7th, 2016 at 09:28 AM. Reason: unlinked and obfuscated that domain name; redacted code
#8 Headless Moderator
If you haven't noticed it, I edited your post to unlink the domain name and to paraphrase the code from that PHP file. Don't want to give undue credit to that spam domain, and don't want their code being available for anyone to view.

Those URLs were being proxied through the PHP code - loading the content from that one site and displaying it on your own - in case you weren't sure what it was doing.

    If your current .htaccess has the same WordPress URL rewriting stuff then the 302s are likely because WordPress is redirecting from the bad URLs to something else. In principle it really should be 404ing them instead, since whatever page was requested does not actually exist, but if that's not an option to set up then I recommend reinstating the .htaccess changes the malware added except making them respond with a 404 instead. So
    Code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(.*)-(.*)-([0-9]+)\.vvds$ - [L,R=404]
    RewriteRule ^google(.*)\.html$ - [L,R=404]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    If you have a legitimate google*.html verification file then the above needs to be changed to allow that one through.

    You would keep that up until you've convinced Google not to attempt indexing any of the previous URLs. And then a while longer until you've seen that there's virtually no traffic to them at all (because there are other spiders besides Google's, of course). And then a while longer still.

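Before dropping the corrected rules into a live .htaccess it helps to know exactly which of the hundreds of sitemap URLs they will catch, and to make sure a genuine Search Console verification file is not caught with them. The script below is an added example, not code from the thread: it pulls the paths out of a constructed sitemap fragment shaped like the one quoted above, applies the same two regular expressions the rewrite rules use, and reports which paths would get the 404 and which pass through to WordPress. The allowlist argument and the sample file name google9f8e7d6c.html are assumptions; it models the "allow that one through" exception as a name check, which in Apache terms is a RewriteCond on %{REQUEST_URI} placed before the google*.html rule.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sitemap fragment in the shape of the malicious one; not the real file.
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://www.domain.com/autosupplies-hi8_9ab9_5g7_6MY-55262.vvds</loc></url>
  <url><loc>http://www.domain.com/zipponewjp-kK2_8eJ5_7B1_1qB-5389.vvds</loc></url>
  <url><loc>http://www.domain.com/google9f8e7d6c.html</loc></url>
  <url><loc>http://www.domain.com/about/</loc></url>
</urlset>
"""

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# The two patterns from the .htaccess rules, unchanged. In a per-directory
# (.htaccess) context Apache matches them against the path with the leading
# slash stripped, which is why decide() strips it too.
VVDS_RULE = re.compile(r'^(.*)-(.*)-([0-9]+)\.vvds$')
GOOGLE_RULE = re.compile(r'^google(.*)\.html$')


def sitemap_paths(xml_text):
    """Return the URL paths listed in a sitemap's <loc> elements."""
    root = ET.fromstring(xml_text)
    return [urlparse(loc.text.strip()).path
            for loc in root.findall("sm:url/sm:loc", NS)]


def decide(path, legit_google_files=()):
    """Emulate the hardened rules: '404' for malware-shaped URLs, 'pass' for
    everything else. legit_google_files (assumed) lists verification files
    that must keep working even though they match the google*.html shape."""
    rel = path.lstrip("/")
    if rel in legit_google_files:
        return "pass"
    if VVDS_RULE.match(rel) or GOOGLE_RULE.match(rel):
        return "404"
    return "pass"


def triage_sitemap(xml_text, legit_google_files=()):
    """Map every sitemap path to the response the rules would give it."""
    return {p: decide(p, legit_google_files) for p in sitemap_paths(xml_text)}


if __name__ == "__main__":
    for path, outcome in triage_sitemap(SITEMAP_XML, ("google9f8e7d6c.html",)).items():
        print(f"{outcome:>4}  {path}")
```

Feed it the recovered sitenap.txt and any path that comes back "pass" is one the rules will hand to WordPress (and so potentially to the 302 behaviour again), which is the list to look at before declaring the cleanup finished.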
#9 They're coming to take me away
    Awesome. Thanks for the help / info (and for editing my post from above).